Brett Parker wrote:
> Bing bing bing bing... Err, well... that's not so good really is it... .htaccess files in the *writable* directory? ;)
Hmmm.... Well the .htaccess could be readable but not writeable by Apache, couldn't it?
> Better to run a script that generates a file for apache's conf.d directory with the right set of directives in it...
OK, I'm game...
> So, *who* has write access to the directories is the obvious question,
At the moment, the owner of all files is the site's owner (who has read/write access), and the group is the same as the owner, except that Apache is added to that group. E.g. the files are chown'd to joebloggs.joebloggs, and the www-data (i.e. Apache) user is added to the joebloggs group.
Files and directories are then generally chmod 644 or 640 so that the user can still modify the files but Apache can only read them, except where it needs write access in which case chmod g+w is applied.
> and then the next fun bit is to work out which files need to be roughly parsed in order to get the list of directories to search,
That could be hard coded for my needs, or more generally (but still really just for me) I can tell you that all sites sit in the following directory structure: <somedir><sitename><htdocs> where <somedir> is common to all sites.
I think it should be assumed that all subdirectories of a writeable directory are also writeable.
> and then after that needing to know all the modules that are enabled that could cause issues... (mod_php, mod_perl, mod_python, mod_blahdefoo) and have a snippet to disable them.
A generic "disable everything" (for some value of "everything") would suffice; Apache should be able to serve the files directly but not run them.
> The script itself once the variables are out of the way is the easy part... ;)
That perhaps depends on one's shell (or other) scripting skills....
Another thought: a script which checks for problems (but doesn't fix them) might be easier; run from cron it could alert me to deal with the problem manually.
Mark Rogers
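A sketch of the generator and the cron "check only" mode discussed above, added here as an example and not code from either poster. It assumes the layout Mark describes (<somedir>/<sitename>/htdocs, www-data added to the owner's group), so "writable by Apache" is taken to mean group-writable (the 020 bit); the conf.d output path and the handler list are assumptions.

```sh
#!/bin/sh
# Added example: emit an Apache conf.d snippet that lets Apache serve, but
# not execute, anything in a group-writable directory under each site's
# htdocs, and a check-only mode for cron. Assumes <somedir>/<sitename>/htdocs.

# Print every group-writable directory (perm bit 020) under each site's htdocs.
# Subdirectories of a writable directory are listed too, which matches the
# assumption that they are writable as well.
list_writable() {
    for htdocs in "$1"/*/htdocs; do
        [ -d "$htdocs" ] || continue
        find "$htdocs" -type d -perm -020 | sort
    done
}

# One <Directory> block per writable directory: reset any script handler or
# MIME type, drop CGI/SSI options and ignore .htaccess there (AllowOverride
# None), so a dropped .php/.pl/.cgi file is sent as a plain file at most.
# Extensions in the Remove* lines are an assumed "disable everything" list.
emit_directory_block() {
    printf '<Directory "%s">\n' "$1"
    printf '    SetHandler None\n'
    printf '    RemoveHandler .php .phtml .phar .pl .py .cgi .shtml\n'
    printf '    RemoveType .php .phtml .phar .pl .py .cgi .shtml\n'
    printf '    Options -ExecCGI -Includes\n'
    printf '    AllowOverride None\n'
    printf '</Directory>\n\n'
}

# Generate the whole snippet on stdout for redirection into conf.d.
generate_conf() {
    list_writable "$1" | while IFS= read -r dir; do
        emit_directory_block "$dir"
    done
}

# Check-only mode: report writable directories on stderr and return 1 if any
# exist, so a cron job produces mail only when there is something to fix.
check_only() {
    bad=$(list_writable "$1")
    if [ -n "$bad" ]; then
        printf 'Group-writable directories under %s:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}
```

Typical use (paths assumed): `generate_conf /srv/www > /etc/apache2/conf.d/no-exec.conf` after a site update, or `check_only /srv/www` from cron for the alert-only variant.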