[CentOS] Apache User Isolation/Perchild, or PHP "chroot"?
Paul Heinlein
heinlein at madboa.com
Wed May 2 15:32:56 UTC 2007
On Wed, 2 May 2007, Barry Brimer wrote:
> Quoting Paul Heinlein <heinlein at madboa.com>:
>
>> On Wed, 2 May 2007, Dan Mensom wrote:
>>
>>> Has anyone set up any form of apache user isolation on CentOS? I
>>> have multiple virtual hosts on my machine, run by users who do not
>>> trust eachother. The problem is that any php script run by apache
>>> is able to do things like raw file io on other users' .htpasswds,
>>> php scripts, hidden directory listings, and so on. Database
>>> passwords can even be divulged in this way, since they are often
>>> stored in .php scripts, which can be read "in the raw" as files by
>>> other php scripts.
>>>
>>> What is the easiest method for dealing with this? I found
>>> http://webauth.stanford.edu/manual/mod/perchild.html but it does
>>> not seem to be compiled with the CentOS 5 apache, and I've read
>>> elsewhere that php has issues with mutlithreaded apache. Is there
>>> any easy way to isolate individual users, by either having apache
>>> setuid, or chrooting php scripts, or (ugh) a clean way to run a
>>> new apache copy for each vhost?
>>
>> One "using a canon to kill a fly" approach would be
>>
>> * each vhost runs Apache under a vhost-specific uid/gid and
>> bound only to the loopback interface on a port you
>> assign, e.g.,
>>
>> vhost01 -- User vhost01, Group vhost01, Listen 127:0.0.1:6001
>> vhost01 -- User vhost02, Group vhost02, Listen 127:0.0.1:6002
>>
>> * the main apache does little but reverse proxy all the
>> vhosts out to the Internet.
>>
>> <VirtualHost *:80>
>> ServerName vhost01.domain
>> ProxyRequests Off
>> ProxyPass / http://localhost:6001/
>> ProxyPassReverse / http://localhost:6001/
>> <Proxy *>
>> Order deny,allow
>> Allow from all
>> </Proxy>
>> </VirtualHost>
>>
>> Given the right file permissions, no vhost would have access to
>> another except via HTTP.
>>
>> Downside: You're essentially doubling the number of Apache
>> processes on your system. Another Upside: Configuration blunders in
>> the vhosts won't throw errors in your main server process.
>
> I had previously considered this, but never went anywhere with it.
> Would you also need something like mod_proxy_html to rewrite HTML on
> the fly, or would that not be required in this case?
At a minimum, you'd need mod_proxy and mod_proxy_http. Other modules
might be required to tunnel SSL or whatever.
--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
More information about the CentOS
mailing list