On Sep 30, 2011 10:58 AM, "Drew" drew.kay@gmail.com wrote:
I think Trey needs to push back - *IF* I understand him correctly, it sounds like duplicate websites, but running as different users. That, to me, literally makes no sense...mmmm, unless a) the source of the request doesn't understand what he wants, or b) there's something illegal going on, and users going to a different site have different things happening, based on data/database content.
The way I interpreted it, he wants it set up so that each domain (example1.com, example2.com, etc.) runs its own Apache server under an unprivileged login (apache1, apache2, etc.). Chroots should accomplish that easily enough. He then wants to use the same CMS (Joomla, WordPress, etc.) on each site. My assumption is he's hosting several CMS sites and wants each isolated so a compromise of one won't compromise the others.
What is confusing is what he means by 'codebase'. Does he want each chroot to have its own independent copy? Or does he want to share the CMS core files across all instances?
-- Drew
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Sorry if my question is confusing, I really don't fully understand the request myself.
So a single codebase would be only one set of PHP files of the CMS to manage each subdomain. The problem with this request, I think, is a lack of understanding of what they want vs. how it should be done in Apache. The goal, I think, is to keep each site from being affected by one another. So if one is compromised then it won't threaten all the sites. However, they also want to have the CMS write to the .htaccess files to dynamically control which users can access the downloads portion of the sites. That I'm strongly against.
Really I think this would be overkill once standard security measures are used with a good IDS (OSSEC) and thorough penetration testing. I also need to be able to implement this all with Puppet, which is my requirement. Things like a chroot can't easily be done with Puppet yet, or at least not that I'm aware of.
Could SELinux isolate sites while still allowing Apache access? I have little knowledge of how to do this with SELinux but I know I could do it with Puppet.
- Trey