On Sep 30, 2011 1:49 PM, "Michael Crilly" mrcrilly@gmail.com wrote:
I'm not sure why you would want each website on its own Apache process (as that just isn't needed), but some of the ideas here are a bit... over-the-top.
There are a few options of improving the security of your Apache setup.
You
can use something like FastCGI based PHP applications or suPHP; both
FastCGI
and suPHP will enable Apache to drop down to a lower privileged user when accessing a website. This basically eliminates the chance that one website being hacked means all your websites being hacked. The reason for this is because the ownership of each website will be the user who owns the
website.
So in an example example1.com would be owned by example_user_1 and as
such,
the ownership of the files would be something like: example_user_1:example_user_1 and rw-r--r--.
You don't really need to go beyond this to "secure" each site.
I hope this helps.
On 30 September 2011 19:15, Trey Dockendorf treydock@gmail.com wrote:
On Sep 30, 2011 11:43 AM, "John R Pierce" pierce@hogranch.com wrote:
On 09/30/11 9:26 AM, Trey Dockendorf wrote:
However they also want to have the CMS write to the .htaccess files to dynamically
control
which users can access the dowloads portion of the sites. That Im
strongly
against.
CMS systems almost always use their own authentication and downloading mechanisms, they don't rely on .htaccess for anything other than possibily configuring whatever specific apache settings they need (cgi-bin, etc)
-- john r pierce N 37, W 122 santa cruz ca mid-left coast
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
I agree, unfortunately my role is the sysadmin for this project, not the developer. Im running dozens of instances using Drupal, Wordpress and Mediawiki all very successfully and securely without ever having to
think
about these types of security measures. Once I get through the red tape
of
being allowed to pen test my own servers, then I'll have a better idea
how
well I've done.
- Trey
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
That does thanks!
- Trey