[CentOS] Apache User Isolation/Perchild, or PHP "chroot"?
Paul Heinlein
heinlein at madboa.com
Wed May 2 15:13:13 UTC 2007
On Wed, 2 May 2007, Dan Mensom wrote:
> Has anyone set up any form of apache user isolation on CentOS? I
> have multiple virtual hosts on my machine, run by users who do not
> trust each other. The problem is that any php script run by apache is
> able to do things like raw file io on other users' .htpasswds, php
> scripts, hidden directory listings, and so on. Database passwords
> can even be divulged in this way, since they are often stored in
> .php scripts, which can be read "in the raw" as files by other php
> scripts.
>
> What is the easiest method for dealing with this? I found
> http://webauth.stanford.edu/manual/mod/perchild.html but it does not
> seem to be compiled with the CentOS 5 apache, and I've read
> elsewhere that php has issues with multithreaded apache. Is there
> any easy way to isolate individual users, by either having apache
> setuid, or chrooting php scripts, or (ugh) a clean way to run a new
> apache copy for each vhost?
One "using a cannon to kill a fly" approach would be
* each vhost runs Apache under a vhost-specific uid/gid and
bound only to the loopback interface on a port you
assign, e.g.,
vhost01 -- User vhost01, Group vhost01, Listen 127.0.0.1:6001
vhost02 -- User vhost02, Group vhost02, Listen 127.0.0.1:6002
* the main apache does little but reverse proxy all the
vhosts out to the Internet.
<VirtualHost *:80>
    ServerName vhost01.domain
    ProxyRequests Off
    ProxyPass / http://localhost:6001/
    ProxyPassReverse / http://localhost:6001/
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>
Given the right file permissions, no vhost would have access to
another except via HTTP.
Downside: You're essentially doubling the number of Apache processes
on your system. Another upside: configuration blunders in the vhosts
won't throw errors in your main server process.
--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
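An added example, not part of Paul's post or of any CentOS package: a small POSIX shell helper that generates the per-vhost backend httpd config (own User/Group, loopback-only Listen) and the front-end reverse-proxy stanza he describes, plus a check that a vhost's document root is not readable by other uids, which is the "given the right file permissions" half of the scheme. The paths (/etc/httpd/vhosts, /srv/www/<name>, /var/log/httpd) and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Example helper (not from the original post). Assumed layout:
#   backend config:  /etc/httpd/vhosts/<name>.conf
#   document root:   /srv/www/<name>
#   logs/pidfiles:   /var/log/httpd, /var/run
# Usage: gen_backend_conf vhost01 6001 > /etc/httpd/vhosts/vhost01.conf
#        gen_proxy_vhost vhost01.domain 6001 >> /etc/httpd/conf.d/proxy.conf
#        check_docroot_perms /srv/www/vhost01 vhost01 || echo "fix perms"

# gen_backend_conf NAME PORT
# Backend httpd instance for one vhost: runs as its own uid/gid and listens
# only on loopback, so it is reachable solely through the front-end proxy.
gen_backend_conf() {
    name=$1
    port=$2
    printf '%s\n' \
        "ServerRoot /etc/httpd" \
        "PidFile /var/run/httpd-${name}.pid" \
        "Listen 127.0.0.1:${port}" \
        "User ${name}" \
        "Group ${name}" \
        "DocumentRoot /srv/www/${name}" \
        "ErrorLog /var/log/httpd/${name}-error_log"
}

# gen_proxy_vhost DOMAIN PORT
# Stanza for the main port-80 server: reverse proxy only, no forward
# proxying (ProxyRequests Off). Access syntax is the Apache 2.2 form
# shipped with CentOS 5.
gen_proxy_vhost() {
    domain=$1
    port=$2
    printf '%s\n' \
        "<VirtualHost *:80>" \
        "    ServerName ${domain}" \
        "    ProxyRequests Off" \
        "    ProxyPass / http://127.0.0.1:${port}/" \
        "    ProxyPassReverse / http://127.0.0.1:${port}/" \
        "    <Proxy *>" \
        "        Order deny,allow" \
        "        Allow from all" \
        "    </Proxy>" \
        "</VirtualHost>"
}

# check_docroot_perms DIR OWNER
# Returns 0 only if DIR is owned by OWNER and has no "other" permission
# bits, i.e. a PHP script running under a different vhost's uid cannot
# read or traverse it. Uses GNU stat (assumed available on CentOS).
check_docroot_perms() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || return 1
    set -- $(stat -c '%U %a' "$dir")
    actual_owner=$1
    mode=$2
    [ "$actual_owner" = "$owner" ] || return 1
    # last octal digit holds the "other" bits; it must be 0
    other=$(printf '%s' "$mode" | sed 's/.*\(.\)$/\1/')
    [ "$other" = "0" ]
}
```

The permission check is the part that actually closes the hole the original question describes: with each backend running as its own uid and every docroot mode 750 (owner and group only), a script under vhost02 gets EACCES on vhost01's .htpasswd and .php files instead of reading them.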