[CentOS] Apache User Isolation/Perchild, or PHP "chroot"?

Wed May 2 12:09:51 UTC 2007
Jim Perrin <jperrin at gmail.com>

On 5/2/07, Dan Mensom <mensomman at yahoo.com> wrote:
> Has anyone set up any form of apache user isolation on CentOS? I have
> multiple virtual hosts on my machine, run by users who do not trust
> each other. The problem is that any php script run by apache is able to do
> things like raw file I/O on other users' .htpasswds, php scripts, hidden
> directory listings, and so on. Database passwords can even be divulged in
> this way, since they are often stored in .php scripts, which can be read
> "in the raw" as files by other php scripts.
>
> What is the easiest method for dealing with this? I found
> http://webauth.stanford.edu/manual/mod/perchild.html but it does not seem
> to be compiled with the CentOS 5 apache, and I've read elsewhere that php
> has issues with multithreaded apache. Is there any easy way to isolate
> individual users, by either having apache setuid, or chrooting php
> scripts, or (ugh) a clean way to run a new apache copy for each vhost?

Apache gets interesting for things like this. Mostly you can use
SELinux and the suexec function for Apache to run processes as users.
This will get you the separation your users want, however it will only
apply to PHP if you run PHP as a CGI, and not as a module. You'll take
a performance hit doing it this way, but it should do everything you
want.


-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
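The suexec-plus-PHP-as-CGI setup Jim describes, written out as an added example (not part of the original thread or of the CentOS httpd package). It assumes an httpd 2.2 host with mod_suexec and mod_actions loaded and mod_php NOT loaded, one Unix account per vhost (here a hypothetical user "alice"), and the stock CentOS suexec build, whose compiled-in document root is /var/www, so the per-user wrapper must live under that tree. The wrapper script and the vhost name are assumptions for illustration.

```apache
# Added example: one virtual host whose PHP runs as its own Unix user via
# suexec. Everything outside this vhost (paths, the "alice" account, the
# hostname) is assumed, not taken from the original post.
#
# Wrapper /var/www/vhosts/alice/cgi-bin/php.cgi, owned alice:alice,
# mode 0755 (suexec refuses scripts and directories writable by others):
#   #!/bin/sh
#   exec /usr/bin/php-cgi
#
# /var/www/vhosts/alice/cgi-bin must itself be owned by alice, and alice's
# UID must be >= the suexec minimum (500 on CentOS); check with `suexec -V`.

<VirtualHost *:80>
    ServerName alice.example.com
    DocumentRoot /var/www/vhosts/alice/htdocs

    # Every CGI spawned for this vhost runs as alice:alice instead of apache.
    SuexecUserGroup alice alice

    # Expose the wrapper directory as CGI.
    ScriptAlias /php-bin/ /var/www/vhosts/alice/cgi-bin/

    # Route *.php through the wrapper (mod_actions); the requested .php file
    # is passed to php-cgi via PATH_TRANSLATED.
    Action php-alice /php-bin/php.cgi
    AddHandler php-alice .php

    <Directory /var/www/vhosts/alice/htdocs>
        # No direct CGI execution from the docroot; only the wrapper runs.
        Options -ExecCGI -Indexes
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

With this in place a script under another vhost runs as a different UID, so it cannot open alice's .php files or .htpasswd unless alice has made them world-readable. That is the point of the setup, so keep alice's .php files at 0600 (only php-cgi, running as alice, reads them), while static files served directly by httpd still need to be readable by the apache user. Check that mod_php is genuinely disabled (no `LoadModule php5_module` in /etc/httpd/conf.d/php.conf); if it is loaded, PHP executes in-process as apache and the isolation is silently lost.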