[CentOS] Apache User Isolation/Perchild, or PHP "chroot"?

Wed May 2 15:32:56 UTC 2007
Paul Heinlein <heinlein at madboa.com>

On Wed, 2 May 2007, Barry Brimer wrote:

> Quoting Paul Heinlein <heinlein at madboa.com>:
>
>> On Wed, 2 May 2007, Dan Mensom wrote:
>>
>>> Has anyone set up any form of apache user isolation on CentOS? I 
>>> have multiple virtual hosts on my machine, run by users who do not 
>>> trust eachother. The problem is that any php script run by apache 
>>> is able to do things like raw file io on other users' .htpasswds, 
>>> php scripts, hidden directory listings, and so on. Database 
>>> passwords can even be divulged in this way, since they are often 
>>> stored in .php scripts, which can be read "in the raw" as files by 
>>> other php scripts.
>>>
>>> What is the easiest method for dealing with this? I found 
>>> http://webauth.stanford.edu/manual/mod/perchild.html but it does 
>>> not seem to be compiled with the CentOS 5 apache, and I've read 
>>> elsewhere that php has issues with mutlithreaded apache. Is there 
>>> any easy way to isolate individual users, by either having apache 
>>> setuid, or chrooting php scripts, or (ugh) a clean way to run a 
>>> new apache copy for each vhost?
>>
>> One "using a canon to kill a fly" approach would be
>>
>>   * each vhost runs Apache under a vhost-specific uid/gid and
>>     bound only to the loopback interface on a port you
>>     assign, e.g.,
>>
>>     vhost01 -- User vhost01, Group vhost01, Listen 127:0.0.1:6001
>>     vhost01 -- User vhost02, Group vhost02, Listen 127:0.0.1:6002
>>
>>   * the main apache does little but reverse proxy all the
>>     vhosts out to the Internet.
>>
>>     <VirtualHost *:80>
>>       ServerName vhost01.domain
>>       ProxyRequests Off
>>       ProxyPass / http://localhost:6001/
>>       ProxyPassReverse / http://localhost:6001/
>>       <Proxy *>
>>         Order deny,allow
>>         Allow from all
>>       </Proxy>
>>     </VirtualHost>
>>
>> Given the right file permissions, no vhost would have access to 
>> another except via HTTP.
>>
>> Downside: You're essentially doubling the number of Apache 
>> processes on your system. Another Upside: Configuration blunders in 
>> the vhosts won't throw errors in your main server process.
>
> I had previously considered this, but never went anywhere with it. 
> Would you also need something like mod_proxy_html to rewrite HTML on 
> the fly, or would that not be required in this case?

At a minimum, you'd need mod_proxy and mod_proxy_http. Other modules 
might be required to tunnel SSL or whatever.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/