Quoting Paul Heinlein <heinlein at madboa.com>: > On Wed, 2 May 2007, Dan Mensom wrote: > > > Has anyone set up any form of apache user isolation on CentOS? I > > have multiple virtual hosts on my machine, run by users who do not > > trust eachother. The problem is that any php script run by apache is > > able to do things like raw file io on other users' .htpasswds, php > > scripts, hidden directory listings, and so on. Database passwords > > can even be divulged in this way, since they are often stored in > > .php scripts, which can be read "in the raw" as files by other php > > scripts. > > > > What is the easiest method for dealing with this? I found > > http://webauth.stanford.edu/manual/mod/perchild.html but it does not > > seem to be compiled with the CentOS 5 apache, and I've read > > elsewhere that php has issues with mutlithreaded apache. Is there > > any easy way to isolate individual users, by either having apache > > setuid, or chrooting php scripts, or (ugh) a clean way to run a new > > apache copy for each vhost? > > One "using a canon to kill a fly" approach would be > > * each vhost runs Apache under a vhost-specific uid/gid and > bound only to the loopback interface on a port you > assign, e.g., > > vhost01 -- User vhost01, Group vhost01, Listen 127:0.0.1:6001 > vhost01 -- User vhost02, Group vhost02, Listen 127:0.0.1:6002 > > * the main apache does little but reverse proxy all the > vhosts out to the Internet. > > <VirtualHost *:80> > ServerName vhost01.domain > ProxyRequests Off > ProxyPass / http://localhost:6001/ > ProxyPassReverse / http://localhost:6001/ > <Proxy *> > Order deny,allow > Allow from all > </Proxy> > </VirtualHost> > > Given the right file permissions, no vhost would have access to > another except via HTTP. > > Downside: You're essentially doubling the number of Apache processes > on your system. Another Upside: Configuration blunders in the vhosts > won't throw errors in your main server process. I had previously considered this, but never went anywhere with it. Would you also need something like mod_proxy_html to rewrite HTML on the fly, or would that not be required in this case?