[CentOS] Apache User Isolation/Perchild, or PHP "chroot"?

Wed May 2 15:18:05 UTC 2007
Barry Brimer <lists at brimer.org>

Quoting Paul Heinlein <heinlein at madboa.com>:

> On Wed, 2 May 2007, Dan Mensom wrote:
>
> > Has anyone set up any form of apache user isolation on CentOS? I
> > have multiple virtual hosts on my machine, run by users who do not
> > trust eachother. The problem is that any php script run by apache is
> > able to do things like raw file io on other users' .htpasswds, php
> > scripts, hidden directory listings, and so on. Database passwords
> > can even be divulged in this way, since they are often stored in
> > .php scripts, which can be read "in the raw" as files by other php
> > scripts.
> >
> > What is the easiest method for dealing with this? I found
> > http://webauth.stanford.edu/manual/mod/perchild.html but it does not
> > seem to be compiled with the CentOS 5 apache, and I've read
> > elsewhere that php has issues with mutlithreaded apache. Is there
> > any easy way to isolate individual users, by either having apache
> > setuid, or chrooting php scripts, or (ugh) a clean way to run a new
> > apache copy for each vhost?
>
> One "using a canon to kill a fly" approach would be
>
>   * each vhost runs Apache under a vhost-specific uid/gid and
>     bound only to the loopback interface on a port you
>     assign, e.g.,
>
>     vhost01 -- User vhost01, Group vhost01, Listen 127:0.0.1:6001
>     vhost01 -- User vhost02, Group vhost02, Listen 127:0.0.1:6002
>
>   * the main apache does little but reverse proxy all the
>     vhosts out to the Internet.
>
>     <VirtualHost *:80>
>       ServerName vhost01.domain
>       ProxyRequests Off
>       ProxyPass / http://localhost:6001/
>       ProxyPassReverse / http://localhost:6001/
>       <Proxy *>
>         Order deny,allow
>         Allow from all
>       </Proxy>
>     </VirtualHost>
>
> Given the right file permissions, no vhost would have access to
> another except via HTTP.
>
> Downside: You're essentially doubling the number of Apache processes
> on your system. Another Upside: Configuration blunders in the vhosts
> won't throw errors in your main server process.

I had previously considered this, but never went anywhere with it.  Would you
also need something like mod_proxy_html to rewrite HTML on the fly, or would
that not be required in this case?