On Wed, 2 May 2007, Barry Brimer wrote: > Quoting Paul Heinlein <heinlein at madboa.com>: > >> On Wed, 2 May 2007, Dan Mensom wrote: >> >>> Has anyone set up any form of apache user isolation on CentOS? I >>> have multiple virtual hosts on my machine, run by users who do not >>> trust eachother. The problem is that any php script run by apache >>> is able to do things like raw file io on other users' .htpasswds, >>> php scripts, hidden directory listings, and so on. Database >>> passwords can even be divulged in this way, since they are often >>> stored in .php scripts, which can be read "in the raw" as files by >>> other php scripts. >>> >>> What is the easiest method for dealing with this? I found >>> http://webauth.stanford.edu/manual/mod/perchild.html but it does >>> not seem to be compiled with the CentOS 5 apache, and I've read >>> elsewhere that php has issues with mutlithreaded apache. Is there >>> any easy way to isolate individual users, by either having apache >>> setuid, or chrooting php scripts, or (ugh) a clean way to run a >>> new apache copy for each vhost? >> >> One "using a canon to kill a fly" approach would be >> >> * each vhost runs Apache under a vhost-specific uid/gid and >> bound only to the loopback interface on a port you >> assign, e.g., >> >> vhost01 -- User vhost01, Group vhost01, Listen 127:0.0.1:6001 >> vhost01 -- User vhost02, Group vhost02, Listen 127:0.0.1:6002 >> >> * the main apache does little but reverse proxy all the >> vhosts out to the Internet. >> >> <VirtualHost *:80> >> ServerName vhost01.domain >> ProxyRequests Off >> ProxyPass / http://localhost:6001/ >> ProxyPassReverse / http://localhost:6001/ >> <Proxy *> >> Order deny,allow >> Allow from all >> </Proxy> >> </VirtualHost> >> >> Given the right file permissions, no vhost would have access to >> another except via HTTP. >> >> Downside: You're essentially doubling the number of Apache >> processes on your system. Another Upside: Configuration blunders in >> the vhosts won't throw errors in your main server process. > > I had previously considered this, but never went anywhere with it. > Would you also need something like mod_proxy_html to rewrite HTML on > the fly, or would that not be required in this case? At a minimum, you'd need mod_proxy and mod_proxy_http. Other modules might be required to tunnel SSL or whatever. -- Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/