[CentOS] Running Apache sites as separate users

Fri Sep 30 16:26:54 UTC 2011
Trey Dockendorf <treydock at gmail.com>

On Sep 30, 2011 10:58 AM, "Drew" <drew.kay at gmail.com> wrote:
>
> > I think Trey needs to push back - *IF* I understand him correctly, it
> > sounds like duplicate websites, but running as different users.  That, to
> > me, literally makes no sense...mmmm, unless a) the source of the request
> > doesn't understand what he wants, or b) there's something illegal going
> > on, and users going to a different site have different things happening,
> > based on data/database content.
>
> The way I interpreted it he wants it set up so each domain
> (example1.com, example2.com, etc) runs its own Apache server
> under an unprivileged login (apache1, apache2, etc). Chroots should
> accomplish that easily enough. He then wants to use the same CMS
> (Joomla, Wordpress, etc) on each site. My assumption is he's hosting
> several CMS sites and wants each isolated so a compromise of one
> won't compromise the others.
>
> What is confusing is what he means by 'codebase?' Does he want each
> chroot to have its own independent copy? Or does he want to share the
> CMS core files across all instances?
>
>
> --
> Drew

Sorry if my question is confusing, I really don't fully understand the
request myself.

So a single codebase would be only one set of PHP files of the CMS to manage
each subdomain.  The problem with this request I think is a lack of
understanding on what they want vs how it should be done in Apache.  The
goal I think is to keep each site from being affected by one another.  So if
one is compromised then it won't threaten all the sites.  However they also
want to have the CMS write to the .htaccess files to dynamically control
which users can access the downloads portion of the sites.  That I'm strongly
against.

Really I think this would be overkill once standard security measures are
used with a good IDS (OSSEC) and thorough penetration testing.  I also need
to be able to implement this all with Puppet which is my requirement.
Things like a chroot can't easily be done with Puppet yet, or at least that
I'm aware.

Could SELinux isolate sites while still allowing Apache access?  I have
little knowledge of how to do this with SELinux but I know I could do it
with Puppet.

- Trey