On Sep 30, 2011 1:49 PM, "Michael Crilly" <mrcrilly at gmail.com> wrote:
>
> I'm not sure why you would want each website on its own Apache process (as
> that just isn't needed), but some of the ideas here are a bit...
> over-the-top.
>
> There are a few options of improving the security of your Apache setup. You
> can use something like FastCGI based PHP applications or suPHP; both FastCGI
> and suPHP will enable Apache to drop down to a lower privileged user when
> accessing a website. This basically eliminates the chance that one website
> being hacked means all your websites being hacked. The reason for this is
> because the ownership of each website will be the user who owns the website.
> So in an example example1.com would be owned by example_user_1 and as such,
> the ownership of the files would be something like:
> example_user_1:example_user_1 and rw-r--r--.
>
> You don't really need to go beyond this to "secure" each site.
>
> I hope this helps.
>
> On 30 September 2011 19:15, Trey Dockendorf <treydock at gmail.com> wrote:
>
> > On Sep 30, 2011 11:43 AM, "John R Pierce" <pierce at hogranch.com> wrote:
> > >
> > > On 09/30/11 9:26 AM, Trey Dockendorf wrote:
> > > > However they also want to have the CMS write to the .htaccess files
> > > > to dynamically control which users can access the downloads portion
> > > > of the sites. That I'm strongly against.
> > >
> > > CMS systems almost always use their own authentication and downloading
> > > mechanisms, they don't rely on .htaccess for anything other than
> > > possibly configuring whatever specific apache settings they need
> > > (cgi-bin, etc)
> > >
> > > --
> > > john r pierce N 37, W 122
> > > santa cruz ca mid-left coast
> > >
> > > _______________________________________________
> > > CentOS mailing list
> > > CentOS at centos.org
> > > http://lists.centos.org/mailman/listinfo/centos
> >
> > I agree, unfortunately my role is the sysadmin for this project, not the
> > developer. I'm running dozens of instances using Drupal, Wordpress and
> > Mediawiki all very successfully and securely without ever having to think
> > about these types of security measures. Once I get through the red tape of
> > being allowed to pen test my own servers, then I'll have a better idea how
> > well I've done.
> >
> > - Trey

That does, thanks!

- Trey
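
Added example, not part of the thread: a shell check for the per-site ownership layout Michael Crilly describes above (each site's files owned by that site's own user, mode rw-r--r--). It assumes GNU find (-printf), as shipped on CentOS; the function name audit_docroot, its output format and the temporary demo tree are constructed for this illustration.

```shell
#!/bin/sh
# audit_docroot DOCROOT OWNER [GROUP]
#   Prints one finding per line; returns 0 if the tree is clean, 1 otherwise.
#   Hypothetical helper, written for this example.
audit_docroot() {
    ad_root=$1; ad_owner=$2; ad_group=${3:-$2}
    ad_findings=$(
        find "$ad_root" \( -type f -o -type d \) -printf '%u %g %m %p\n' |
        while read -r u g mode path; do
            [ "$u" = "$ad_owner" ] || echo "OWNER $u (want $ad_owner): $path"
            [ "$g" = "$ad_group" ] || echo "GROUP $g (want $ad_group): $path"
            # Octal mode: the last digit is "other", the one before it "group".
            # A digit of 2, 3, 6 or 7 has the write bit set, which would let
            # another account modify this site's files.
            case $mode in
                *[2367]?|*[2367]) echo "WRITABLE mode $mode: $path" ;;
            esac
        done
    )
    if [ -z "$ad_findings" ]; then
        return 0
    fi
    printf '%s\n' "$ad_findings"
    return 1
}

# Constructed demo tree: one file with the expected rw-r--r-- mode and one
# left world-writable.
demo=$(mktemp -d)
mkdir "$demo/example1.com"
: > "$demo/example1.com/index.php"
: > "$demo/example1.com/upload.php"
chmod 755 "$demo/example1.com"
chmod 644 "$demo/example1.com/index.php"
chmod 666 "$demo/example1.com/upload.php"
# The demo uses whoever owns the temp tree in place of example_user_1.
demo_user=$(find "$demo/example1.com" -maxdepth 0 -printf '%u')
demo_group=$(find "$demo/example1.com" -maxdepth 0 -printf '%g')
audit_docroot "$demo/example1.com" "$demo_user" "$demo_group" ||
    echo "example1.com: findings listed above"
rm -rf "$demo"
```

On a real host the call would be one per site, for example audit_docroot with the site's document root and example_user_1 as both owner and group.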