[CentOS] Running Apache sites as separate users

Fri Sep 30 20:58:46 UTC 2011
Trey Dockendorf <treydock at gmail.com>

On Sep 30, 2011 1:49 PM, "Michael Crilly" <mrcrilly at gmail.com> wrote:
>
> I'm not sure why you would want each website on its own Apache process (as
> that just isn't needed), but some of the ideas here are a bit...
> over-the-top.
>
> There are a few options of improving the security of your Apache setup.
You
> can use something like FastCGI based PHP applications or suPHP; both
FastCGI
> and suPHP will enable Apache to drop down to a lower privileged user when
> accessing a website. This basically eliminates the chance that one website
> being hacked means all your websites being hacked. The reason for this is
> because the ownership of each website will be the user who owns the
website.
> So in an example example1.com would be owned by example_user_1 and as
such,
> the ownership of the files would be something like:
> example_user_1:example_user_1 and rw-r--r--.
>
> You don't really need to go beyond this to "secure" each site.
>
> I hope this helps.
>
> On 30 September 2011 19:15, Trey Dockendorf <treydock at gmail.com> wrote:
>
> > On Sep 30, 2011 11:43 AM, "John R Pierce" <pierce at hogranch.com> wrote:
> > >
> > > On 09/30/11 9:26 AM, Trey Dockendorf wrote:
> > > > However they also
> > > > want to have the CMS write to the .htaccess files to dynamically
> > control
> > > > which users can access the dowloads portion of the sites.  That Im
> > strongly
> > > > against.
> > >
> > > CMS systems almost always use their own authentication and downloading
> > > mechanisms, they don't rely on .htaccess for anything other than
> > > possibily configuring whatever specific apache settings they need
> > > (cgi-bin, etc)
> > >
> > > --
> > > john r pierce                            N 37, W 122
> > > santa cruz ca                         mid-left coast
> > >
> > > _______________________________________________
> > > CentOS mailing list
> > > CentOS at centos.org
> > > http://lists.centos.org/mailman/listinfo/centos
> >
> > I agree, unfortunately my role is the sysadmin for this project, not the
> > developer.  Im running dozens of instances using Drupal, Wordpress and
> > Mediawiki all very successfully and securely without ever having to
think
> > about these types of security measures.  Once I get through the red tape
of
> > being allowed to pen test my own servers, then I'll have a better idea
how
> > well I've done.
> >
> > - Trey
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

That does thanks!

- Trey