httpd-users mailing list archives

From Joshua Slive <jsl...@gmail.com>
Subject Re: [users@httpd] Apache Security
Date Sat, 09 Apr 2005 02:01:51 GMT
On Apr 8, 2005 6:55 PM, dan <info@hostinthebox.net> wrote:
> Hello, all -
> 
> Doing some research into tightening security down on Apache for
> untrusted users, I've come up with a few questions.
> 
> Apache's suEXEC functions look pretty neat.  But it sounds as if this
> only protects executables (hence the name, suEXEC), and not the actual
> child processes that Apache starts.  This is fine, but not exactly what
> I'm looking for.
> 
> Ultimately, I'd like to have each VirtualHost run as a separate user,
> and then from there I can restrict access based on user privileges,
> rather than doing this through Apache.
> 
> There's also the jail, but for this situation, wouldn't quite work for a
> number of reasons.
> 
> If there's anything remotely close to what I'm thinking about, can
> someone please bounce back a message to the list and tell me a bit about
> it?  If I'm wrong about how suEXEC works, can you please correct me on
> that, as well?  Would you mind giving some details as to how you would
> secure Apache for hosting for untrusted users?

This is actually a very hard problem because of the basic nature of
unix security.  See, for example, the discussion of this topic here:
http://mail-archives.eu.apache.org/mod_mbox/httpd-users/200311.mbox/%3cPine.WNT.4.58.0311021536350.1528@bronfman504%3e

The closest you will come is
1. The "metux mpm", which I've never used.  I'm not sure how well it works.
2. Setting up a bunch of different Apache installs on different ports
with different users and putting a reverse proxy in front of them.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
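
The second option in the reply above (one httpd instance per user behind a reverse proxy), sketched as an added configuration example that is not part of the original message or the Apache project's own documentation. It assumes Apache 2.4 syntax with mod_proxy and mod_proxy_http loaded in the front end; the account names, hostnames, ports and paths are constructed for illustration, and LoadModule/MPM lines are omitted.

```apache
# --- /etc/httpd-site1/httpd.conf: backend instance for site1 (constructed) ---
# Bound to loopback only, so it is reachable solely through the front end.
# Every request, CGI script and module handler in this instance runs as
# site1, so ordinary file permissions (e.g. /home/site1 mode 0750) keep
# site2 out without any per-vhost logic inside Apache.
ServerRoot   "/etc/httpd-site1"
Listen       127.0.0.1:8081
User         site1
Group        site1
PidFile      /var/run/httpd-site1.pid
ErrorLog     /var/log/httpd-site1/error.log
DocumentRoot "/home/site1/public_html"
<Directory "/home/site1/public_html">
    Require all granted
</Directory>

# --- /etc/httpd-site2/httpd.conf: same layout, different account and port ---
ServerRoot   "/etc/httpd-site2"
Listen       127.0.0.1:8082
User         site2
Group        site2
PidFile      /var/run/httpd-site2.pid
ErrorLog     /var/log/httpd-site2/error.log
DocumentRoot "/home/site2/public_html"
<Directory "/home/site2/public_html">
    Require all granted
</Directory>

# --- /etc/httpd-front/httpd.conf: public reverse proxy ---
# Serves no user content itself; it only routes by Host header.
Listen 80
ProxyRequests Off            # reverse proxy only, never an open forward proxy
<VirtualHost *:80>
    ServerName site1.example.com
    ProxyPreserveHost On     # backend sees the original Host header
    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>
<VirtualHost *:80>
    ServerName site2.example.com
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8082/
    ProxyPassReverse / http://127.0.0.1:8082/
</VirtualHost>
```

Because the backends see every connection as coming from 127.0.0.1, client addresses in their logs and access rules need to come from the X-Forwarded-For header that mod_proxy_http adds.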

