From: Joshua Slive
Reply-To: Joshua Slive
To: users@httpd.apache.org, info@hostinthebox.net
Date: Fri, 8 Apr 2005 22:01:51 -0400
Subject: Re: [users@httpd] Apache Security
In-Reply-To: <42570BDA.6090309@hostinthebox.net>
References: <42570BDA.6090309@hostinthebox.net>
Mailing-List: contact users-help@httpd.apache.org; run by ezmlm

On Apr 8, 2005 6:55 PM, dan wrote:
> Hello, all -
>
> Doing some research into tightening security down on Apache for
> untrusted users, I've come up with a few questions.
>
> Apache's suEXEC functions look pretty neat. But it sounds as if this
> only protects executables (hence the name, suEXEC), and not the actual
> child processes that Apache starts. This is fine, but not exactly what
> I'm looking for.
>
> Ultimately, I'd like to have each VirtualHost run as a separate user,
> and then from there I can restrict access based on user privileges,
> rather than doing this through Apache.
>
> There's also the jail, but for this situation, it wouldn't quite work for a
> number of reasons.
>
> If there's anything remotely close to what I'm thinking about, can
> someone please bounce back a message to the list and tell me a bit about
> it? If I'm wrong about how suEXEC works, can you please correct me on
> that, as well? Would you mind giving some details as to how you would
> secure Apache for hosting for untrusted users?

This is actually a very hard problem because of the basic nature of unix
security. See, for example, the discussion of this topic here:

http://mail-archives.eu.apache.org/mod_mbox/httpd-users/200311.mbox/%3cPine.WNT.4.58.0311021536350.1528@bronfman504%3e

The closest you will come is

1. The "metux mpm", which I've never used. I'm not sure how well it
   works.

2. Setting up a bunch of different apache installs on different ports
   with different users and putting a reverse proxy in front of them.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
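Joshua's second option, one Apache instance per customer behind a reverse proxy, as an added example that is not part of the original thread or of the httpd project: a POSIX shell generator that writes one loopback-only httpd.conf per untrusted customer, each running as that customer's own Unix user, plus the front-end vhosts that ProxyPass each hostname to its instance. The customer table, user names, ports, paths and hostnames are constructed sample data, and the directive syntax assumes httpd 2.4 with mod_proxy and mod_proxy_http loaded.

```shell
#!/bin/sh
# Added example, not code from the original thread. Generates the config for
# the "separate instances behind a reverse proxy" approach: one Apache instance
# per untrusted customer, each bound to 127.0.0.1 on its own port and running
# as that customer's Unix user, with a single front-end Apache reverse-proxying
# each hostname to its instance.
# Users, groups, ports, paths and hostnames below are constructed sample data;
# directive syntax assumes httpd 2.4 (Require) and mod_proxy/mod_proxy_http.

# Constructed customer table: USER GROUP PORT DOCROOT SERVERNAME
CUSTOMERS='alice alice 8081 /srv/www/alice www.alice.example
bob bob 8082 /srv/www/bob www.bob.example'

# backend_conf USER GROUP PORT DOCROOT
# Emits a minimal standalone httpd.conf for one customer's instance.
backend_conf() {
    user=$1 group=$2 port=$3 docroot=$4
    cat <<EOF
# Backend httpd instance for $user (generated); start with:
#   httpd -f /etc/httpd/backends/$user.conf
ServerRoot "/usr/local/apache2"
PidFile "/var/run/httpd-$user.pid"
# Loopback only: nothing but the front-end proxy may reach this instance.
Listen 127.0.0.1:$port
# The worker children, and therefore any in-process code such as mod_php
# they run, drop to this user; suEXEC alone only covers spawned executables.
User $user
Group $group
ServerName $user.backend.invalid
DocumentRoot "$docroot"
ErrorLog "/var/log/httpd/$user-error_log"
CustomLog "/var/log/httpd/$user-access_log" combined
<Directory "$docroot">
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# frontend_vhost SERVERNAME PORT
# Emits the front-end vhost that forwards one hostname to its backend.
frontend_vhost() {
    server=$1 port=$2
    cat <<EOF
<VirtualHost *:80>
    ServerName $server
    # Forward requests only; never act as an open forward proxy.
    ProxyRequests Off
    # Keep the client's Host header so the backend sees its own name.
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:$port/
    ProxyPassReverse / http://127.0.0.1:$port/
</VirtualHost>
EOF
}

# check_customers: fail if two customers share a user or a port, which would
# merge their privilege domains or make the second instance fail to bind.
check_customers() {
    dups=$(printf '%s\n' "$CUSTOMERS" | awk '{print $1; print "port:" $3}' | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate user/port: $dups" >&2; return 1; }
}

# generate_all OUTDIR: write OUTDIR/backends/<user>.conf for every customer
# and a single OUTDIR/frontend-proxy.conf holding all proxy vhosts.
generate_all() {
    out=$1
    check_customers || return 1
    mkdir -p "$out/backends"
    : > "$out/frontend-proxy.conf"
    printf '%s\n' "$CUSTOMERS" | while read -r user group port docroot server; do
        backend_conf "$user" "$group" "$port" "$docroot" > "$out/backends/$user.conf"
        frontend_vhost "$server" "$port" >> "$out/frontend-proxy.conf"
    done
}

# Usage: sh split-apache.sh /etc/httpd/generated
if [ $# -gt 0 ]; then
    generate_all "$1"
fi
```

Each backend is started separately (`httpd -f /etc/httpd/backends/alice.conf`), so it gets its own PidFile, logs and `User`; the front end is the only process bound to port 80, and the `check_customers` step catches the one misconfiguration that would quietly undo the isolation, two customers mapped to the same Unix user or port. The backends still share one kernel and one filesystem, so the per-user file permissions Dan wanted to rely on remain the actual enforcement boundary.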