httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] How do I keep Virtural hosts from seeing the others document root?
Date Sun, 06 Mar 2011 23:11:58 GMT
  On March 6, 2011 17:43 , aaronrus@comcast.net wrote:
> I have apache2 running virtual hosts. Ive fingered out how to jail a 
> user that uploads files to the document root using jailkit and only 
> allow SFTP access. What I have not fingered out is how to keep a user 
> from reading other files on the system such as other virtual host 
> document roots by uploading a phpshell which runs under the www-data 
> user which is not jailed.

Other people will hopefully have more and/or better suggestions, but 
here are mine:

- Use FastCGI to run code for each virtual host as a user specific to 
that virtual host.  For example, if you have several virtual hosts 
running PHP code, you could set up a separate instance of php-fpm for 
each one.  See http://us3.php.net/manual/en/install.fpm.php   If you go 
this route, try it with mod_fastcgi on the httpd end of things first -- 
you'd need to use set-uid wrapper scripts if you used mod_fcgid, and 
php-fpm currently lacks support for mod_proxy_fcgi.

Alternatively:

- If you are running on a system that has SELinux, haven't disabled it, 
and are running Apache HTTP Server under it, then Apache/SELinux plus 
will hopefully give you what you want.  See 
http://code.google.com/p/sepgsql/wiki/Apache_SELinux_plus

If nothing else works:

- Run a separate instance of httpd for each virtual host, each with it's 
own httpd.conf and each running as a separate user on a unique port (not 
port 80).  Configure these instances to only talk to a reverse proxy 
that sits in front of them and listens on port 80.

I hope this helps.

--
   Mark Montague
   mark@catseye.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message