httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Montague <>
Subject Re: [users@httpd] How do I keep Virtural hosts from seeing the others document root?
Date Sun, 06 Mar 2011 23:11:58 GMT
  On March 6, 2011 17:43 , wrote:
> I have apache2 running virtual hosts. Ive fingered out how to jail a 
> user that uploads files to the document root using jailkit and only 
> allow SFTP access. What I have not fingered out is how to keep a user 
> from reading other files on the system such as other virtual host 
> document roots by uploading a phpshell which runs under the www-data 
> user which is not jailed.

Other people will hopefully have more and/or better suggestions, but 
here are mine:

- Use FastCGI to run code for each virtual host as a user specific to 
that virtual host.  For example, if you have several virtual hosts 
running PHP code, you could set up a separate instance of php-fpm for 
each one.  See   If you go 
this route, try it with mod_fastcgi on the httpd end of things first -- 
you'd need to use set-uid wrapper scripts if you used mod_fcgid, and 
php-fpm currently lacks support for mod_proxy_fcgi.


- If you are running on a system that has SELinux, haven't disabled it, 
and are running Apache HTTP Server under it, then Apache/SELinux plus 
will hopefully give you what you want.  See

If nothing else works:

- Run a separate instance of httpd for each virtual host, each with it's 
own httpd.conf and each running as a separate user on a unique port (not 
port 80).  Configure these instances to only talk to a reverse proxy 
that sits in front of them and listens on port 80.

I hope this helps.

   Mark Montague

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message