httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Matus UHLAR - fantomas <uh...@fantomas.sk>
Subject Re: [users@httpd] How do I keep Virtural hosts from seeing the others document root?
Date Sun, 03 Apr 2011 19:56:15 GMT
On 06.03.11 22:43, aaronrus@comcast.net wrote:
> I have apache2 running virtual hosts. Ive fingered out how to jail a user
> that uploads files to the document root using jailkit and only allow SFTP
> access. What I have not fingered out is how to keep a user from reading
> other files on the system such as other virtual host document roots by
> uploading a phpshell which runs under the www-data user which is not
> jailed.
> 
> I could jail the www-data account but this would not prevent one virtual
> host from seeing another using a phpshell since they would be in the same
> jail.

> what I think I need to do is run each virtural host under a different user
> account so I can jail each separate. How would I set this up? can virtual
> hosts be run with different user accounts?

I think that they can by using peruser MPM but I think it's only scalable to
a few hundreds/thousands of accounts.

> The reasoning behind this is I want to protect the PHP scripts from being
> viewed.

run PHP as module and configure directives like open_basedir and doc_root.

for CGI, you can configure all www directories to have 0750 permissions (write
for owner, read for group) and run apache under user nobody but the group
you give to all directories. Note that ordinary users must not belong to the
group.

Running under suexec, run scripts under the userid and group that doesn't
have permission to read those directories.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.  -- Daffy Duck & Porky Pig

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message