httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Erik van der Kouwe <>
Subject [users@httpd] Configuring Apache to run as a different user for each directory
Date Sun, 24 Apr 2011 19:19:13 GMT
Dear all,

The short version:

I'm an Apache n00b and would like to know how to set it up to run under 
different user accounts depending on the directory served.

The long version:

I would like to use Apache to set up an environment where students can 
attempt to exploit vulnerable websites made for them to practice. The 
idea is that there will be a virtual machine running Apache with a 
number of PHP scripts with buggy validation, CGI scripts prone to buffer 
overflows, sites with potential for SQL injection etc.

Ideally all websites would run on the same virtual machine and Apache 
would take care of isolating the students and, for each student, each 
challenge. If a student gains the ability to remotely execute code for 
challenge n it should not help him/her solve challenge n+1. The 
assumption is that students don't attempt to exploit the underlying 
system to achieve privilege escalation, enforced by both having the 
system fully patched and punishing students who do perform such hacks. 
However, students should not be able to mess up anything for others 

I think the best solution would be to have separate Linux users for each 
student+challenge pair that only has access to the relevant directory. I 
would then need to have Apache (and any processes created by it) run as 
right user when serving one of those websites. I prefer  to have them 
all as subdirectories of the same site, but if necessary they can run on 
different ports.

If it matters anything, Apache on my system is 2.2.16 and comes from the 
Ubuntu repository (Maverick server edition).

Thanks in advance for any ideas,

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message