From: Erik van der Kouwe
Date: Sun, 24 Apr 2011 21:19:13 +0200
To: users@httpd.apache.org
Subject: [users@httpd] Configuring Apache to run as a different user for each directory

Dear all,

The short version: I'm an Apache n00b and would like to know how to set it up to run under different user accounts depending on the directory served.

The long version: I would like to use Apache to set up an environment where students can attempt to exploit vulnerable websites made for them to practice. The idea is that there will be a virtual machine running Apache with a number of PHP scripts with buggy validation, CGI scripts prone to buffer overflows, sites with potential for SQL injection etc.

Ideally all websites would run on the same virtual machine and Apache would take care of isolating the students and, for each student, each challenge. If a student gains the ability to remotely execute code for challenge n it should not help him/her solve challenge n+1.

The assumption is that students don't attempt to exploit the underlying system to achieve privilege escalation, enforced by both having the system fully patched and punishing students who do perform such hacks.
However, students should not be able to mess up anything for others accidentally.

I think the best solution would be to have separate Linux users for each student+challenge pair that only has access to the relevant directory. I would then need to have Apache (and any processes created by it) run as the right user when serving one of those websites. I prefer to have them all as subdirectories of the same site, but if necessary they can run on different ports.

If it matters anything, Apache on my system is 2.2.16 and comes from the Ubuntu repository (Maverick server edition).

Thanks in advance for any ideas,
Erik