httpd-users mailing list archives

From Nick Edwards <nick.z.edwa...@gmail.com>
Subject [users@httpd] Locking Down httpd w/virtualhosts
Date Tue, 23 Oct 2012 02:38:39 GMT
Hi,
 Is there a way to lock down httpd (2.4.3) similar to the way httpd
docs suggest using the php flag when using the php module?

        php_admin_value open_basedir "/usr/local/lib/php/:/var/www/vhost/example.com/"
        php_admin_value upload_tmp_dir /var/www/vhost/example.com/tmp/
        php_admin_value session.save_path /var/www/vhost/example.com/tmp/


This works rather well in keeping hosts from including content outside
of the permitted dirs with php, and I would have thought that since
httpd is actually doing this, then httpd should have its own option
for locking down users, without going through the dramas of running fully
jailed sessions, which have their own problems/nightmares.

I know that "SuexecUserGroup somehost apache" works well for what
it is designed for, but it does not stop them accessing content like
the php admin flag options do (yes, I know it is mentioned that it is not
foolproof and is dependent on php modules, even when using suhosin), and
I was hoping for a general cgi solution that works the same. Perhaps it's
there and my google fu is failing me today?

If not, could this be a feature request? It cannot be that much of a
resource issue as far as I can see, since it already does this for the php
module.
Maybe --with-suexec-docroot=/var/www could be modified to stop upper
level traversals?
I am not a programmer so I have no idea.

Maybe a docroot option could be introduced for virtualhost config
statements in httpd.conf etc?

Thoughts/Ideas?
Again, full jailing is not an option for internal reasons; some
virtualhosts for the company need access anywhere. It is just general
virtualhosts, or untrusted ones, that need this locking down.
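
An added example, not part of the original message and not httpd or PHP code: a Python sketch of the kind of directory-containment check the open_basedir setting in the message describes, covering `..` traversal, a sibling directory that shares a name prefix, and a symlink pointing outside the allowed directory. The directory names and the functions `is_within` and `demo` are constructed for illustration.

```python
import os
import tempfile


def is_within(path, allowed_dirs):
    """True if path, after resolving symlinks and '..', lies inside an allowed dir."""
    real = os.path.realpath(path)
    for base in allowed_dirs:
        base_real = os.path.realpath(base)
        # commonpath compares whole path components, so a sibling such as
        # ".../example.com-staging" is not treated as inside ".../example.com"
        # (a plain string-prefix test would accept it).
        if os.path.commonpath([real, base_real]) == base_real:
            return True
    return False


def demo():
    """Build a constructed two-vhost tree in a temp dir and check sample paths."""
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "vhost", "example.com")
        other = os.path.join(root, "vhost", "example.com-staging")
        os.makedirs(os.path.join(site, "tmp"))
        os.makedirs(other)
        outside_file = os.path.join(other, "data.txt")
        with open(outside_file, "w") as fh:
            fh.write("constructed sample\n")
        # A link placed inside the vhost that points at the other vhost's file.
        os.symlink(outside_file, os.path.join(site, "tmp", "link"))

        allowed = [site]
        cases = {
            "inside": os.path.join(site, "tmp", "upload.dat"),
            "dotdot": os.path.join(site, "..", "example.com-staging", "data.txt"),
            "sibling_prefix": outside_file,
            "symlink_out": os.path.join(site, "tmp", "link"),
        }
        return {name: is_within(p, allowed) for name, p in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15} {'allow' if ok else 'deny'}")
```

A check like this only constrains code that calls it before opening a file; a CGI program running under suexec is limited by the file permissions of its user, not by a path check in httpd.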
