On Apr 8, 2005 6:55 PM, dan <info@xxxxxxxxxxxxxxxx> wrote:
> Hello, all -
>
> Doing some research into tightening security down on Apache for
> untrusted users, I've come up with a few questions.
>
> Apache's suEXEC functions look pretty neat. But it sounds as if this
> only protects executables (hence the name, suEXEC), and not the actual
> child processes that Apache starts. This is fine, but not exactly what
> I'm looking for.
>
> Ultimately, I'd like to have each VirtualHost run as a separate user,
> and then from there I can restrict access based on user privileges,
> rather than doing this through Apache.
>
> There's also the jail, but for this situation, wouldn't quite work for a
> number of reasons.
>
> If there's anything remotely close to what I'm thinking about, can
> someone please bounce back a message to the list and tell me a bit about
> it? If I'm wrong about how suEXEC works, can you please correct me on
> that, as well? Would you mind giving some details as to how you would
> secure Apache for hosting for untrusted users?

This is actually a very hard problem because of the basic nature of
Unix security. See, for example, the discussion of this topic here:
http://mail-archives.eu.apache.org/mod_mbox/httpd-users/200311.mbox/%3cPine.WNT.4.58.0311021536350.1528@bronfman504%3e

The closest you will come is
1. The "metux mpm", which I've never used. I'm not sure how well it works.
2. Setting up a bunch of different Apache installs on different ports
   with different users and putting a reverse proxy in front of them.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
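
Option 2 from the reply above, sketched as an added example that is not part of the original message: two backend httpd instances, each under its own Unix account, behind one front instance that only proxies. The account names, ports, file paths and hostnames are assumptions chosen for illustration.

```apache
# Added illustration; accounts, ports, paths and hostnames are assumptions.
# Written for the Apache 2.0/2.2 of the thread's era.

# ---- backend instance for customer A: conf-site-a/httpd.conf ----
# User/Group only take effect when this instance is started as root.
User  site-a
Group site-a
# Bind to loopback so the instance is not reachable from the network directly.
Listen 127.0.0.1:8081
PidFile  /var/run/httpd-site-a.pid
ErrorLog /var/log/httpd/site-a-error.log
ServerName www.site-a.example
# Owned by site-a, mode 0750: the site-b account cannot read it.
DocumentRoot /home/site-a/htdocs

# ---- backend instance for customer B: conf-site-b/httpd.conf ----
User  site-b
Group site-b
Listen 127.0.0.1:8082
PidFile  /var/run/httpd-site-b.pid
ErrorLog /var/log/httpd/site-b-error.log
ServerName www.site-b.example
DocumentRoot /home/site-b/htdocs

# ---- front instance: conf-front/httpd.conf ----
# Runs as its own unprivileged account with no access to customer files.
User  www-front
Group www-front
Listen 80
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# Reverse proxy only; never act as an open forward proxy.
ProxyRequests Off
# Needed for name-based vhosts on 2.0/2.2 (obsolete in 2.4).
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www.site-a.example
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>

<VirtualHost *:80>
    ServerName www.site-b.example
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8082/
    ProxyPassReverse / http://127.0.0.1:8082/
</VirtualHost>
```

Each section is a separate configuration file loaded by its own httpd process (started with `-f`). The isolation between customers comes from ordinary file ownership and permissions on their directories, since every script and module in a backend runs as that backend's account.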