Re: How do I keep Virtual hosts from seeing the others' document root?

On March 6, 2011 17:43, aaronrus@xxxxxxxxxxx wrote:
I have apache2 running virtual hosts. I've figured out how to jail a user that uploads files to the document root using jailkit and only allow SFTP access. What I have not figured out is how to keep a user from reading other files on the system such as other virtual host document roots by uploading a phpshell which runs under the www-data user which is not jailed.

Other people will hopefully have more and/or better suggestions, but here are mine:

- Use FastCGI to run code for each virtual host as a user specific to that virtual host. For example, if you have several virtual hosts running PHP code, you could set up a separate instance of php-fpm for each one. See http://us3.php.net/manual/en/install.fpm.php If you go this route, try it with mod_fastcgi on the httpd end of things first -- you'd need to use set-uid wrapper scripts if you used mod_fcgid, and php-fpm currently lacks support for mod_proxy_fcgi.

Alternatively:

- If you are running on a system that has SELinux, haven't disabled it, and are running Apache HTTP Server under it, then Apache/SELinux plus will hopefully give you what you want. See http://code.google.com/p/sepgsql/wiki/Apache_SELinux_plus

If nothing else works:

- Run a separate instance of httpd for each virtual host, each with its own httpd.conf and each running as a separate user on a unique port (not port 80). Configure these instances to only talk to a reverse proxy that sits in front of them and listens on port 80.

I hope this helps.

--
  Mark Montague
  mark@xxxxxxxxxxx
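To make the first suggestion concrete, here is an added example of the httpd side of a per-virtual-host php-fpm setup, using mod_fastcgi as Mark recommends. It is not from the original thread or from the Apache or PHP projects; the host names, Unix users, document roots and socket paths are assumptions. Each virtual host hands its .php requests to its own php-fpm pool over a Unix socket, so PHP code uploaded to vhost1 runs as user vhost1 and never as www-data.

```apache
# Added example (not from the thread): one php-fpm pool per virtual host,
# reached through mod_fastcgi. Host names, users, paths and socket names
# are assumptions. Apache 2.2 access-control syntax is used throughout.
<IfModule mod_fastcgi.c>
    # Each FastCgiExternalServer entry maps a local path (it need not exist
    # on disk) to one php-fpm listening socket. The vhost1 socket belongs to
    # the vhost1 pool, whose workers run as Unix user "vhost1"; the vhost2
    # socket to a pool running as "vhost2". Neither runs as www-data.
    FastCgiExternalServer /var/www/fcgi/vhost1 -socket /var/run/php-fpm-vhost1.sock
    FastCgiExternalServer /var/www/fcgi/vhost2 -socket /var/run/php-fpm-vhost2.sock
</IfModule>

# The aliased FastCGI paths must be reachable and allowed to execute.
<Directory /var/www/fcgi>
    Options +ExecCGI
    Order allow,deny
    Allow from all
</Directory>

<VirtualHost *:80>
    ServerName vhost1.example
    DocumentRoot /var/www/vhost1/htdocs
    # .php files are routed to the vhost1 pool; the handler name is distinct
    # per vhost so the two Action mappings cannot be confused.
    AddHandler php-fastcgi-vhost1 .php
    Action php-fastcgi-vhost1 /php-fcgi-vhost1
    Alias /php-fcgi-vhost1 /var/www/fcgi/vhost1
    <Directory /var/www/vhost1/htdocs>
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName vhost2.example
    DocumentRoot /var/www/vhost2/htdocs
    AddHandler php-fastcgi-vhost2 .php
    Action php-fastcgi-vhost2 /php-fcgi-vhost2
    Alias /php-fcgi-vhost2 /var/www/fcgi/vhost2
    <Directory /var/www/vhost2/htdocs>
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

The matching php-fpm pool for vhost1 (a separate pool section or, as Mark suggests, a separate php-fpm instance with its own config file) needs `user = vhost1`, `group = vhost1`, `listen = /var/run/php-fpm-vhost1.sock`, `listen.owner = www-data`, `listen.group = www-data` and `listen.mode = 0660`, so that httpd can connect to the socket while the worker processes themselves belong to vhost1. The isolation then comes from ordinary filesystem permissions: make each document root owned by its own user with group www-data and mode 750 for directories and 640 for files. httpd, still running as www-data, can read every tree to serve static files, but PHP code running as vhost1 gets "permission denied" on /var/www/vhost2. A quick check after deployment is `sudo -u vhost1 ls /var/www/vhost2/htdocs`, which should fail, and `ps -o user,cmd -C php-fpm`, which should show no pool worker running as www-data.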


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.


