Dear all, The short version:I'm an Apache n00b and would like to know how to set it up to run under different user accounts depending on the directory served.
The long version:I would like to use Apache to set up an environment where students can attempt to exploit vulnerable websites made for them to practice. The idea is that there will be a virtual machine running Apache with a number of PHP scripts with buggy validation, CGI scripts prone to buffer overflows, sites with potential for SQL injection etc.
Ideally all websites would run on the same virtual machine and Apache would take care of isolating the students and, for each student, each challenge. If a student gains the ability to remotely execute code for challenge n it should not help him/her solve challenge n+1. The assumption is that students don't attempt to exploit the underlying system to achieve privilege escalation, enforced by both having the system fully patched and punishing students who do perform such hacks. However, students should not be able to mess up anything for others accidentally.
I think the best solution would be to have separate Linux users for each student+challenge pair that only has access to the relevant directory. I would then need to have Apache (and any processes created by it) run as right user when serving one of those websites. I prefer to have them all as subdirectories of the same site, but if necessary they can run on different ports.
If it matters anything, Apache on my system is 2.2.16 and comes from the Ubuntu repository (Maverick server edition).
Thanks in advance for any ideas, Erik --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx