Re: Running Apache sites as separate users




I'm not sure why you would want each website on its own Apache process (as
that just isn't needed), but some of the ideas here are a bit...
over-the-top.

There are a few options for improving the security of your Apache setup. You
can use something like FastCGI based PHP applications or suPHP; both FastCGI
and suPHP will enable Apache to drop down to a lower privileged user when
accessing a website. This basically eliminates the chance that one website
being hacked means all your websites being hacked. The reason for this is
because the ownership of each website will be the user who owns the website.
So in an example, example1.com would be owned by example_user_1 and as such,
the ownership of the files would be something like:
example_user_1:example_user_1 and rw-r--r--.

You don't really need to go beyond this to "secure" each site.

I hope this helps.

On 30 September 2011 19:15, Trey Dockendorf <treydock@xxxxxxxxx> wrote:

> On Sep 30, 2011 11:43 AM, "John R Pierce" <pierce@xxxxxxxxxxxx> wrote:
> >
> > On 09/30/11 9:26 AM, Trey Dockendorf wrote:
> > > However they also
> > > want to have the CMS write to the .htaccess files to dynamically control
> > > which users can access the downloads portion of the sites.  That I'm strongly
> > > against.
> >
> > CMS systems almost always use their own authentication and downloading
> > mechanisms, they don't rely on .htaccess for anything other than
> > possibly configuring whatever specific apache settings they need
> > (cgi-bin, etc)
> >
> > --
> > john r pierce                            N 37, W 122
> > santa cruz ca                         mid-left coast
> >
> > _______________________________________________
> > CentOS mailing list
> > CentOS@xxxxxxxxxx
> > http://lists.centos.org/mailman/listinfo/centos
>
> I agree, unfortunately my role is the sysadmin for this project, not the
> developer.  I'm running dozens of instances using Drupal, Wordpress and
> Mediawiki all very successfully and securely without ever having to think
> about these types of security measures.  Once I get through the red tape of
> being allowed to pen test my own servers, then I'll have a better idea how
> well I've done.
>
> - Trey
>
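
An audit of the per-site ownership layout described in the message above, as an added example that is not part of the original thread: it walks one site's document root and reports entries not owned by the site's user, files writable by group or other, and symlinks that point outside the tree. The function name, the numeric uid/gid arguments and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_docroot(docroot, uid, gid):
    """Return (path, problem) pairs for entries that break per-site isolation.

    Hypothetical helper: uid/gid are the numeric ids of the site's own user,
    e.g. example_user_1 from the message above.
    """
    root = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect the entry itself, not a link target
            if stat.S_ISLNK(st.st_mode):
                # A link out of the tree lets one site's user reach other data.
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    findings.append((path, "symlink leaves docroot"))
                continue
            if (st.st_uid, st.st_gid) != (uid, gid):
                findings.append((path, "owner %d:%d, expected %d:%d"
                                 % (st.st_uid, st.st_gid, uid, gid)))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "group/other writable: "
                                 + stat.filemode(st.st_mode)))
    return findings

if __name__ == "__main__":
    # Constructed sample tree standing in for example1.com's document root.
    site = tempfile.mkdtemp(prefix="example1.com-")
    for name, mode in (("index.php", 0o644), ("upload.php", 0o666)):
        path = os.path.join(site, name)
        open(path, "w").close()
        os.chmod(path, mode)
    os.symlink("/etc", os.path.join(site, "conf"))
    owner = os.stat(os.path.join(site, "index.php"))
    for path, problem in audit_docroot(site, owner.st_uid, owner.st_gid):
        print(path, "->", problem)
```

Run it once per site with that site's own uid and gid; an empty result means every entry matches the owner and rw-r--r-- style layout from the message.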

