Re: Apache User Isolation/Perchild, or PHP "chroot"?

On Wed, 2 May 2007, Barry Brimer wrote:

Quoting Paul Heinlein <heinlein@xxxxxxxxxx>:

On Wed, 2 May 2007, Dan Mensom wrote:

Has anyone set up any form of apache user isolation on CentOS? I have multiple virtual hosts on my machine, run by users who do not trust each other. The problem is that any php script run by apache is able to do things like raw file io on other users' .htpasswds, php scripts, hidden directory listings, and so on. Database passwords can even be divulged in this way, since they are often stored in .php scripts, which can be read "in the raw" as files by other php scripts.

What is the easiest method for dealing with this? I found http://webauth.stanford.edu/manual/mod/perchild.html but it does not seem to be compiled with the CentOS 5 apache, and I've read elsewhere that php has issues with multithreaded apache. Is there any easy way to isolate individual users, by either having apache setuid, or chrooting php scripts, or (ugh) a clean way to run a new apache copy for each vhost?

One "using a cannon to kill a fly" approach would be

  * each vhost runs Apache under a vhost-specific uid/gid and
    bound only to the loopback interface on a port you
    assign, e.g.,

    vhost01 -- User vhost01, Group vhost01, Listen 127.0.0.1:6001
    vhost02 -- User vhost02, Group vhost02, Listen 127.0.0.1:6002

  * the main apache does little but reverse proxy all the
    vhosts out to the Internet.

    <VirtualHost *:80>
      ServerName vhost01.domain
      ProxyRequests Off
      ProxyPass / http://localhost:6001/
      ProxyPassReverse / http://localhost:6001/
      <Proxy *>
        Order deny,allow
        Allow from all
      </Proxy>
    </VirtualHost>

Given the right file permissions, no vhost would have access to another except via HTTP.

Downside: You're essentially doubling the number of Apache processes on your system. Another Upside: Configuration blunders in the vhosts won't throw errors in your main server process.

I had previously considered this, but never went anywhere with it. Would you also need something like mod_proxy_html to rewrite HTML on the fly, or would that not be required in this case?

At a minimum, you'd need mod_proxy and mod_proxy_http. Other modules might be required to tunnel SSL or whatever.

--
Paul Heinlein <> heinlein@xxxxxxxxxx <> http://www.madboa.com/
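
The isolation described above holds only "given the right file permissions". As an added example that is not part of the original thread, this POSIX shell sketch flags anything under a vhost's directory that is still accessible to "other", which is how a different vhost's uid would reach it. The directory layout and function names are assumptions; it checks mode bits only, not ownership or ACLs.

```shell
#!/bin/sh
# Added example (not from the thread): audit the "right file permissions"
# that per-vhost Apache instances depend on.
# Assumption: each vhost has its own directory tree, owned by that vhost's
# uid/gid, and no other vhost's uid is a member of its group.

# list_other_accessible DIR
# Prints every path under DIR (DIR included) that grants read, write or
# execute/search to "other". POSIX find: "-perm -MODE" matches when all the
# listed bits are set, so each bit is tested separately. Symlinks are
# skipped because their own mode bits are not meaningful.
list_other_accessible() {
    find "$1" ! -type l \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# audit_vhost_root DIR
# Returns 0 when nothing under DIR is reachable by "other", 1 otherwise.
audit_vhost_root() {
    leaks=$(list_other_accessible "$1")
    if [ -n "$leaks" ]; then
        printf 'FAIL %s: accessible to other users:\n%s\n' "$1" "$leaks"
        return 1
    fi
    printf 'OK   %s\n' "$1"
    return 0
}

# audit_all DIR...
# Audits every directory given; the return status is the number that failed.
audit_all() {
    failed=0
    for root in "$@"; do
        audit_vhost_root "$root" || failed=$((failed + 1))
    done
    return "$failed"
}

# Stand-alone use: pass the vhost directories as arguments.
if [ "$#" -gt 0 ]; then
    audit_all "$@"
fi
```

A tree that passes still needs the front-end proxy's uid kept out of every vhost group, since the proxy only needs to reach the backends over HTTP.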