Date: Sat, 25 Aug 2001 08:47:47 -0400 From: dave@hawk-systems.com (Dave) To: "Clemens Hermann" <haribeau@gmx.de>, "BSD-ISP" <freebsd-isp@FreeBSD.ORG> Subject: RE: apache jail Message-ID: <DBEIKNMKGOBGNDHAAKGNMECGIAAA.dave@hawk-systems.com> In-Reply-To: <20010825113754.A1025@homer.local>
next in thread | previous in thread | raw e-mail | index | archive | help
>how can I send each apach virtual-host into somthing like a jail? I have >several vhosts sharing one IP so the apache could not be run inside the >jails, right? >Furthermore I would like to keep things as much as possible as they are, >the only goal is to avoid, that php-scripts and thelike can access the >system (e.g access the /etc/passwd to read it etc.). > >is there any information available how to do this? This doesn't truley jail them, but restricts access by Apache for the virtual host site from reading anything that isn't owned by that user... then you just need to police your "other" bits for the rest of your server. WARNING: Recently tried this on a test system, havn't ported it yet to production or given it a serious break test. Recent versions of Apache and suexec apache compiled with suexec # set user and group to unique chown USERID:USERID /path/to/user/html/directory # no public access to any files under here that # you don't want public reading, like scripts # with database login information in them chmod -R 0750 /path/to/user/html/directory >in apache's httpd.conf # set each virtual host to run any accesses # as the group USERID giving them only access # to this directory... defeats PHP directory # and shell scripts as long as no public read bits # are set <virtual *> ServerName whatever.com Group USERID </virtual> you end up with http://test1.com and http://test2.com being unable to create PHP scripts or do listings of any other virtual user directory since they are not of the same group, but accesses to the site are made by invoking apache as that group for that session. directory tree drwxr-s--- 2 user1 user1 512 Aug 19 18:23 vtest1 drwxr-s--- 2 user2 user2 512 Aug 19 18:26 vtest2 with directory groups set in the httpd.conf for user1 in vtest1 and user2 in vtest2, neither user should be able to use PHP filesystem functions to browse the other directories as long as no public bits are set, and apache server requests still server the documents from the directories since each users directory has an Group user1 (or user2) set for his directory in the directory or virtual container, thus executing the apache requsts as the appropriate user and not the generic www user. Please feel free to point out any errors in my logic... it appears pretty solid from here and in the preliminary tests I have run... again I have not had the opportunity to really give this a hard look to determine if it only *appears* to limit each sites apache and associated script access to itself. Dave To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DBEIKNMKGOBGNDHAAKGNMECGIAAA.dave>