Posted to users@httpd.apache.org by Erik van der Kouwe <er...@gmail.com> on 2011/04/24 21:19:13 UTC
[users@httpd] Configuring Apache to run as a different user for each directory
Dear all,
The short version:
I'm an Apache n00b and would like to know how to set it up to run under
different user accounts depending on the directory served.
The long version:
I would like to use Apache to set up an environment where students can
attempt to exploit vulnerable websites made for them to practice. The
idea is that there will be a virtual machine running Apache with a
number of PHP scripts with buggy validation, CGI scripts prone to buffer
overflows, sites with potential for SQL injection etc.
Ideally all websites would run on the same virtual machine and Apache
would take care of isolating the students and, for each student, each
challenge. If a student gains the ability to remotely execute code for
challenge n it should not help him/her solve challenge n+1. The
assumption is that students don't attempt to exploit the underlying
system to achieve privilege escalation, enforced by both having the
system fully patched and punishing students who do perform such hacks.
However, students should not be able to mess up anything for others
accidentally.
I think the best solution would be to have separate Linux users for each
student+challenge pair that only has access to the relevant directory. I
would then need to have Apache (and any processes created by it) run as
the right user when serving one of those websites. I prefer to have them
all as subdirectories of the same site, but if necessary they can run on
different ports.
If it matters anything, Apache on my system is 2.2.16 and comes from the
Ubuntu repository (Maverick server edition).
Thanks in advance for any ideas,
Erik
---------------------------------------------------------------------
Re: [users@httpd] Configuring Apache to run as a different user for each directory
Posted by Yehuda Katz <ye...@ymkatz.net>.
On Sun, Apr 24, 2011 at 3:19 PM, Erik van der Kouwe <er...@gmail.com> wrote:
> Dear all,
>
> The short version:
>
> I'm an Apache n00b and would like to know how to set it up to run under
> different user accounts depending on the directory served.
>
This has been on the mailing list three times in the last month, but I would
not necessarily think to search for "Privilege Separation".
http://wiki.apache.org/httpd/PrivilegeSeparation
- Yehuda