You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by aa...@comcast.net on 2011/03/06 23:43:36 UTC
[users@httpd] How do I keep Virtural hosts from seeing the others document root?
I have apache2 running virtual hosts. Ive fingered out how to jail a user that uploads files to the document root using jailkit and only allow SFTP access. What I have not fingered out is how to keep a user from reading other files on the system such as other virtual host document roots by uploading a phpshell which runs under the www-data user which is not jailed.
I could jail the www-data account but this would not prevent one virtual host from seeing another using a phpshell since they would be in the same jail.
what I think I need to do is run each virtural host under a different user account so I can jail each separate. How would I set this up? can virtual hosts be run with different user accounts?
The reasoning behind this is I want to protect the PHP scripts from being viewed.
Any suggestions or ideals if so send me some links to point me in the right direction.
Thanks
Aaron
Re: [users@httpd] How do I keep Virtural hosts from seeing the others
document root?
Posted by "J. Greenlees" <li...@jaqui-greenlees.net>.
Jim Walls wrote:
~snip~
>
> Did I just answer the question or am I completely missing the question?
>
>
and with no ftp server installed you can point a web bowser to
ftp://xyz.com and httpd will allow ftp protocol read access.
to stop that you need to do as earlier posters described.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] How do I keep Virtural hosts from seeing the others
document root?
Posted by Jim Walls <ji...@k6ccc.org>.
On 3/6/2011 2:43 PM, aaronrus@comcast.net wrote:
> I have apache2 running virtual hosts. Ive fingered out how to jail a
> user that uploads files to the document root using jailkit and only
> allow SFTP access. What I have not fingered out is how to keep a user
> from reading other files on the system such as other virtual host
> document roots by uploading a phpshell which runs under the www-data
> user which is not jailed.
Maybe I'm not understanding the problem. As I understand it, you dont
want a user that has ftp access to one of your virtual hosts to be able
to have read access to another of the virtual hosts. What's the
problem? As I understand the question, this has everything to do with
the security and setup of your ftp server and nothing to do with
apache. I have this very easily. I use Bulletproof FTP server and I
can easily allow a user ID whatever access and to whatever directories I
want. The two virtual servers have completely different document
roots. Let me give an example:
I have a virtual server that is xyz.org with a root of C:\Program
Files\Apache Group\Apache2\htdocs\xyz.org
I have a second virtual server that is abc.info with a root of
C:\Program Files\Apache Group\Apache2\htdocs\abc.info
In my ftp server, the user IDs that are there for access to xyz.org have
no access above C:\Program Files\Apache Group\Apache2\htdocs\xyz.org and
the user IDs that are there for access to abc.info have no access above
C:\Program Files\Apache Group\Apache2\htdocs\abc.info
Did I just answer the question or am I completely missing the question?
--
73
-------------------------------------
Jim Walls - K6CCC
jim@k6ccc.org
Ofc: 818-548-4804
http://members.dslextreme.com/users/k6ccc/
AMSAT Member 32537 - WSWSS Member 395
Re: [users@httpd] How do I keep Virtural hosts from seeing the others
document root?
Posted by Mark Montague <ma...@catseye.org>.
On March 6, 2011 17:43 , aaronrus@comcast.net wrote:
> I have apache2 running virtual hosts. Ive fingered out how to jail a
> user that uploads files to the document root using jailkit and only
> allow SFTP access. What I have not fingered out is how to keep a user
> from reading other files on the system such as other virtual host
> document roots by uploading a phpshell which runs under the www-data
> user which is not jailed.
Other people will hopefully have more and/or better suggestions, but
here are mine:
- Use FastCGI to run code for each virtual host as a user specific to
that virtual host. For example, if you have several virtual hosts
running PHP code, you could set up a separate instance of php-fpm for
each one. See http://us3.php.net/manual/en/install.fpm.php If you go
this route, try it with mod_fastcgi on the httpd end of things first --
you'd need to use set-uid wrapper scripts if you used mod_fcgid, and
php-fpm currently lacks support for mod_proxy_fcgi.
Alternatively:
- If you are running on a system that has SELinux, haven't disabled it,
and are running Apache HTTP Server under it, then Apache/SELinux plus
will hopefully give you what you want. See
http://code.google.com/p/sepgsql/wiki/Apache_SELinux_plus
If nothing else works:
- Run a separate instance of httpd for each virtual host, each with it's
own httpd.conf and each running as a separate user on a unique port (not
port 80). Configure these instances to only talk to a reverse proxy
that sits in front of them and listens on port 80.
I hope this helps.
--
Mark Montague
mark@catseye.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] How do I keep Virtural hosts from seeing the
others document root?
Posted by Nick Kew <ni...@webthing.com>.
On Sun, 6 Mar 2011 22:43:36 +0000 (UTC)
aaronrus@comcast.net wrote:
> I could jail the www-data account but this would not prevent one virtual host from seeing another using a phpshell since they would be in the same jail.
Yep. Virtualhosts aren't designed for that level of security.
You forgot to tell us what platform you're on. You have one
suggestion based on FastCGI, and one I've never heard of based
on selinux. Two simpler alternatives are CGI with suexec
(which is cross-platform) or mod_privileges (for Solaris).
--
Nick Kew
Available for work, contract or permanent.
http://www.webthing.com/~nick/cv.html
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] How do I keep Virtural hosts from seeing the
others document root?
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 06.03.11 22:43, aaronrus@comcast.net wrote:
> I have apache2 running virtual hosts. Ive fingered out how to jail a user
> that uploads files to the document root using jailkit and only allow SFTP
> access. What I have not fingered out is how to keep a user from reading
> other files on the system such as other virtual host document roots by
> uploading a phpshell which runs under the www-data user which is not
> jailed.
>
> I could jail the www-data account but this would not prevent one virtual
> host from seeing another using a phpshell since they would be in the same
> jail.
> what I think I need to do is run each virtural host under a different user
> account so I can jail each separate. How would I set this up? can virtual
> hosts be run with different user accounts?
I think that they can by using peruser MPM but I think it's only scalable to
a few hundreds/thousands of accounts.
> The reasoning behind this is I want to protect the PHP scripts from being
> viewed.
run PHP as module and configure directives like open_basedir and doc_root.
for CGI, you can configure all www directories to have 0750 permissions (write
for owner, read for group) and run apache under user nobody but the group
you give to all directories. Note that ordinary users must not belong to the
group.
Running under suexec, run scripts under the userid and group that doesn't
have permission to read those directories.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson. -- Daffy Duck & Porky Pig
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org