PHP virtual host security

So.. like many other linoders, I resell some of my space/bandwidth to friends/clients in the form of web/email hosting.

I recently came to realise that since all files for the www side of virtual hosting are stored under the same user ID, I could potentially have a security risk on my hands.. And sure enough, after doing some basic testing, I did.

Basically, via PHP, my virtual users could include/echo/do-whatever other virtual users' files.. This obviously presents a massive security risk, which I have since downgraded slightly by including in everyone's VirtualHost declaration "php_admin_value open_basedir /home/hosting/domain.com/www", which makes PHP restrict access to the domain.

But it got me thinking along the lines of: obviously there is more to this that I haven't thought of.

Is there an easy way to chroot each virtualhost to itself? I don't particularly want to have another instance of Apache per virtualhost either.. But surely there has to be some easy way to secure Apache's virtual hosts in this manner?

Has anyone else come across this problem, and what typically was the way you decided to overcome this?

Thanks!
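The open_basedir workaround described in the post above only holds if every VirtualHost block carries it, it is set with php_admin_value, and its path does not cover another tenant's tree. The following audit script is an added example, not part of the original thread; the sample configuration, host names and function names are constructed for illustration, and it assumes unquoted paths and one ServerName and DocumentRoot per block.

```python
import re
from pathlib import PurePosixPath
# Constructed sample config; host names and paths are illustrative only.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName a.example
    DocumentRoot /home/hosting/a.example/www
    php_admin_value open_basedir /home/hosting/a.example/www
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example
    DocumentRoot /home/hosting/b.example/www
    php_value open_basedir /home/hosting/b.example/www
</VirtualHost>
<VirtualHost *:80>
    ServerName c.example
    DocumentRoot /home/hosting/c.example/www
    php_admin_value open_basedir /home/hosting
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, pattern):
    """Return the captured groups of the first matching directive line, or None."""
    m = re.search(r"^\s*" + pattern + r"\s+(\S+)\s*$", body, re.M | re.I)
    return m.groups() if m else None

def covers(base, target):  # True if target is base itself or lies beneath it
    base, target = PurePosixPath(base), PurePosixPath(target)
    return base == target or base in target.parents

def audit(conf):
    """Map each ServerName to a list of open_basedir problems found."""
    hosts = []
    for body in VHOST_RE.findall(conf):
        name, root = directive(body, "ServerName")[0], directive(body, "DocumentRoot")[0]
        hosts.append((name, root, directive(body, r"(php_(?:admin_)?value)\s+open_basedir")))
    findings = {}
    for name, root, ob in hosts:
        issues = []
        if ob is None:
            issues.append("no open_basedir")
        else:
            kind, paths = ob
            if kind.lower() == "php_value":  # may be overridden from .htaccess
                issues.append("set with php_value, which .htaccess may override")
            for p in paths.split(":"):  # open_basedir takes a colon-separated list
                issues += [f"{p} reaches {n}" for n, r, _ in hosts if n != name and covers(p, r)]
        findings[name] = issues
    return findings
```

Calling `audit(SAMPLE_CONF)` reports nothing for a.example, the overridable setting for b.example, and the cross-tenant reach of c.example.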

4 Replies

The only thing I can think of is PHPsuexec, which is explained pretty well here. I'm not sure how to enable it though.

Unfortunately phpsuexec isn't going to help me.

Since this is virtual hosting, and all my users are virtual, they have the same UID, that of the user WebHostingUser (5500). So running phpsuexec isn't going to stop the problem of the users being able to access the same files.

I need a non-PHP-specific way of doing it, as there is going to be Tomcat (JSP) and probably Perl or something similar, which is going to mean I need a solution outside of the individual language.

As a last resort, I will run Apache and Tomcat in a chroot environment, and allocate a block of user IDs to each of my virtual hosting accounts. Then with the help of solutions like phpsuexec I will restrict it in that..

Truth be told, I was just looking for a slightly simpler solution :)

Check these out:
* PHP Security

Caveat: I only read them, I didn't actually try them - I'm the only user on my Linode. YMMV.

Please look at mod_diffprivs. It allows you to have a unique uid/gid for each virtual host. But you must configure Apache to close its child after every request.
