PHP virtual host security
I recently came to relaise that since all files for the www side of virtual hosting are stored under the same user id that i could potentially have a security risk on my hands.. And sure enough after doing some basic testing i did.
basicly via php, my virtual users could include/echo/dowhatever other virtual users files.. This obviously presents a massive secuirty risk, which i have since downgraded slightly by including in everyones virtualhost delcaration "phpadmin phpadminvalue openbasedir /home/hosting/domain.com/www" which makes php restrict access to the domain.
But it got me thinking a long the lines of obviously there is more to this that i havnt thought of.
Is there an easy way to chroot each virtualhost to itself? I dont particularly want to have another instance of apache per virtualhost either.. But surely there has to be some easy way to secure apache's virtual hosts in this mannor?
Has anyone else come accross this problem and what typically was the way you decided to overcome this?
Thanks!
4 Replies
here
Since this is virtual hosting, and all my users are virtual. they have the same UID. that is of the user WebHostingUser (5500). So running phpsuexec isnt going to stop the problem of the users being able to access the same files.
I need a non specific php way of doing it, as there is going to be tomcat(jsp) and propably perl or something simular which is going to mean i need a solution outside of the individual language.
As a last resource, i will run apache and tomcat in a chroot enviroment, and allocate a block of user ids to each of my virtual hosting accounts. Then with the help of solutions like phpsuexec i will restrict it in that..
Truth be told i was just looking for a slightly simpler solution
They both look simpler than your plan B. I think I would favour the second of the two.Apache + Chroot + FastCGI + PHP FAQ
Caveat: I only read them, I didn't actually try them - I'm the only user on my Linode. YMMV.
mod_diffprivs