Restricting web server's access to files to DocumentRoot with PHP

ini_7 asked on
Apache Web Server
Greetings, brave experts,

This is a tricky question, and I'm looking for some insightful solution ideas.

I'm trying to make my web hosting situation as secure as possible. I'm running Apache 2.0.39 with the prefork MPM. This problem would be trivial to solve if I ran the perchild MPM, but I can't for two reasons:
1. It doesn't function at all for me.
2. There is some overhead with the perchild MPM that I want to avoid having.

So here's my situation: Apache runs as user 'nobody', and thus all files it reads must be readable by 'nobody'. The problem with this is that anyone can use a simple PHP script to have the same access to files as the web server. Observe:
<?php
// Executes with the web server's privileges, so any file readable by 'nobody' is returned.
readfile('/some/file');
?>

My problem with this is that it grants anyone with FTP access to a site on the server the ability to read session information and files that contain database passwords. Not to mention source code for sites that needs to be hidden.

This simply won't do, and if I could tell Apache to deny all permission to files above its DocumentRoot (per virtual server), then my problem would be solved. Even if I could have every virtual server operate in a chroot environment, I could work with that.

If a way to do such a thing is not possible, then I could try running the perchild MPM. The problem there is that Apache always crashes if I use that one.

Thank you for your time,
- Travis
ASKER CERTIFIED SOLUTION
rycamor
