Greeting brave experts,
This is a tricky question, and I'm looking for some insightful solution ideas.
I'm trying to make my web hosting situation as secure as possible. I'm running apache 2.0.39 with the prefork MPM. This problem would be trivial to solve if I ran the perchild MPM, but I can't for two reasons:
1. It doesn't function at all for me
2. there is some overhead with the perchild MPM that I want to avoid having.
So here's my situation: apache runs as user 'nobody', and thus all files it reads must be readable by 'nobody'. The problem with this is that anyone can use a simple php script to have the same access to files as the web server. Observe:
My problem with this is that it grants anyone with ftp access to a site on the server the ability to read session information and files that contain database passwords. Not to mention source code for sites that needs to be hidden.
This simply won't do, and if I could tell apache to deny all permission to files above its documentRoot (per virtual server), then my problem would be solved. Even if I could have every virtual server operate in a chroot environment, I could work with that.
If a way to do such a thing is not possible, then I could try running the perchild mpm. The problem there is that apache always crashes if I use that one.
Thank you for your time,