sindrit
asked on
VirtualHost per user, security problem?
Here is my problem. I'm using Apache 2.0 on Fedora 2.
I have a server with one httpd running with a few virtual hosts, each "owned" by a different user. But for Apache to have access to /home/bob/example.com, bob has to have all his stuff set to read access for everyone, including mal. Mal will of course use this to fetch Bob's database passwords from the PHP code in example.com, etc.
How can I set up permissions in Linux to allow apache access to both /home/mal/example.net and /home/bob/example.com but not allow mal to access bob and vice versa?
PS. This is what is in httpd.conf:
<VirtualHost *:80>
ServerAdmin mal@example.net
DocumentRoot /home/mal/example.net
ServerName example.net
...
</VirtualHost>
<VirtualHost *:80>
ServerAdmin bob@example.com
DocumentRoot /home/bob/example.com
ServerName example.com
...
</VirtualHost>
If you are running PHP, either use phpsuexec (http://www.suphp.org/Home.html) or restrict the base_dir for those virtual hosts. See http://de3.php.net/manual/en/features.safe-mode.php#ini.open-basedir
ASKER
To clarify what the problem is: both mal and bob have terminal access to the server, allowing them to manage their domains themselves. So I want to deny mal read access to /home/bob but allow Apache to read it.
The last comment only stops mal from using php to gain access to bob through apache.
This question quite possibly belongs in the Linux topic rather than here.
ASKER
I changed my setup considerably.
Now ls -la /home shows:
drwxr-x--- 63 bob bob 4456 2005-01-28 17:16 bob
drwxr-x--- 6 mal mal 704 2004-09-07 08:56 mal
But I created a new directory containing the websites:
# ls -la /www
drwxr-xr-x 4 apache apache 4096 Jan 28 17:58 .
drwxr-xr-x 22 root root 4096 Jan 28 17:58 ..
drwxr-x--- 2 mal apache 4096 Jan 28 17:58 example.net
drwxr-x--- 2 bob apache 4096 Jan 28 17:58 example.com
Then I put symbolic links to the website directories into the home directories. Apache is running as apache:apache, obviously.
Thanks for the help.
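The layout in the post above (site directories owned by the user, group apache, mode drwxr-x---) can be checked with a small script. This is an added example, not part of the thread; the function name audit_docroot is an assumption, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a shared web root laid out like
# the /www listing above: each site directory should be <user>:<web group>
# with mode 750, so httpd reads it through the group bits and other local
# accounts get no access. audit_docroot is an assumed name; needs GNU stat.

audit_docroot() {
    base=$1
    web_group=${2:-apache}      # group httpd runs as ("apache" in the thread)
    bad=0
    for dir in "$base"/*; do
        # Real directories only: a symlink would hide the target's mode.
        if [ ! -d "$dir" ] || [ -L "$dir" ]; then continue; fi
        owner=$(stat -c %U "$dir")
        group=$(stat -c %G "$dir")
        mode=$(stat -c %a "$dir")       # octal, e.g. 750 or 2750
        # Keep the last three digits (drops a setuid/setgid/sticky digit).
        perms=$(printf '%03d' "$mode" | tail -c 3)
        if [ "$group" != "$web_group" ]; then
            why="group is $group, expected $web_group"
        else
            case $perms in
                ?50)     why= ;;
                ??[1-7]) why="mode $mode gives other local users access" ;;
                *)       why="mode $mode: group bits are not r-x" ;;
            esac
        fi
        if [ -n "$why" ]; then
            echo "FAIL $dir ($owner:$group): $why"
            bad=1
        else
            echo "OK   $dir ($owner:$group, mode $mode)"
        fi
    done
    return "$bad"
}

# Usage: sh audit.sh /www apache   (exit status 1 if any directory fails)
if [ $# -gt 0 ]; then audit_docroot "$@"; fi
```

The script checks only the site directories. In the listing above /www itself is owned by apache with write permission, so the server account can rename or replace entries there; a root-owned parent avoids that.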