Lars Hansson wrote:
Toni Mueller wrote:
To me, this currently comes down to using unique user and group ids for
individual web site instances, and then chroot each server into their
respective tree where the requirement for reading other people's data
is to break out of the chroot first.

This can be done with the default chroot as long as you don't allow your users to run any CGIs. Just make each vhost's docroot be owned by the user and readable by the www group and you're set. If you're hosting PHP sites you also need to remember to set (and enforce) open_basedir for the vhosts.

---
Lars Hansson
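
An added example, not part of the thread or written by its participants: one way to audit that open_basedir is both set and enforced per vhost, as the message above advises. It assumes mod_php, where `php_admin_value` cannot be overridden from .htaccess or `ini_set()` while `php_value` can; the hostnames, paths and sample config are constructed placeholders.

```python
import re
from pathlib import PurePosixPath
# Constructed sample config; hostnames and paths are placeholders.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName alice.example
    DocumentRoot /var/www/vhosts/alice/htdocs
    php_admin_value open_basedir /var/www/vhosts/alice/
</VirtualHost>
<VirtualHost *:80>
    ServerName bob.example
    DocumentRoot /var/www/vhosts/bob/htdocs
    php_value open_basedir /var/www/vhosts/bob/
</VirtualHost>
<VirtualHost *:80>
    ServerName carol.example
    DocumentRoot /var/www/vhosts/carol/htdocs
    php_admin_value open_basedir /var/www/vhosts/
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
FIELDS = {"name": "ServerName", "docroot": "DocumentRoot",
          "admin": r"php_admin_value\s+open_basedir",  # enforced: not overridable
          "soft": r"php_value\s+open_basedir"}         # .htaccess/ini_set can change it

def directive(block, pattern):  # argument of the first matching line, or None
    m = re.search(rf"^[ \t]*{pattern}[ \t]+(\S.*?)[ \t]*$", block, re.M | re.I)
    return m.group(1).strip('"') if m else None

def inside(path, base):  # True if path is base or lies below it
    return PurePosixPath(base) in (PurePosixPath(path), *PurePosixPath(path).parents)

def audit(conf):  # ServerName -> ok | missing | overridable | exposes <other vhosts>
    vhosts = [{k: directive(b, p) for k, p in FIELDS.items()}
              for b in VHOST_RE.findall(conf)]
    findings = {}
    for v in vhosts:
        if v["admin"] is None:
            findings[v["name"]] = "overridable" if v["soft"] else "missing"
            continue
        bases = v["admin"].split(":")  # open_basedir entries are colon-separated on Unix
        exposed = [o["name"] for o in vhosts if o is not v and o["docroot"]
                   and any(inside(o["docroot"], b) for b in bases)]
        findings[v["name"]] = "exposes " + ",".join(exposed) if exposed else "ok"
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```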




We dealt with this another way. We create a separate instance of httpd for every user, and let httpd run under that user. Each instance is on a different port number bound to 127.0.0.1. To tie it all together we use a reverse proxy (pound) and enable virtual hosting in the proxy to redirect vhosts to the right Apache instance.
