On March 6, 2011 17:43, aaron...@comcast.net wrote:
> I have apache2 running virtual hosts. I've fingered out how to jail a
> user that uploads files to the document root using jailkit and only
> allow SFTP access. What I have not fingered out is how to keep a user
> from reading other files on the system such as other virtual host
> document roots by uploading a phpshell which runs under the www-data
> user which is not jailed.

Other people will hopefully have more and/or better suggestions, but
here are mine:

- Use FastCGI to run code for each virtual host as a user specific to
that virtual host. For example, if you have several virtual hosts
running PHP code, you could set up a separate instance of php-fpm for
each one. See http://us3.php.net/manual/en/install.fpm.php If you go
this route, try it with mod_fastcgi on the httpd end of things first --
you'd need to use set-uid wrapper scripts if you used mod_fcgid, and
php-fpm currently lacks support for mod_proxy_fcgi.

Alternatively:

- If you are running on a system that has SELinux, haven't disabled it,
and are running Apache HTTP Server under it, then Apache/SELinux plus
will hopefully give you what you want. See
http://code.google.com/p/sepgsql/wiki/Apache_SELinux_plus

If nothing else works:

- Run a separate instance of httpd for each virtual host, each with its
own httpd.conf and each running as a separate user on a unique port (not
port 80). Configure these instances to only talk to a reverse proxy
that sits in front of them and listens on port 80.

I hope this helps.

--
Mark Montague
m...@catseye.org
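
The first suggestion above, written out as php-fpm pool definitions. This is an added example, not part of the original message; the pool names, user accounts, socket paths and /srv/www layout are all assumptions.

```ini
; One php-fpm pool per virtual host, each running PHP as its own user.
; Assumed filesystem layout, set up outside this file:
;   /srv/www/site1  owner site1, group www-data, mode 0750
;   /srv/www/site2  owner site2, group www-data, mode 0750
; httpd (www-data) can still serve static files through the group bit,
; while PHP started by one pool is "other" on every other site's tree
; and gets no access. An uploaded script inherits the pool's uid, so it
; is confined the same way.

[site1]
user = site1
group = site1
; Socket the web server connects to; only www-data may open it.
listen = /var/run/php-fpm/site1.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; Defence in depth only: the uid separation above is the real boundary.
; php_admin_value cannot be overridden by ini_set() or per-directory ini files.
php_admin_value[open_basedir] = /srv/www/site1
php_admin_value[upload_tmp_dir] = /srv/www/site1/tmp
php_admin_value[session.save_path] = /srv/www/site1/sessions

[site2]
user = site2
group = site2
listen = /var/run/php-fpm/site2.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
php_admin_value[open_basedir] = /srv/www/site2
php_admin_value[upload_tmp_dir] = /srv/www/site2/tmp
php_admin_value[session.save_path] = /srv/www/site2/sessions
```

The php-fpm master process has to start as root for the per-pool `user` and `group` settings to take effect, and each site user must stay out of the www-data group or the group bit on the other document roots would let it back in.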