1

I'm going to install apache+php on a server where two users, A and B, will deploy their websites. I'm trying to achieve isolation of the users' space for security reasons: that is, no script from site A should be able to read files in site B.

To achieve this I installed suphp. Website files of user A are owned by A:A with perm=700 and those of user B are owned by B:B with perm=700. Suphp works great, but apache complains about permissions to read .htaccess.

How can I let apache read .htaccess in every dir of A and B while keeping isolation between site A and site B? I played with ownership (group = www-data) and permissions (750) but I found no way to keep isolation granted. Any ideas?

Maybe by running apache as root, but in this case are there any drawbacks?

Jack
  • 1
    While I can't answer your main question, running Apache as root will lead to complete compromise of your machine if Apache gets compromised. You might as well stamp the root password and IP of your machine on every domain's index page. – gparent Oct 28 '12 at 19:59

2 Answers

0

As a side note, to restrict it even more you can put this:

disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"

in: /etc/php5/apache2/conf.d/disable_functions.ini

http://forums.eukhost.com/f42/disabling-dangerous-php-functions-6020/

I hope this is not too off-topic.

0

Well, I think I resolved it.

Home directories are perm=750, owner=A:www-data (or B:www-data). Inside the homes, all directories and files are owned by A:A (or B:B) with perm=644, or 755 for directories. Doing this, apache running as www-data is always able to read .htaccess in all directories, while the user A cannot read any content of the user B, since its home directory is 750, that is 0 for A.

Thank you for the suggestions given; those are useful to improve security.

Jack
  • But user A (or B) can write a PHP script to read any file in the other user's directory. As the script will be run as www-data and www-data has read access to both users' content, they still can access any file. There are options like suphp, php-fcgi, mpm-itk, mod_ruid2 and other solutions to handle this, running each user's scripts as that user only (some of those solutions will only handle PHP scripts, other files will need to be readable by the Apache). – MV. Mar 22 '13 at 20:07
  • I already was talking about suphp – Jack Mar 26 '13 at 16:56
  • Ah, got it. Sorry, I missed it just reading your answer (you mentioned it in your question). – MV. Mar 26 '13 at 19:12
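The layout from the answer above and the caveat raised in its comments, modelled as an added example (not code from the original posts): a small POSIX owner/group/other permission check that shows which identity can read which file. The paths and file names are constructed, and the model ignores root and ACLs.

```python
from collections import namedtuple

Node = namedtuple("Node", "owner group mode")   # mode is octal, e.g. 0o750
Proc = namedtuple("Proc", "user groups")
R, X = 4, 1                                     # read and search (execute) bits

def allowed(proc, node, want):
    """POSIX DAC: exactly one class (owner, group or other) is consulted."""
    if proc.user == node.owner:
        bits = node.mode >> 6
    elif node.group in proc.groups:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return (bits & 7) & want == want

def can_read(proc, path, tree):
    """A read needs x on every ancestor directory and r on the file itself."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        if not allowed(proc, tree["/" + "/".join(parts[:i])], X):
            return False
    return allowed(proc, tree[path], R)

# Constructed tree: homes 750 owner:www-data, contents 644 owner:owner.
TREE = {
    "/home": Node("root", "root", 0o755),
    "/home/A": Node("A", "www-data", 0o750),
    "/home/A/.htaccess": Node("A", "A", 0o644),
    "/home/B": Node("B", "www-data", 0o750),
    "/home/B/config.php": Node("B", "B", 0o644),
}

USER_A = Proc("A", {"A"})                # A's shell, or A's PHP script under suPHP
APACHE = Proc("www-data", {"www-data"})  # httpd, or any script executed as www-data

def report():
    target = "/home/B/config.php"
    return {
        "www-data reads /home/A/.htaccess": can_read(APACHE, "/home/A/.htaccess", TREE),
        "A reads B's file": can_read(USER_A, target, TREE),
        "www-data reads B's file": can_read(APACHE, target, TREE),
    }

if __name__ == "__main__":
    for check, result in report().items():
        print(f"{check}: {result}")
```

The third result is the point of the comment: the layout isolates the sites only while every script runs as its owning user, because the www-data identity can read both trees.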