
Ok so I looked at a number of resources, per Google, and questions on here and none seem to be what I require.

I come from a Windows IIS background so maybe my thought process is flawed and that Apache does things differently.

Basically on IIS it is recommended to set up a dedicated application pool per web user, or website even, and have their files/folders stored under their own path and work with that dedicated application pool.

I am setting up Apache for testing, and learning purposes, and came across the situation of segregating users. Does Apache need to be forked per user or is the 'www-data' sufficient?

Seeing as the 'separate' webdirs are in separate 'home' directories I assume this is safe? My understanding is that if you can't access a directory somewhere in the path, anything behind that can't be accessed - is this correct?

Lastly, I noticed, and is the reason why I am asking this, that WordPress when making files, or cache files, is creating them as user 'www-data' and group 'www-data'. This is what prompted me to ask as I am assuming now that the 'user' doesn't have access to those files now?

Anthony

2 Answers


My advice is to use the apache-itk patch. You can use a user home dir per site and execute apache with different user permissions - that is very safe for multiple site hosting.

Dmytro
  • I was reading up about it here: http://devzone.zend.com/1495/using-apache2-itk-multi-processing-module-on-linux/. It certainly seems like a similar approach to how IIS uses Dedicated App pools. To me it seems more secure but I'm only starting to figure out Apache. Still I have to wonder if this is what current companies, like GoDaddy, use for their Shared Servers or do they use the base install. Learn by example I suppose, and I have one. Yet so far I've been told that forking Apache per user is a bad idea, which is contrary to what you say. So is there a correct answer or preferred way? – Anthony Feb 14 '13 at 19:34
  • Adding to the above I just found this, http://serverfault.com/questions/278596/running-apache-as-different-users-for-separate-vhosts?rq=1, which is the same question I guess. I just didn't find it before. The answer seems to suggest what you mentioned. So it is looking more likely but I need to make sure this aspect is secure and understandably, when using additional components, they have to be vetted. I can't tell if this is created by the Apache project, though this page http://httpd.apache.org/docs/2.0/mpm.html mentions that MPM has to be compiled into the server? – Anthony Feb 14 '13 at 19:39
  • I don't know about GoDaddy, but I am sure this patch is great - it helps me to serve many users securely :) And yes, apache should be compiled/installed with the mpm module. – Dmytro Feb 15 '13 at 14:12
  • I think GoDaddy uses something like http://www.cloudlinux.com/; this is a more serious, but more complicated, architecture. – Dmytro Feb 15 '13 at 14:24

Firstly, the user running apache needs to be able to read the files in order to show them to a client. When you're using user directories, this usually means giving write access to the user themselves, and read access either specifically to the group "www-data" (or whatever group the user running apache belongs to), or to all users on the server. In order to not show any files outside of the user's public_html directory hierarchy, you would use the apache config file to only allow the public_html and its subdirectories to be used for user web sites.

Secondly, since you want to be sure that the apache user is not able to edit anything (in case the server gets cracked, or someone writes a faulty script and runs it as a CGI, or something), you want to run it as a user who has no write access to user directories. That user will still need to be able to write logs and temporary data, and it should have its own directories where it does that.

If you were to run one apache instance for each user, and have that apache owned by the user, you'd thereby grant apache permissions to write to all of the user's directories. That's generally not considered a good idea at all.

Jenny D
  • So would it be best I don't use 'Home' directories and instead set up separate dirs under 'public_html' for each user? I'm a little confused. Then set 'www-data' as the group on those directories for read/write? What about creating files within PHP, will they be created as the 'www-data' user/group in a user directory? Is there some 'step by step' resource you could recommend to explain how best to set them up? I know it is never as straightforward as that and many criteria apply but it would be handy for me to look at. – Anthony Feb 13 '13 at 11:56
  • It seems inconsistent to me to argue once with Apache's protection configuration and once with the possibility that Apache gets cracked. If the webserver is cracked then obviously its configuration on this level doesn't prevent anything any more. So either everything else in the home directories has to be protected against access by Apache (e.g. by default ACLs for the homedir g:www-data:-) or the directories have to be taken out of there. The users can get a symlink pointing there so that they still find the web data where expected. – Hauke Laging Feb 13 '13 at 13:09
  • Anthony: it's common to have the user's web pages under /home/username/public_html, and owned by the user, and readable by apache. Never writable by the apache user. A good place to start is at http://httpd.apache.org/docs/2.2/misc/security_tips.html – Jenny D Feb 14 '13 at 10:48
  • Hauke: The configuration protects against any random web client being able to browse to parts of the file system you don't want them to access. (We still see almost daily attempts to access `../../etc/passwd`, for instance.) Once the web service is actually cracked and the cracker has shell access, of course the apache config won't stop them seeing those directories needed by all programs in order to work. If you want that kind of protection you need to look at e.g. chroot, jails, compartments, or SELinux. But cracking is far less common and easy than just attempting to browse the wrong dir. – Jenny D Feb 14 '13 at 10:50
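
The permission model discussed in this thread (files owned by the site user, readable but never writable by the Apache account, every directory on the path searchable) can be checked mechanically. The following is an added example, not code from any of the posters; the function names are hypothetical, and it assumes plain Unix mode bits only (no ACLs, no supplementary groups).

```python
import os
import stat

def _allowed(st, uid, gid, u_bit, g_bit, o_bit):
    # Classic Unix order: owner bits, else group bits, else "other" bits.
    if st.st_uid == uid:
        return bool(st.st_mode & u_bit)
    if st.st_gid == gid:
        return bool(st.st_mode & g_bit)
    return bool(st.st_mode & o_bit)

def first_blocked_dir(base, target, web_uid, web_gid):
    """First directory from base down to target that the web user cannot search."""
    current = base
    for part in os.path.relpath(target, base).split(os.sep):
        if not _allowed(os.stat(current), web_uid, web_gid,
                        stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return current  # everything below this point is unreachable by path
        current = os.path.join(current, part)
    return None

def audit_webroot(root, web_uid, web_gid):
    """List entries under root that the web server account owns or could modify."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are meaningless; skip them
            rel = os.path.relpath(path, root)
            if st.st_uid == web_uid:
                # e.g. cache files created by PHP running as the web user
                findings.append((rel, "owned by web user"))
            elif _allowed(st, web_uid, web_gid,
                          stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
                findings.append((rel, "writable by web user"))
    return sorted(findings)

if __name__ == "__main__":
    import pwd
    import sys
    web = pwd.getpwnam("www-data")  # account name taken from the question
    for rel, problem in audit_webroot(sys.argv[1], web.pw_uid, web.pw_gid):
        print(f"{problem}: {rel}")
```

Run it with a site directory as the only argument; an empty result means the web account can read at most, which is the state the second answer recommends.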