I have read "What permissions should my website files/folders have on a Linux webserver?" and here is a linked question. Let's say:

  • /var/www/bobweb/ is owned by bob:bob

  • /var/www/eveweb/ is owned by eve:eve

and that each site has an Apache VirtualHost, linking to bobweb.com and eveweb.com.

Each website needs to be writable by Apache (there is an image uploader on both websites), so I often read:

"Just do chgrp -R www-data /var/www/bobweb/, idem for Eve, and that's all!"

This gives:

drwxrwx---  3 bob    www-data 4096 Jan  9 17:45 bobweb
drwxrwx---  5 eve    www-data 4096 Feb 26  2019 eveweb

This indeed prevents Bob from visiting Eve's files from shell/SSH and vice versa.

But it seems that Eve could write a PHP script (run by www-data) to read (or even modify) /var/www/bobweb/wp-config.php (thus stealing Bob's DB password!).

Question: how to modify user+group ownerships and permissions to prevent Bob from reading Eve's files and vice versa, but still allow Apache+PHP to write data on these websites?

(typical shared hosting situation)

Basj
  • Have you considered using a module like mod_suphp (not the old non-supported one but the one by lightsey on GitHub) which picks the uid from vhost settings and launches PHP scripts under a defined user rather than a global one? Another option would be to use php-fpm and launch multiple pools, then pass scripts from one vhost to that sock/port (and effectively again use uid rather than global account for executing PHP scripts) – Miuku Jan 12 '20 at 15:23
  • @Miuku I was thinking there is a simple solution for this (the requirements here are very classic: typical for a shared hosting server) without installing new Apache modules, do you think it's possible? – Basj Jan 12 '20 at 16:25

1 Answer

This can't fully be done with file permissions alone - you should look to the applications you are running to create jails. For PHP you can use "open_basedir" on a per virtualhost basis.

You will also want something similar in your FTP server (you have not advised which server you are using but many/most have an appropriate directive).

Of course, if you are allowing CGIs, the entire problem space changes.

davidgo
  • Thank you for your answer. For future reference, can you add a link to the solutions you recommend? PS: I don't use CGIs, only Apache 2.4+PHP+OpenSSH's SFTP (on a Debian). – Basj Jan 12 '20 at 20:55
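
A per-VirtualHost open_basedir setup for the two sites in the question, as an added example that is not part of the original answer. It assumes PHP runs as the Apache module (mod_php), where php_admin_value is available; the port and the minimal vhost layout are illustrative.

```apache
# Added example, assuming mod_php. Paths and hostnames are the question's;
# the listening port and everything else are illustrative.

# Before: no per-site restriction. PHP runs as www-data in both vhosts and
# www-data has group rwx on both docroots, so a script served from
# eveweb.com can open /var/www/bobweb/wp-config.php.
#
# <VirtualHost *:80>
#     ServerName bobweb.com
#     DocumentRoot /var/www/bobweb
# </VirtualHost>

# After: each vhost confines PHP's file functions to its own tree.
<VirtualHost *:80>
    ServerName bobweb.com
    DocumentRoot /var/www/bobweb
    # php_admin_value cannot be overridden from .htaccess or ini_set().
    # The trailing slash restricts access to this directory only.
    php_admin_value open_basedir "/var/www/bobweb/"
</VirtualHost>

<VirtualHost *:80>
    ServerName eveweb.com
    DocumentRoot /var/www/eveweb
    php_admin_value open_basedir "/var/www/eveweb/"
</VirtualHost>

# File ownership stays as in the question (bob:www-data and eve:www-data,
# mode 770), so the image uploaders can still write inside their own site.
# open_basedir only constrains PHP's own file functions; it does not change
# what the www-data account itself is allowed to read on disk.
```

After `apachectl configtest` and a reload, an `fopen()` or `include` from one site that targets the other site's tree fails with an open_basedir restriction warning in that vhost's error log, which is also a useful signal to alert on.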