CentOS - May 2007 - Apache User Isolation/Perchild, or PHP "chroot"?

Has anyone set up any form of apache user isolation on CentOS? I have
multiple virtual hosts on my machine, run by users who do not trust
eachother. The problem is that any php script run by apache is able to do
things like raw file io on other users' .htpasswds, php scripts, hidden
directory listings, and so on. Database passwords can even be divulged in
this way, since they are often stored in .php scripts, which can be read
"in the raw" as files by other php scripts.

What is the easiest method for dealing with this? I found
http://webauth.stanford.edu/manual/mod/perchild.html but it does not seem
to be compiled with the CentOS 5 apache, and I've read elsewhere that php
has issues with mutlithreaded apache. Is there any easy way to isolate
individual users, by either having apache setuid, or chrooting php
scripts, or (ugh) a clean way to run a new apache copy for each vhost?

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

> Has anyone set up any form of apache user isolation on CentOS? I have
> multiple virtual hosts on my machine, run by users who do not trust
> eachother. The problem is that any php script run by apache is able to do
> things like raw file io on other users' .htpasswds, php scripts, hidden
> directory listings, and so on. Database passwords can even be divulged in
> this way, since they are often stored in .php scripts, which can be read
> "in the raw" as files by other php scripts.
>
> What is the easiest method for dealing with this? I found
> http://webauth.stanford.edu/manual/mod/perchild.html but it does not seem
> to be compiled with the CentOS 5 apache, and I've read elsewhere that
php
> has issues with mutlithreaded apache. Is there any easy way to isolate
> individual users, by either having apache setuid, or chrooting php
> scripts, or (ugh) a clean way to run a new apache copy for each vhost?
There are a few links here discussing these issues.  I have read them, but 
not implemented them.

<http://www.linode.com/forums/viewtopic.php?t=2723>

Barry

On 5/2/07, Dan Mensom <mensomman at yahoo.com>
wrote:
> Has anyone set up any form of apache user isolation on CentOS? I have
> multiple virtual hosts on my machine, run by users who do not trust
> eachother. The problem is that any php script run by apache is able to do
> things like raw file io on other users' .htpasswds, php scripts, hidden
> directory listings, and so on. Database passwords can even be divulged in
> this way, since they are often stored in .php scripts, which can be read
> "in the raw" as files by other php scripts.
>
> What is the easiest method for dealing with this? I found
> http://webauth.stanford.edu/manual/mod/perchild.html but it does not seem
> to be compiled with the CentOS 5 apache, and I've read elsewhere that
php
> has issues with mutlithreaded apache. Is there any easy way to isolate
> individual users, by either having apache setuid, or chrooting php
> scripts, or (ugh) a clean way to run a new apache copy for each vhost?
Apache gets interesting for things like this. Mostly you can use
selinux and the suexec function for apache to run processes as users.
This will get you the separation your users want, however it will only
apply to php if you run php as a cgi, and not as a module. You'll take
a performance hit doing it this way, but it should do everything you
want.


-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell

On Wed, 2 May 2007, Dan Mensom wrote:
> Has anyone set up any form of apache user isolation on CentOS? I 
> have multiple virtual hosts on my machine, run by users who do not 
> trust eachother. The problem is that any php script run by apache is 
> able to do things like raw file io on other users' .htpasswds, php 
> scripts, hidden directory listings, and so on. Database passwords 
> can even be divulged in this way, since they are often stored in 
> .php scripts, which can be read "in the raw" as files by other
php
> scripts.
>
> What is the easiest method for dealing with this? I found 
> http://webauth.stanford.edu/manual/mod/perchild.html but it does not 
> seem to be compiled with the CentOS 5 apache, and I've read 
> elsewhere that php has issues with mutlithreaded apache. Is there 
> any easy way to isolate individual users, by either having apache 
> setuid, or chrooting php scripts, or (ugh) a clean way to run a new 
> apache copy for each vhost?
One "using a canon to kill a fly" approach would be

  * each vhost runs Apache under a vhost-specific uid/gid and
    bound only to the loopback interface on a port you
    assign, e.g.,

    vhost01 -- User vhost01, Group vhost01, Listen 127:0.0.1:6001
    vhost01 -- User vhost02, Group vhost02, Listen 127:0.0.1:6002

  * the main apache does little but reverse proxy all the
    vhosts out to the Internet.

    <VirtualHost *:80>
      ServerName vhost01.domain
      ProxyRequests Off
      ProxyPass / http://localhost:6001/
      ProxyPassReverse / http://localhost:6001/
      <Proxy *>
        Order deny,allow
        Allow from all
      </Proxy>
    </VirtualHost>

Given the right file permissions, no vhost would have access to 
another except via HTTP.

Downside: You're essentially doubling the number of Apache processes 
on your system. Another Upside: Configuration blunders in the vhosts 
won't throw errors in your main server process.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/