Trey Dockendorf
2011-Sep-30 02:57 UTC
[CentOS] Apache security , Was: Running Apache sites as separate users
On Thu, Sep 29, 2011 at 9:35 PM, Lucian <lucian at lastdot.org> wrote:

> On Fri, Sep 30, 2011 at 2:22 AM, Trey Dockendorf <treydock at gmail.com> wrote:
> > I had a recent request to improve security on my web servers by having each
> > website use a different user to run the hosting service. So example1.com has
> > its own Apache instance running as apache1 and then example2.com has its own
> > instance of Apache as apache2. Is this even possible or realistic? I
> > understand the idea of how that would be secure, much like creating a virtual
> > machine to segregate services. The only way I can think how this is done is to
> > chroot each website. What makes this request even stranger is that each
> > website will be managed by the same CMS and code base. So with that being the
> > case, I don't see how this is possible. Any ideas or insight are very welcome.
>
> Is there a specific requirement to run different http servers? Because
> if there is not then you can just use Suexec+fastcgi.
> Otherwise, just use Apache to proxy stuff to backend servers (can be
> anything from apache to nginx).
>
> HTH

I do not know the exact reasoning for wanting each website to be run by a separate Apache process that has its own user. Likely it's a misunderstanding of actual threats to websites, or using an IIS mindset to set requirements for Apache. I'll give Suexec+fastcgi a look and mod_ruid. Thanks for those suggestions.

While on the subject of Apache security... Another request / idea was to have this CMS under development write user controls to .htaccess files to restrict download access to directories. Typically if I even allow any overrides, I set it so apache can only read .htaccess. My understanding of the more obvious implications is that if the web server can write to .htaccess so can any attacker, and then can easily inject malware or redirect the site to malicious content. Is there ever a case where it's safe to allow write access by apache to .htaccess? Does the below config for .htaccess in httpd.conf protect from this at all if write permissions were given on the file system?

    <Files ~ "^\.htaccess">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>

Personally I think that the CMS should handle authorization, and then possibly rely on Apache for authentication. In the case of this CMS it will be authenticating against a campus SSO through CAS, but access has to be restricted based on user lists.

- Trey
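Added example, not part of the thread: the <Files> block in the message above controls whether httpd serves .htaccess to HTTP clients, while whether the server process can write the file is decided by filesystem ownership and mode bits. This Python audit walks a document root and reports each .htaccess that a given server account could modify or replace; the function name, the numeric uid/gid inputs and the choice to ignore ACLs, SELinux and root are assumptions of the example.

```python
import os
import stat
import sys

def htaccess_write_risks(docroot, uid, gids=()):
    """Return sorted (path, reason) pairs for .htaccess files that the
    account with numeric uid/gids (assumed: the httpd user) could change.
    Mode bits only: ACLs, SELinux and uid 0 are not modelled."""
    gids = set(gids)

    def writable(st):
        # Unix picks exactly one class: owner, else group, else other.
        if st.st_uid == uid:
            return bool(st.st_mode & stat.S_IWUSR)
        if st.st_gid in gids:
            return bool(st.st_mode & stat.S_IWGRP)
        return bool(st.st_mode & stat.S_IWOTH)

    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        try:
            st, d = os.stat(path), os.stat(dirpath)
        except OSError:
            continue  # dangling symlink or entry removed during the walk
        if st.st_uid == uid:
            # An owner can always chmod the file back to writable.
            findings.append((path, "owned by server account"))
        elif writable(st):
            findings.append((path, "file writable"))
        # Write access to the directory allows replacing a read-only file,
        # unless the sticky bit is set and the account owns neither entry.
        sticky = (d.st_mode & stat.S_ISVTX) and uid not in (st.st_uid, d.st_uid)
        if writable(d) and not sticky:
            findings.append((path, "directory writable"))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: script.py DOCROOT UID [GID ...]  (numeric ids, e.g. from `id apache`)
    root, uid, gids = sys.argv[1], int(sys.argv[2]), [int(g) for g in sys.argv[3:]]
    for path, reason in htaccess_write_risks(root, uid, gids):
        print(f"{path}: {reason}")
```

An empty result means no .htaccess under the tree is changeable through mode bits alone by that account; the directory check matters because a read-only file in a writable directory can still be swapped out.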
Jure Pečar
2011-Oct-02 22:04 UTC
[CentOS] Apache security , Was: Running Apache sites as separate users
On Thu, 29 Sep 2011 21:57:52 -0500 Trey Dockendorf <treydock at gmail.com> wrote:

> On Thu, Sep 29, 2011 at 9:35 PM, Lucian <lucian at lastdot.org> wrote:
>
> > On Fri, Sep 30, 2011 at 2:22 AM, Trey Dockendorf <treydock at gmail.com> wrote:
> > > I had a recent request to improve security on my web servers by having each
> > > website use a different user to run the hosting service.
> ....
>
> I'll give Suexec+fastcgi a look and mod_ruid. Thanks for those
> suggestions

Also check http://mpm-itk.sesse.net/ . It's neat in the sense that users don't have to fiddle with file permissions, but it has the danger that badly written PHP code gives an attacker access to all files that $USER owns.

--
Jure Pečar
http://jure.pecar.org
http://f5j.eu