OK, time for a break from the normal routine. :-)
This concerns "name based" virtual hosting. I.e., with just one IP
address.
The problem is how do you give your users access to PHP, servlets,
CGI, etc. and still keep them somewhat secure from each other's
potential mischief. Suexec is not enough, and multiple httpd
instances are not really an answer because then only one user gets
port 80.
I did come up with a possible solution. However I'm not sure if it's
complete garbage, mildly useful, or really interesting. That's why
I'm posting here.
My "virtual hosts" section of httpd.conf looks something like this:
NameVirtualHost *
<VirtualHost *>
ServerName www.somename.com
DocumentRoot /opt/www/users/somename_ThisIsASecret
...
</VirtualHost>
<VirtualHost *>
ServerName www.anothername.com
DocumentRoot /opt/www/users/anothername_ThisIsAnotherSecret
...
</VirtualHost>
...
Then, /opt/www/users looks like this:
drwx--x--x root root .
drwxrwx--- some apache somename_ThisIsASecret
drwxrwx--- another apache anothername_ThisIsAnotherSecret
You get the idea. Nobody can list the contents of /opt/www/users,
but users can get into their own directory if they know its name.
Also httpd.conf is set to be readable only by root. It turns out
this works because apache starts up with root permissions.
I think the main problem here is the potential for people poking
around inside apache to get documentroot names... but I don't know
much about that.
Comments? TIA for your wisdom....
-- Rod
