I'm setting up a shared web hosting service running on Linux for untrusted user content. The standard and supported way of doing this in Apache is to use mod_userdir and suexec, which causes dynamic content to be executed using the uid of the mapped user.
However, I don't want to use mod_userdir; I want to use per-user subdomains. All http://serverdomain/~username URLs live in the same browser security context, leading to all sorts of browser-based attacks from one user's content onto another's. By confining user content to http://username.serverdomain/ URLs, these attacks mostly disappear. mod_vhost_alias lets me map per-user subdomains onto the correct directories (as long as the user homedirs are all in the same place, at least) but does not let me assign execution uids based on the username.

I believe the immediate path of least resistance for me is to make a copy of the mod_userdir code and adapt it to do translation by subdomain instead of path prefix. But I'm also interested in doing something which can be adopted upstream, so that I can eventually get out of the business of maintaining a module.

Has there been any previous design in this direction, or do people have thoughts about how it should work? (I browsed back a year or so in the mailing list archives and didn't find any.) Perhaps mod_userdir could be extended with directives to do subdomain translation instead of or in addition to path prefix translation; that way the enable/disable configuration logic wouldn't need to be duplicated.

Thanks.
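An added illustration (not part of the original post) of the gap the message describes: mod_vhost_alias can map the subdomain to a directory (`VirtualDocumentRoot /home/%1/public_html`) but has no directive for the execution uid, so the stock way to get both origin isolation and per-user suexec is one explicit `<VirtualHost>` per user with `SuexecUserGroup`. The generator below produces those blocks from a constructed passwd-style list; it assumes the hosting domain `serverdomain.example`, that every user has a same-named private group, and a uid floor of 1000, and it refuses accounts whose names are not valid DNS labels or that fall outside /home.

```python
import re

# Constructed sample of passwd-style records (name, uid, gid, home); not a real system.
SAMPLE_USERS = [
    ("alice", 1001, 1001, "/home/alice"),
    ("bob", 1002, 1002, "/home/bob"),
    ("root", 0, 0, "/root"),                      # system account: must never be exposed
    ("bad_name", 1003, 1003, "/home/bad_name"),   # underscore is not a valid DNS label
]

SERVER_DOMAIN = "serverdomain.example"   # assumed placeholder for the hosting domain
MIN_UID = 1000                           # assumed lower bound for regular user accounts

# A subdomain label must be a valid DNS label: lowercase letters, digits,
# internal hyphens, 1-63 characters.
DNS_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def eligible(name, uid, gid, home):
    """True only for regular accounts whose name can safely become a hostname label
    and whose home directory lives under the shared /home tree."""
    return uid >= MIN_UID and DNS_LABEL.match(name) is not None and home.startswith("/home/")


def vhost_block(name, uid, gid, home):
    """One explicit <VirtualHost> per user: the subdomain gives the user's content its
    own browser origin, and SuexecUserGroup pins CGI execution to that user's uid/gid.
    Assumes a user-private group named after the user."""
    return "\n".join([
        "<VirtualHost *:80>",
        f"    ServerName {name}.{SERVER_DOMAIN}",
        f"    DocumentRoot {home}/public_html",
        f"    SuexecUserGroup {name} {name}",
        "</VirtualHost>",
    ])


def generate(users):
    """Return (config_text, skipped_names); ineligible accounts are reported rather than
    silently mapped to a subdomain."""
    blocks, skipped = [], []
    for name, uid, gid, home in users:
        if eligible(name, uid, gid, home):
            blocks.append(vhost_block(name, uid, gid, home))
        else:
            skipped.append(name)
    return "\n\n".join(blocks), skipped


if __name__ == "__main__":
    config, rejected = generate(SAMPLE_USERS)
    print(config)
    print("# skipped:", ", ".join(rejected))
```

The generated file still has to be regenerated and Apache reloaded whenever an account is added, which is exactly the maintenance burden a subdomain-aware mod_userdir would remove.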
