On Sun, Oct 29, 2006 at 03:20:25PM +0100, Aiko Barz wrote:
> Hello,
> 
> I already discussed this subject on the list. There were several
> possible solutions for this subject and I have chosen one that I would
> like to present now.
> 
> The problem: I have several vhosts, which are used by several people.
> The Apache is running with $UID 67. Users can access the system by using
> scponly, which is jailed into /var/www. No problem here so far.
> The issue was that all scripts must be readable or even writeable for
> the Apache Webserver. So one hacked page could damage other vhosts by
> writing some PHP code to access the other vhosts within /var/www.
> 
> My solution:
> 1. I got SuExec working within the chroot environment.
>    (http://www.openbsdsupport.org/ApacheSuexecChroot.html)
> 2. I wrote a patch for suexec.c to handle *.php correctly.
>    (http://files.haeckser.net/haeckser.net/suexec.patch)
> 3. I compiled PHP on my own with CGI support and moved the binary into
>    the chroot.
> 4. I removed mod_php and mod_perl and set the Apache directives "User",
>    "Group", "AddHandler cgi-script" and "Options +ExecCGI".
> 
> Now, every PHP-script has the permissions 700 and gets executed with its
> own $UID. I feel much better now. :)

I believe it is possible to set this up using FastCGI, which will
actually be (reasonably?) fast too.

Yes, I am a FastCGI fanboy.

                Joachim
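
The permission scheme from the quoted post (every PHP script mode 700 and run under its vhost's own UID) can be checked with a small audit script. This is an added example, not part of the original thread; the one-directory-per-vhost layout under the web root and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root for PHP scripts
# that break the "mode 700, owned by the vhost's UID" scheme.
# Assumption: each vhost is one directory directly under the web root
# and that directory is owned by the vhost's user.

# Print the numeric owner UID of a path.
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# audit_vhost DIR: print one line per finding, prefixed with the reason.
audit_vhost() {
    dir=$1
    uid=$(owner_uid "$dir")
    # Scripts whose mode is not exactly 700 (readable or writable by others).
    find "$dir" -type f -name '*.php' ! -perm 700 | sed 's/^/mode: /'
    # Scripts owned by a different UID than the vhost directory.
    find "$dir" -type f -name '*.php' ! -user "$uid" | sed 's/^/owner: /'
    # World-writable directories let another UID replace a script;
    # stock suexec also refuses directories writable by others.
    find "$dir" -type d -perm -002 | sed 's/^/wdir: /'
}

# audit_webroot ROOT: audit every vhost directory under ROOT.
# Returns 0 when nothing is reported, 1 otherwise.
audit_webroot() {
    root=$1
    report=$(
        for v in "$root"/*/; do
            if [ -d "$v" ]; then
                audit_vhost "${v%/}"
            fi
        done
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Stand-alone use: sh audit.sh /var/www/vhosts   (path is an assumption)
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```
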
