Almir Karic wrote:
> what i would like to achieve is that on a shared host if bad guys (tm)
> break into one site they can't get to other sites.

if "get to"=look at, this is probably pointless. Unless it is an authentication-protected site, the information is usually spread around by various browser "tool bars" and spyware and is probably more public than the "secretive" site owner thinks.

> is this possible? i've been looking at su-exec but it is for cgi
> scripts only :/, what other options there are?
>
> AFAIK chroot is not the correct answer to my question as it protects
> the rest of the system from being exploited if one of the sites gets
> cracked but it can't protect one site from another...

BY DEFAULT... chroot not only protects the rest of the system, but also protects the website(s) itself.

http://www.openbsd.org/faq/faq10.html#httpdchroot
". . . the starting configuration of the OpenBSD chroot(2)ed Apache is where the user the httpd(8) program is running as can not run any programs, can not alter any files, and can not assume another user's identity."

IF you maintain that rule, your system is pretty darned secure, as even if someone knocks over httpd, all they can do is LOOK at other sites, they can't deface them.

Nick.
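One way to check that the "can not alter any files" rule quoted above still holds on a shared host, as an added example that is not part of the original message or of OpenBSD: it walks a web root and reports every entry the httpd account could modify. The function name `audit_writable` and the uid/gid values passed in are assumptions chosen for illustration.

```python
import os
import stat
import sys
import tempfile

def audit_writable(root, uid, gids=()):
    """Return sorted (path, reason) pairs for entries under root that the
    account `uid` (member of `gids`) could alter. Symlinks are skipped."""
    gids = set(gids)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_uid == uid:
                # An owner can chmod the file back to writable at any time.
                reason = "owned by httpd user"
            elif st.st_gid in gids:
                # Group class applies; the "other" bits are not consulted.
                reason = "group-writable by httpd group" if st.st_mode & stat.S_IWGRP else None
            else:
                reason = "world-writable" if st.st_mode & stat.S_IWOTH else None
            if reason:
                findings.append((path, reason))
    return sorted(findings)

if __name__ == "__main__":
    if len(sys.argv) > 2:  # usage: audit.py ROOT UID [GID ...]
        root, uid, gids = sys.argv[1], int(sys.argv[2]), [int(g) for g in sys.argv[3:]]
    else:  # constructed demo tree with one world-writable file
        root = tempfile.mkdtemp()
        leak = os.path.join(root, "upload.tmp")
        open(leak, "w").close()
        os.chmod(leak, 0o666)
        uid, gids = os.lstat(root).st_uid + 1, []
    for path, reason in audit_writable(root, uid, gids):
        print(f"{reason}: {path}")
```

An empty result means a compromised httpd process has nothing under that root it can deface; any finding is a place where one site's break-in could alter another site's files.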

