[lug] apache vhost / php perms

George Sexton gsexton at mhsoftware.com
Wed Apr 16 17:49:28 MDT 2008


Make each virtual host directory owned by the user.

Set the group to be apache, and set the permissions on the directory to 
be setgid g+rws

Remove the individual users from the apache directory.

Now, when a user creates a file, the group will be apache, and they will 
be the owner. Apache will be able to read each user's files, but since 
the users are not members of group apache, they won't be able to read 
each other's files.


karl horlen wrote:
> I've got a lamp server that runs multiple php/mysql based vhosts.  Some document roots of these vhosts are owned by different user accounts. 
> 
> In order to allow apache to execute the php in these individually user owned directories, I simply added each user id to the group 'apache'.  It works fine.
> 
> However, it's not very secure.  If user A logs in to his account, he can literally add / change / list / copy anything in user B, C, D... 's server root directory because they all share 'apache' group perms.  Not good!
> 
> Can anyone recommend a bulletproof solution to allow apache the access it needs to exec php from multiple user owned doc roots while preventing different users from tampering with each other's files and dirs?
> 
> I'd prefer something that's fairly easy to administer as multiple accounts / vhosts are likely to be added and removed from the server.
> 
> I do know that there is an ExecCGI option.  But I think this seriously degrades performance?  And as silly as this sounds, for some reason I always associate CGI with perl and not php so I'm not even sure this would work with php?
> 
> Open to any and all solutions.
> 
> Thanks
> 
> 
> 
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> 

-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/


