[lug] apache vhost / php perms
George Sexton
gsexton at mhsoftware.com
Wed Apr 16 17:51:19 MDT 2008
George Sexton wrote:
> Make each virtual host directory owned by the user.
>
> Set the group to be apache, and set the permissions on the directory to
> be setgid g+rws
>
> Remove the individual users from the apache directory.
Remove the individual users from the apache group.
>
> Now, when a user creates a file, the group will be apache, and they will
> be the owner. Apache will be able to read each user's files, but since
> the users are not members of group apache, they won't be able to read
> each other's files.
>
>
> karl horlen wrote:
>> I've got a lamp server that runs multiple php/mysql based vhosts.
>> Some document roots of these vhosts are owned by different user accounts.
>> In order to allow apache to execute the php in these individually user
>> owned directories, I simply added each user id to the group 'apache'.
>> It works fine.
>>
>> However, it's not very secure. If user A logs in to his account, he
>> can literally add / change / list / copy anything in user B, C, D...
>> 's server root directory because they all share 'apache' group perms.
>> Not good!
>>
>> Can anyone recommend a bulletproof solution to allow apache the access
>> it needs to exec php from multiple user owned doc roots while
>> preventing different users from tampering with each other's files and
>> dirs?
>>
>> I'd prefer something that's fairly easy to administer as multiple
>> accounts / vhosts are likely to be added and removed from the server.
>>
>> I do know that there is an ExecCGI option. But i think this seriously
>> degrades performance? And as silly as this sounds, for some reason I
>> always associate CGI with perl and not php so I'm not even sure this
>> would work with php?
>>
>> Open to any and all solutions.
>>
>> Thanks
>>
>> _______________________________________________
>> Web Page: http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>>
>
--
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL: http://www.mhsoftware.com/
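The permission scheme George describes (directory owned by the vhost user, group set to the web server's group, setgid on the directory, users removed from that group) can be scripted and, more usefully, verified. The script below is an added example, not code from the thread or from either poster. It assumes a POSIX shell with `ls`, `awk`, `chown`, `chgrp` and `chmod`; in production it would run as root with a real user and the `apache` group, but the demo at the bottom uses the current user and primary group as stand-ins so it runs unprivileged. The mode `u=rwx,g=rwxs,o=` follows George's `g+rws` and additionally drops all "other" access, which is an assumption needed for the stated goal that users cannot read each other's files.

```shell
#!/bin/sh
# Added example (not from the original thread): create one vhost document root
# with the ownership/setgid layout described above, then check it.
set -eu

# setup_vhost_dir DIR OWNER GROUP
#   DIR is owned by OWNER, belongs to GROUP (the web server's group, "apache"
#   in the thread), and has mode rwxrws--- : setgid so new files inherit GROUP,
#   and no access for "other" (assumption: required so vhost users are isolated).
setup_vhost_dir() {
    dir=$1; owner=$2; group=$3
    mkdir -p "$dir"
    chown "$owner" "$dir"
    chgrp "$group" "$dir"
    chmod u=rwx,g=rwxs,o= "$dir"
}

# Portable helpers: group name and 10-character symbolic mode of a path.
# (ls -ld may append "+" or "." for ACLs/SELinux, so cut to the first 10.)
file_group() { ls -ld "$1" | awk '{print $4}'; }
file_mode()  { ls -ld "$1" | awk '{print $1}' | cut -c1-10; }

# check_vhost_dir DIR GROUP
#   Returns 0 only if: DIR's group is GROUP, the setgid bit is set, "other"
#   has no permissions, and a file created inside DIR inherits GROUP.
check_vhost_dir() {
    dir=$1; group=$2
    mode=$(file_mode "$dir")
    [ "$(file_group "$dir")" = "$group" ] || return 1
    # setgid shows as 's' (or 'S' when group execute is absent) in position 7
    case "$mode" in ??????[sS]???) ;; *) return 1 ;; esac
    # "other" must be exactly --- (positions 8-10)
    case "$mode" in ???????---) ;; *) return 1 ;; esac
    # prove setgid inheritance: a new file must carry the server group
    probe=$dir/.probe.$$
    : > "$probe"
    g=$(file_group "$probe")
    rm -f "$probe"
    [ "$g" = "$group" ]
}

# Demo using the current user/primary group as stand-ins for a vhost owner
# and the "apache" group, so this runs without root. Constructed paths only.
demo() {
    base=${TMPDIR:-/tmp}/vhost-demo.$$
    me=$(id -un); servergrp=$(id -gn)
    setup_vhost_dir "$base/example.test" "$me" "$servergrp"
    if check_vhost_dir "$base/example.test" "$servergrp"; then
        echo "example.test: layout OK"
    else
        echo "example.test: layout WRONG"
    fi
    rm -rf "$base"
}

demo
```

In a real deployment the setup function would be called per vhost as root (`setup_vhost_dir /var/www/site1 alice apache`), and each shell user would be removed from the apache group as George's corrected line says. One caveat the check cannot cover: with mod_php every script runs as the apache user, so PHP code in one vhost can still read files in any other vhost that the apache group can read; this scheme isolates the shell logins from each other, not the PHP code, which is where the ExecCGI/suexec route Karl mentions would come in.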