-1

Let's say I have a website under www.example.com and would like to also have a blog under a subfolder, e.g. www.example.com/blog/. How can I sandbox this folder so that any script running inside it won't be able to touch any files outside of it?

Edit: Added info below.

The current configuration uses Apache with Suexec and php-fastcgi:

<VirtualHost X.X.X.X:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /home/example/public_html
    ScriptAlias /cgi-bin/ /home/example/cgi-bin/
    DirectoryIndex index.html index.htm index.php

    RemoveHandler .php
    php_admin_value engine Off
    IPCCommTimeout 301
    FcgidMaxRequestLen 1073741824
    SuexecUserGroup "#1000" "#1000"

    <Directory /home/example/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
        AddType application/x-httpd-php .php
        AddHandler fcgid-script .php
        FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php
    </Directory>

    <Directory /home/example/cgi-bin>
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
    </Directory>

</VirtualHost>

/home/example/fcgi-bin/php5.fcgi contains:

#!/bin/bash
PHPRC=$PWD/../etc/php5
export PHPRC
umask 022
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=99999
export PHP_FCGI_MAX_REQUESTS
SCRIPT_FILENAME=$PATH_TRANSLATED
export SCRIPT_FILENAME
exec /usr/bin/php5-cgi

From what I know, the SuexecUserGroup can be used only in the server config or virtualhost context, so it cannot be specified in a directory context. What options do I have?

ovi

2 Answers

0

What you want is not entirely possible, but some things to consider:

  • use Apache's Alias directive: that allows the /blog/ URL to be in a different place on the file-system and not in the same directory as other web-content.

  • Rather than mod_php which runs PHP scripts as the webserver UID which is the same for all site content, use PHP in CGI mode (for instance php-fpm) with a different UID context for the blog site. suexec is similar for CGI scripts.

  • Use of a Reverse Proxy for the /blog/ URL to a completely different web-server (instance) for your blog:

    ProxyPass /blog/ http://blog.example.org:81/blog/
    ProxyPassReverse /blog/ http://blog.example.org:81/blog/

HBruijn
  • Thanks. I think the `Alias` alone wouldn't be of any help, because I want the folder to be completely sandboxed. The reverse proxy option is one I already looked at, very powerful considering that you can use it to host the folder on a totally different server. What I'm more interested in right now is what configuration would be needed to run the subfolder as a different user? – ovi Mar 13 '15 at 12:48
  • Sorry if I was too generic on the question before. I added more info now. – ovi Mar 13 '15 at 14:37
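
One way to apply the php-fpm suggestion from the answer above to the virtual host in the question, as an added example that is not part of the original thread. The Unix user `blog`, the socket path `/run/php/blog.sock`, the `www-data` Apache account and the blog location `/home/example/public_html/blog` are assumptions.

```apache
# Added example, not the asker's configuration. Assumed names: Unix user
# "blog", socket /run/php/blog.sock, blog files in /home/example/public_html/blog.
#
# Companion php-fpm pool (a separate file in the php-fpm pool directory):
#   [blog]
#   user = blog
#   group = blog
#   listen = /run/php/blog.sock
#   listen.owner = www-data      ; the account Apache runs as (assumed)
#   listen.group = www-data
#   listen.mode = 0660
#   pm = ondemand
#   pm.max_children = 5
#   ; Defence in depth only; the separate UID is the actual boundary.
#   php_admin_value[open_basedir] = /home/example/public_html/blog
#
# Filesystem side: the blog tree is owned by "blog"; the rest of the site
# stays owned by uid 1000 and is not writable by "blog".

# Inside the existing <VirtualHost>, after the public_html <Directory> block:
<Directory /home/example/public_html/blog>
    # Stop the blog from re-enabling handlers or options through .htaccess,
    # which the parent directory's "AllowOverride All" would otherwise permit.
    AllowOverride None
    Options -ExecCGI

    # Drop the inherited mod_fcgid mapping so .php files here never run
    # under SuexecUserGroup "#1000" "#1000".
    RemoveHandler .php

    # Hand .php requests to the pool running as "blog"
    # (mod_proxy_fcgi, Apache 2.4.10 or later).
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/blog.sock|fcgi://localhost"
    </FilesMatch>
</Directory>
```

Static files under /blog/ are still read and served by Apache itself; only PHP execution moves to the `blog` user.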
0

You could have example.com/blog redirect to a vhost blog.example.com. You could then use for example suphp to run the scripts in this vhost as a completely different user. That should give you the isolation that you want.

user9517
  • Sure, that would be great, but it's actually a requirement to use a subfolder here. – ovi Mar 13 '15 at 15:52