
Firstly, I'm wondering what is the best way to isolate Apache's vhosts from each other. I suppose this has something to do with the Linux filesystem as well, since it's not a good practice to have folders (and files) like /var/www/site1.com/public_html and /var/www/site2.com/public_html under the same Linux user/group.

I found this similar post: Isolating Apache virtualhosts from the rest of the system but noticed this is about isolating the vhosts from the system. A good practice but not what I meant.

I don't want any possible way that site1.com can access files of site2.com and if possible also nothing unnecessary from the filesystem other than its own directory and subdirectories.

Secondly, what is the influence of chmod on the user rights? Let's say both sites run in their own user and user group. But site1.com has one file or directory with the chmod rights 777. Will site2.com be able to use that file/directory?

Bob Ortiz
  • You've not provided nearly enough information about the security model - who is maintaining the content? Is the content just static files or are there scripts/executables? Are you only trying to isolate the vhosts from each other or are there other facilities on the system which should be partitioned? Why are you not using containers or VMs if strict partitioning is a requirement? – symcbean May 10 '16 at 12:55

1 Answer


Not the best solution, but maybe part of it, and the simplest: use suExec.

With suExec, you can easily assign a different Unix user for every vhost for instance (the most common scenario). If you take care of having those users' homes private (mode 0700), that's a pretty good isolation for a start.

They are not chrooted, and will still share /tmp, see other processes running and such. But you will be at least one level above the vast majority of awfully configured LAMP servers.

There are also some technical pros/cons:

  • pro: eliminate the "ftp-user vs. www-data" user where many people end up chmodding all their files and folders into global write (mode 0777) in order for HTTP uploads to work; here the shell login and Apache share the same user
  • con: for the same reason, Apache now can modify any file (data, code) from your user account; that's a prereq for those expecting to update WordPress from its backoffice, but a no-go if you're serious about security and know how to really maintain webapps
  • con: when an Apache worker su's to some user, it cannot be reused for the next incoming HTTP request for a distinct vhost/user; thus this solution does not scale very well if you have lots of vhosts/users (independently of having the very good idea of using its mpm-worker and running code out-of-process via FastCGI, HTTP reverse proxying and such)

Regarding your second question: using private homes, you get what you want (chmod 0700 ~toto), BUT the user itself might make its own home public and even globally writable if she so wishes (running chmod 0777 ~toto). Thus it depends on the trust you put in the server's users and apps.

zerodeux
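The second question (a 0777 file inside a private home) comes down to directory traversal: an unrelated user needs the search (x) bit on every directory above the file. The following is an added example, not code from the question or the answer; `other_access`, `demo`, the `site1` layout and `upload.php` are constructed names, and it assumes plain mode bits only (no ACLs, site2's user is not in site1's group).

```python
import os
import stat
import tempfile


def other_access(path, base="/"):
    """Return the rwx bits an unrelated user (neither owner nor group member)
    effectively has on `path`. Returns "" when any directory below `base`
    on the way to `path` lacks the search (x) bit for "other"."""
    path, base = os.path.abspath(path), os.path.abspath(base)
    parts = os.path.relpath(path, base).split(os.sep)
    current = base
    for part in parts[:-1]:
        current = os.path.join(current, part)
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return ""  # traversal blocked: modes further down do not matter
    mode = os.stat(path).st_mode
    bits = (("r", stat.S_IROTH), ("w", stat.S_IWOTH), ("x", stat.S_IXOTH))
    return "".join(ch for ch, bit in bits if mode & bit)


def demo():
    """Constructed layout: <tmp>/site1/public_html/upload.php with mode 0777."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "site1")
        docroot = os.path.join(home, "public_html")
        target = os.path.join(docroot, "upload.php")
        os.makedirs(docroot)
        open(target, "w").close()
        # chmod explicitly so the result does not depend on the umask
        os.chmod(docroot, 0o755)
        os.chmod(target, 0o777)

        os.chmod(home, 0o700)   # private home, as the answer recommends
        private = other_access(target, base=root)

        os.chmod(home, 0o711)   # search-only home: file reachable by name
        search_only = other_access(target, base=root)

        os.chmod(home, 0o777)   # the user opened the home up herself
        public = other_access(target, base=root)
        return private, search_only, public


if __name__ == "__main__":
    print(demo())
```

Run against a real docroot with the default `base="/"`, any non-empty result for a file under another vhost's home means that vhost's isolation depends on the file mode alone.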