[drupal-devel] multihost chrooted apache
Hello,

I was wondering if any of you had experiences with a multisite environment on apache, where apache runs in a chrooted vhost environment.

We want to give all hosted sites full UID1 permissions on drupal, meaning that they are allowed (for example) to make PHP pages and blocks. One day there will be a user that abuses that, or tries to root the server with that. So we need to limit the abilities of the user running PHP/drupal. Each multisite will run on a single drupal multisite installation, but with apache as a separate user.

It seems to work out fine, but I wonder if any of you people has more experience with this, and knows if there are any oddities and quirks to be expected.

-- Ber
On Mon, 2005-09-19 at 10:42 +0200, Bèr Kessels wrote:
Hello,
I was wondering if any of you had experiences with a multisite environment on apache, where apache runs in a chrooted vhost environment.
We want to give all hosted sites full UID1 permissions on drupal, meaning that they are allowed (for example) to make PHP pages and blocks. One day there will be a user that abuses that, or tries to root the server with that. So we need to limit the abilities of the user running PHP/drupal. Each multisite will run on a single drupal multisite installation, but with apache as a separate user.
It seems to work out fine, but I wonder if any of you people has more experience with this, and knows if there are any oddities and quirks to be expected.
Chrooted apache is tough, loads of issues until setup, afterwards is OK. Not sure if what you just described makes a lot of sense though. There is an opportunity to mess up the permissions. If you have full control of the host, why not try usermode linux? You will be able to run with little overhead a full "virtual server" for the clients. With cow (copy on write) configured properly for the root filesystem you will achieve similar benefits to what you described above.
On 19 Sep 2005, at 10:42 AM, Bèr Kessels wrote:
We want to give all hosted sites full UID1 permissions on drupal, meaning that they are allowed (for example) to make PHP pages and blocks. One day there will be a user that abuses that, or tries to root the server with that. So we need to limit the abilities of the user running PHP/drupal. Each multisite will run on a single drupal multisite installation, but with apache as a separate user.
Isn't apache using fastcgi a better idea? That way you can run each apache process as the user account the site belongs to, and set the permissions to only allow them write access to their own sites dir. You will also only have 1 chrooted environment. Also, for security, I recommend setting the db username and password using setenv in the apache virtualhost.

-- Adrian Rossouw Drupal developer and Bryght Guy http://drupal.org | http://bryght.com
Hey

On Monday 19 September 2005 19:13, Adrian Rossouw wrote:
That way you can run each apache process as the user account the site belongs to, and set the permissions to only allow them write access to their own sites dir.
That indeed is what I had in mind. Each vhost dir is symlinked from /sites, eg sites/www.example.com -> /home/httpd/example.com/

And indeed what I wanted is the user example.com to be an apache user. So if example.com decides to FuBar his site (which is fine IMO, disclaimers are in place) that must be limited to /home/httpd/example.com/ and example.com's database, of course.

A user mode linux is not a real option. Memory issues make this Very Hard [tm]. But above all, I see no way to run a multisite on a user mode environment. And, maybe the most important of all is that it breaks with our "law number one": KISS. :)

Bèr

-- [ Bèr Kessels | Drupal services www.webschuur.com ]
On 19 Sep 2005, at 7:42 PM, Bèr Kessels wrote:
And indeed what I wanted is the user example.com to be an apache user. So if example.com decides to FuBar his site (which is fine IMO, disclaimers are in place) that must be limited to /home/httpd/example.com/ and example.com's database, of course.
Use FastCGI, so that each user can read the apache root, but not write to anything but their sites directory. Meaning they can't fubar anything.

-- Adrian Rossouw Drupal developer and Bryght Guy http://drupal.org | http://bryght.com
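The property discussed in this thread (each site's user may write only under its own /home/httpd/<site> directory, and every sites/<host> symlink must point into /home/httpd) can be checked with a small audit. This is an added example, not code from any poster in the thread; the function names, the uid/gid values and the temporary directory layout are assumptions, and only classic mode bits are evaluated.

```python
import os
import stat

def can_write(st, uid, gids):
    """Unix mode-bit check only; ACLs and parent-directory access are ignored."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def writable_outside_home(drupal_root, homes_root, users):
    """users maps site -> (uid, gids). Returns sorted (site, path) pairs where
    that site's user could write outside homes_root/<site>."""
    findings = set()
    homes_real = os.path.realpath(homes_root)
    for site, (uid, gids) in users.items():
        own = os.path.join(homes_real, site)
        for top in (os.path.realpath(drupal_root), homes_real):
            for dirpath, dirnames, filenames in os.walk(top):
                if dirpath == own:
                    dirnames[:] = []  # the site's own tree is allowed to be writable
                    continue
                for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                    st = os.lstat(path)
                    if not stat.S_ISLNK(st.st_mode) and can_write(st, uid, gids):
                        findings.add((site, path))
    return sorted(findings)

def stray_site_links(drupal_root, homes_root):
    """Names under sites/ whose symlink is not a direct child of homes_root."""
    homes_real = os.path.realpath(homes_root)
    sites = os.path.join(drupal_root, "sites")
    links = [e for e in os.listdir(sites) if os.path.islink(os.path.join(sites, e))]
    return sorted(e for e in links
                  if os.path.dirname(os.path.realpath(os.path.join(sites, e))) != homes_real)

if __name__ == "__main__":
    import tempfile
    root = os.path.realpath(tempfile.mkdtemp())  # constructed layout, not a real server
    drupal, homes = os.path.join(root, "drupal"), os.path.join(root, "httpd")
    os.makedirs(os.path.join(drupal, "sites"))
    os.makedirs(os.path.join(homes, "example.com"))
    os.symlink(os.path.join(homes, "example.com"),
               os.path.join(drupal, "sites", "www.example.com"))
    os.chmod(drupal, 0o777)  # deliberate mistake for the audit to report
    users = {"example.com": (os.getuid() + 4242, {os.getgid() + 4242})}  # hypothetical ids
    print(writable_outside_home(drupal, homes, users))
    print(stray_site_links(drupal, homes))
```

The check over-reports slightly, because a writable file behind a non-traversable parent directory is still listed.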
participants (3)
- Adrian Rossouw
- Bèr Kessels
- vlado