Apache and multiple Virtual Hosts best practices

Timothy Ha linuxmail at yandex.ru
Thu Dec 16 22:18:13 UTC 2004


Virtual hosting users may want to write to their directories, I think.

Recently I stumbled over setting up a relatively secure Apache virtual 
hosting installation. This is my solution at the moment:

1) users are Unix users on my server, they have FTP locked up in their 
home directories (ProFTPd has this option)
2) Apache httpd service runs with apache uid/gid. apache is a member of 
each user's personal group, so the website is functioning
3) for scripts like PHP to write in user directories, I use suphp module 
(www.suphp.org) that runs php scripts with their owner's rights. So even 
if users know about other logins, they cannot just 
fopen("/home/otheruser/index.php", "r") to read something, because their 
script doesn't have the right.
4) for CGI scripts (Perl and other stuff), one can use suexec (one of my 
recent topics here), but I don't have CGI scripts that write in 
directories, so I don't care.

If anyone has a better solution, please write. I would be glad to know.

Timothy

Harry Hoffman wrote:

> why does apache need to write to the vhost dirs?
>
> Eric Wagar wrote:
>
>> I have an Apache web server with a few virtual hosts.  The ftp is 
>> handled by proftpd, and I have multiple users defined.  These users 
>> have their own uid and gid.  The problem comes when Apache is uid 
>> apache and needs to write to the said directory.
>>
>> I am wondering what other people have done to deal with this.  Do 
>> people just set all the ftp users uid/gid to the same as the Apache 
>> uid/gid on the system?  Obviously this would be an ok solution 
>> because apache uid/gid != root.
>>
>> What are the other ways you guys have dealt with this?
>>
>> Thanks
>> eric
>>
>
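
Added example (not part of the original post or thread): a Python model of the Unix owner/group/other read check behind points 2 and 3 of the message above, plus an audit that lists anything under a web root still granting permissions to "other". The account names, uid/gid numbers and the /home path are constructed for illustration; ACLs and parent-directory search bits are not modelled.

```python
import os
import stat

# Constructed accounts for illustration (not taken from the thread).
ALICE = {"uid": 1001, "gids": {1001}}
BOB = {"uid": 1002, "gids": {1002}}
# Point 2 of the post: apache belongs to every user's personal group.
APACHE = {"uid": 48, "gids": {48, 1001, 1002}}


def may_read(mode, owner_uid, owner_gid, proc):
    """Unix DAC read check: exactly one class (owner, group, other) applies.

    Simplified: ignores ACLs and the search (x) bits on parent directories.
    """
    if proc["uid"] == 0:
        return True
    if proc["uid"] == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in proc["gids"]:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def world_accessible(root):
    """List paths under root that grant any r/w/x bit to 'other'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            if stat.S_IMODE(st.st_mode) & stat.S_IRWXO:
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    # alice's index.php: owner alice, group alice
    for mode in (0o640, 0o644):
        print(oct(mode),
              "apache:", may_read(mode, 1001, 1001, APACHE),
              "bob via suPHP:", may_read(mode, 1001, 1001, BOB))
    for path in world_accessible("/home"):  # assumed location of user dirs
        print("other bits set:", path)
```

With mode 0644 the check passes for bob as well, so the per-user separation suPHP gives holds only while user files and directories carry no "other" bits, which is what the audit function looks for.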




More information about the fedora-list mailing list