[nycbug-talk] apache: securing each virtural host

Marc Spitzer mspitzer
Thu Feb 3 12:04:28 EST 2005


On Thu, 3 Feb 2005 11:41:48 -0800, Dan Casey <dcasey at bestweb.net> wrote:
> FreeBSD 5.3
> 
> Well, VirtualHost referring to the apache config.
> 
> I want a jail-like setup. But not for apache as a whole.
> Apache will have several websites (NameBased VirtualHosts).
> Each User (1 perl website) will be able to access their files only, in what will
> appear to them as a server or filesystem.

How are you granting users access to their files, ftp, webdav...?
For ftp there are many ftp servers that lock you into your "home dir"
only, perhaps you can do the same thing with webdav.
> 
> Now if it were just one site, a regular jail would be fine. But I want to
> keep each site separate.

Virtual hosts work fine for that.

> 
> I don't seem to understand how to achieve this without running a separate jail
> for each site.

Each server is in its own separate world so the users cannot get
access to other users' stuff.

> Each jail would then need to run its own httpd.conf, and start its own httpd
> servers.

Yes.

> 
> By default apache opens 5 servers.
> say 50 websites / 50 jails * 5 servers = .... not an ideal situation :)

Not that bad on decent hardware.

> 
> I cannot imagine that this is the only way to achieve this effect.
> 

It depends what/how much you want to isolate your users.  If you want
them to each think they have a dedicated server, they can ssh in and
edit stuff, install binaries, then you need a jail for each of them.
If you can just give them each a separate docroot and limit their
access to ftp then you do not need a jail.

From what you want the 'ls -la /' cgi to do you need a jail; ls is not
something you can control from apache so you must do it from the OS.
If this is necessary then size your hardware accordingly.

marc

PS: top posting is bad, please stop doing it here.

> Thanks
> 
> 
> ----- Original Message -----
> From: "Marc Spitzer" <mspitzer at gmail.com>
> To: "nycbug" <talk at lists.nycbug.org>
> Sent: Thursday, February 03, 2005 8:20 AM
> Subject: Re: [nycbug-talk] apache: securing each virtural host
> 
> > On Thu, 3 Feb 2005 10:03:08 -0500, Dan Casey <dcasey at bestweb.net> wrote:
> > >
> > > I have posted this question on alt.apache.configuration and several forums
> > > as well. Nobody seems to have an answer as to how this is done. I have an
> > > account on a webserver that is using ensim cp. Their server does what I am
> > > trying to achieve.
> > >
> > >
> > > I know how to chroot apache, that's no problem.
> > > What I would like to do is lock each virtualhost to be able to see its own
> > > files only. The system that I have the account on was able to achieve this
> > > using up about 20Mb per virtualhost.
> > >
> > >
> > > Example of why I am trying to achieve this.
> > > Say I have my web files in folders such as
> > > /usr/local/virtual/some-domain.com/www
> > >
> > > I would need to set the ServerRoot to /usr/local/virtual/
> > > The VirtualHost DocumentRoot's would be set to
> > > /usr/local/virtual/some-domain.com/www and so.
> > >
> > > A user executes a script in his browser: some-domain.com/cgi-bin/ls.cgi
> > >     this script looks like so
> > >     #!/usr/local/bin/perl
> > >     print "Content-Type: text/html\n\n";
> > >     print `ls -la /`;
> > >
> > > the contents on their screen would be the output of
> > > ls -la /usr/local/virtual/
> > > thus listing all the domains available on the server.
> > >
> > > I need to set this up so that that same script would return the output of
> > > ls -la /usr/local/virtual/some-domain.com/
> > >   which would appear something like this:
> > >     /etc
> > >     /dev
> > >     /usr
> > >     ...
> >
> > I think you are confusing your terms, from what I see you do not want
> > a virtual host.  What you want is a jail, on FreeBSD, or a Xen virtual
> > machine, on NetBSD 2.  You do not want a virtual host, that would only
> > contain the web server stuff (docroot, cgi's, etc.).
> >
> > Now if you do want a virtual server, not virtual hosts, what OS are you
> > planning on doing this on?
> >
> > marc
> 
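Marc's point that a virtual host only scopes URL mapping, not what a CGI child process can read on the filesystem, can be checked mechanically. The following audit script is an added example (not code from anyone in this thread); it parses a constructed httpd.conf fragment modelled on the /usr/local/virtual layout above and reports, for every CGI-capable vhost, the sibling DocumentRoots that remain reachable without a per-site jail.

```python
"""Audit name-based Apache vhosts for the 'ls -la /' exposure discussed in
the thread: CGI under one vhost can read every other vhost's files unless
the OS (a jail) isolates them. Example code, not part of the thread."""
import os
import re

# Constructed sample config; paths follow the layout described in the thread.
SAMPLE_CONF = """
ServerRoot /usr/local/virtual
<VirtualHost *:80>
    ServerName some-domain.com
    DocumentRoot /usr/local/virtual/some-domain.com/www
    ScriptAlias /cgi-bin/ /usr/local/virtual/some-domain.com/cgi-bin/
</VirtualHost>
<VirtualHost *:80>
    ServerName other-domain.com
    DocumentRoot /usr/local/virtual/other-domain.com/www
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
# Any of these directives lets the vhost run CGI (and thus spawn `ls`).
CGI_RE = re.compile(
    r"^\s*(ScriptAlias|AddHandler\s+cgi-script|Options\b.*\bExecCGI)",
    re.M | re.I)

def parse_vhosts(conf):
    """Return [(ServerName, DocumentRoot, has_cgi)] for each vhost block."""
    out = []
    for body in VHOST_RE.findall(conf):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        root = re.search(r"^\s*DocumentRoot\s+\"?([^\"\s]+)", body, re.M | re.I)
        out.append((name.group(1) if name else "?",
                    os.path.normpath(root.group(1)) if root else "?",
                    bool(CGI_RE.search(body))))
    return out

def exposed_siblings(vhosts):
    """Map each CGI-capable vhost to the other DocumentRoots its scripts can
    list. Apache restricts URL-to-path mapping only; the child process sees
    the whole filesystem, so every other vhost is reachable."""
    return {name: sorted(r for n, r, _ in vhosts if n != name)
            for name, root, has_cgi in vhosts if has_cgi}

def needs_jail(vhosts):
    """True when at least one vhost runs CGI beside other sites."""
    return any(siblings for siblings in exposed_siblings(vhosts).values())

if __name__ == "__main__":
    for vhost, roots in exposed_siblings(parse_vhosts(SAMPLE_CONF)).items():
        print(vhost, "can read:", ", ".join(roots))
```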
