[nycbug-talk] apache: securing each virtural host

Dan Casey dcasey
Thu Feb 3 15:50:44 EST 2005


----- Original Message ----- 
From: "Marc Spitzer" <mspitzer at gmail.com>
To: "nycbug" <talk at lists.nycbug.org>
Sent: Thursday, February 03, 2005 9:04 AM
Subject: Re: [nycbug-talk] apache: securing each virtural host


> On Thu, 3 Feb 2005 11:41:48 -0800, Dan Casey <dcasey at bestweb.net> wrote:
> > FreeBSD 5.3
> >
> > Well, VirtualHost referring to the apache config.
> >
> > I want a jail-like setup. But not for apache as a whole.
> > Apache will have several websites (NameBased VirtualHosts).
> > Each User (1 perl website) will be able to their files only, in what will
> > appear to them as a server or filesystem.
>
> How are you granting users access to their files, ftp, webdav...?
> for ftp there are many ftp servers that lock you into your "home dir"
> only, perhaps you can do the same thing with webdav.
> >
> > Now if it where just one site, a regular jail would be fine. But I want to
> > keep each site separate.
>
> Virtual hosts work fine for that.
>
> >
> > I don't seem to understand how to achieve this with running a separate jail
> > for each site.
>
> each server is in its own separate world so the users can not get
> access to other users stuff.
>
> > Each jail would then need to run its own httpd.conf, and start its own httpd
> > servers.
>
> yes
>
> >
> > By default apache opens 5 servers.
> > say 50 websites / 50 jails * 5 servers = .... not an ideal situation :)
>
> not that bad on decent hardware
>
> >
> > I cannot imagine that this is the only way to achieve this effect.
> >
>
> It depends what/how much you want to isolate your users.   if you want
> them to each think they have a dedicated server, they can ssh in and
> edit stuff, install binaries then you need a jail for each of them.
> If you can just give them each a separate docroot and limit their
> access to ftp then you do not need a jail.
>
> From what you want the 'ls -la /' cgi to do you need a jail, ls is not
> something you can control from apache so you must do it from the os.
> If this is necessary then size your hardware accordingly.
>
> marc
>
> ps top posting is bad please stop doing it here.
>
> > Thanks
> >
> >
> > ----- Original Message -----
> > From: "Marc Spitzer" <mspitzer at gmail.com>
> > To: "nycbug" <talk at lists.nycbug.org>
> > Sent: Thursday, February 03, 2005 8:20 AM
> > Subject: Re: [nycbug-talk] apache: securing each virtural host
> >
> > > On Thu, 3 Feb 2005 10:03:08 -0500, Dan Casey <dcasey at bestweb.net> wrote:
> > > >
> > > > I have posted this question on alt.apache.configuration and several forums
> > > > as well.. Nobody seems to have an answer as to how this is done. I have an
> > > > account on a webserver that is using ensim cp. Their server does what I am
> > > > trying to achieve.
> > > >
> > > >
> > > > I know how to chroot apache, that's no problem.
> > > > What I would like to do is lock each virtualhost to be able to see its own
> > > > files only. The system that I have the account on was able to achieve this
> > > > using up about 20Mb per virtualhost.
> > > >
> > > >
> > > > Example of why I am trying to achieve this.
> > > > Say I have my web files in folders such as
> > > > /usr/local/virtual/some-domain.com/www
> > > >
> > > > I would need to set the ServerRoot to /usr/local/virtual/
> > > > The VirtualHost DocumentRoot's would be set to
> > > > /usr/local/virtual/some-domain.com/www and so.
> > > >
> > > > A user executes a script in his browser. some-domain.com/cgi-bin/ls.cgi
> > > >     this script looks like so
> > > >     #!/usr/local/bin/perl
> > > >     print "Content-Type: text/html\n\n";
> > > >     # backticks run the command and return its output; the path "/" is
> > > >     # whatever root the httpd process actually sees (the whole system
> > > >     # unless httpd is chrooted or jailed)
> > > >     print `ls -la /`;
> > > >
> > > > the contents on their screen would be the output of
> > > > ls -la /usr/local/virtual/
> > > > thus listing all the domains available on the server.
> > > >
> > > > I need to set this up so that that same script would return the output of
> > > > ls -la /usr/local/virtual/some-domain.com/
> > > >   which would appear something like this:
> > > >     /etc
> > > >     /dev
> > > >     /usr
> > > >     ...
> > >
> > > I think you are confusing your terms, from what I see you do not want
> > > a virtual host.  What you want is a jail, on freebsd, or a xen virtual
> > > machine, on netbsd 2.  You do not want a virtual host, that would only
> > > contain the web server stuff(docroot, cgi's, etc.).
> > >
> > > Now if you do want virtual server, not virtual hosts, what OS are you
> > > planning on doing this on?
> > >
> > > marc
> > > _______________________________________________
> > > % NYC*BUG talk mailing list
> > > http://lists.nycbug.org/mailman/listinfo/talk
> > > %Be sure to check out our Jobs and NYCBUG-announce lists
> > > %We meet the first Wednesday of the month
> > >
> > >
> >


Sorry about the top-posting.

Users have access to their files via ftp.
I'm running pure-ftp which doesn't allow them to leave their home dir.
ssh I have a unique setup, but that's another story.

VirtualHost keeps everything separate, yes.
What I meant was to not allow users to run scripts that can access anything
below their virtualhost's DocumentRoot, thus allowing them to see anything
in the ServerRoot which is conveniently one directory below their
DocumentRoot.. (that was a mouthful)

Ideally I would just set up the virtualhost like so
    ServerRoot /usr/local/virtual/some-domain.com/
    DocumentRoot /usr/local/virtual/some-domain.com/www/
but then apache says ServerRoot cannot occur within <VirtualHost> section


..I think I'm sadly coming to think that I really do need to run a separate
jail with its own apache server running in it.
I can see this becoming an absolute mess to manage..
I wouldn't want to even think about upgrading a kernel...

well, if that is the way it needs to be done, then that is what needs to be
done...
I guess I have a lot of script writing ahead of me.. :) yippie.


-Thank you much.
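An added example, not code from Dan or Marc and not part of the thread: the kind of helper script the one-jail-per-site design above implies. It lays out one jail root per domain under a base directory and writes that jail its own httpd.conf, with ServerRoot as a global directive (Apache rejects ServerRoot inside <VirtualHost>, which is exactly the error quoted above), and it includes a check that flags a config that tries to put ServerRoot inside a <VirtualHost> block. Assumptions that are not in the thread: the jail root is $BASE/<domain>, the web tree inside the jail is /www, httpd.conf lives at /usr/local/etc/apache/ inside the jail, httpd runs as user and group www, every jail has its own IP address (which is how jail(8) addresses a jail), and the per-site inventory is a file named jail.conf in the base directory.

```shell
#!/bin/sh
# Added example (not from the thread). Generates a per-site jail skeleton and
# an httpd.conf for it, for the "one jail per VirtualHost" approach.
# Assumed layout: $BASE/<domain> is the jail root; inside the jail the site
# lives in /www, httpd.conf is /usr/local/etc/apache/httpd.conf, httpd runs as
# www:www, and each jail has its own IP (all of these are assumptions).

# make_site BASE DOMAIN IP
# Creates the skeleton directories and writes a minimal httpd.conf whose
# ServerRoot is a top-level directive. Paths in the file are as seen from
# inside the jail, so the ls.cgi from the thread lists the jail's /, not the
# host's /usr/local/virtual.
make_site() {
    base=$1; domain=$2; ip=$3
    root="$base/$domain"
    conf="$root/usr/local/etc/apache/httpd.conf"
    for d in etc dev usr/local/etc/apache usr/local/www www/cgi-bin; do
        mkdir -p "$root/$d" || return 1
    done
    cat > "$conf" <<EOF
# generated for $domain; all paths are as seen from inside the jail
ServerRoot "/usr/local"
Listen $ip:80
ServerName $domain
User www
Group www
DocumentRoot "/www"
ScriptAlias /cgi-bin/ "/www/cgi-bin/"
<Directory "/www">
    Options -Indexes
    AllowOverride None
</Directory>
EOF
    # inventory line used later to start the jails: domain, root, IP
    printf '%s %s %s\n' "$domain" "$root" "$ip" >> "$base/jail.conf"
}

# serverroot_in_vhost FILE
# Exit 0 if FILE has a ServerRoot directive inside a <VirtualHost> block,
# the misconfiguration Apache refuses to load; exit 1 otherwise.
serverroot_in_vhost() {
    awk '
        tolower($0) ~ /^[ \t]*<virtualhost/   { invh = 1 }
        tolower($0) ~ /^[ \t]*<\/virtualhost/ { invh = 0 }
        invh && tolower($1) == "serverroot"  { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# usage:  sh mkjailsites.sh make /usr/local/virtual some-domain.com 10.0.0.11
#         sh mkjailsites.sh check /path/to/httpd.conf
case "${1:-}" in
    make)  shift; make_site "$@" ;;
    check) serverroot_in_vhost "$2" && echo "ServerRoot inside <VirtualHost> in $2" ;;
esac
```

The generated file is deliberately small: the point is that ServerRoot, Listen and the per-site DocumentRoot all belong to the jail's own httpd, so nothing in the shared host config needs to mention the other sites. Populating /etc, /dev and the binaries inside each root is the jail build step and is not covered here.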








