[nycbug-talk] apache: securing each virtual host

Bob Ippolito bob
Thu Feb 3 12:06:44 EST 2005



On Feb 3, 2005, at 14:41, Dan Casey wrote:

> ----- Original Message -----
> From: "Marc Spitzer" <mspitzer at gmail.com>
> To: "nycbug" <talk at lists.nycbug.org>
> Sent: Thursday, February 03, 2005 8:20 AM
> Subject: Re: [nycbug-talk] apache: securing each virtual host
>
>
>> On Thu, 3 Feb 2005 10:03:08 -0500, Dan Casey <dcasey at bestweb.net>
>> wrote:
>>>
>>> I have posted this question on alt.apache.configuration and several
>>> forums as well. Nobody seems to have an answer as to how this is done.
>>> I have an account on a webserver that is using ensim cp. Their server
>>> does what I am trying to achieve.
>>>
>>>
>>> I know how to chroot apache, that's no problem.
>>> What I would like to do is lock each virtualhost to be able to see its
>>> own files only. The system that I have the account on was able to
>>> achieve this using up about 20Mb per virtualhost.
>>>
>>>
>>> Example of why I am trying to achieve this.
>>> Say I have my web files in folders such as
>>> /usr/local/virtual/some-domain.com/www
>>>
>>> I would need to set the ServerRoot to /usr/local/virtual/
>>> The VirtualHost DocumentRoot's would be set to
>>> /usr/local/virtual/some-domain.com/www and so on.
>>>
>>> A user executes a script in his browser.
>>> some-domain.com/cgi-bin/ls.cgi
>>>     this script looks like so
>>>     #!/usr/local/bin/perl
>>>     print "Content-Type: text/html\n\n";
>>>     print `ls -la /`;
>>>
>>> the contents on their screen would be the output of
>>> ls -la /usr/local/virtual/
>>> thus listing all the domains available on the server.
>>>
>>> I need to set this up so that that same script would return the output
>>> of
>>> ls -la /usr/local/virtual/some-domain.com/
>>>   which would appear something like this:
>>>     /etc
>>>     /dev
>>>     /usr
>>>     ...
>>
>> I think you are confusing your terms, from what I see you do not want
>> a virtual host.  What you want is a jail, on FreeBSD, or a Xen virtual
>> machine, on NetBSD 2.  You do not want a virtual host, that would only
>> contain the web server stuff (docroot, CGIs, etc.).
>>
>> Now if you do want a virtual server, not virtual hosts, what OS are you
>> planning on doing this on?
>>
> FreeBSD 5.3
>
> Well, VirtualHost referring to the apache config.
>
> I want a jail-like setup. But not for apache as a whole.
> Apache will have several websites (NameBased VirtualHosts).
> Each User (1 perl website) will be able to see their files only, in what
> will appear to them as a server or filesystem.
>
> Now if it were just one site, a regular jail would be fine. But I want to
> keep each site separate.
>
>
> I don't seem to understand how to achieve this with running a separate
> jail for each site.
> Each jail would then need to run its own httpd.conf, and start its own
> httpd servers.
>
> By default apache opens 5 servers.
> say 50 websites / 50 jails * 5 servers = .... not an ideal situation :)
>
> I cannot imagine that this is the only way to achieve this effect.

You're asking for two mutually exclusive things: a single Apache 
process can't live in 50 different jails at the same time.

There is probably a way to chroot before running a CGI, but that 
doesn't help you isolate anything in-process like mod_php.  To do that, 
you actually do need to run an apache per user.

-bob
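Bob's "chroot before running a CGI" idea, as an added example that is not code from the thread: a small suexec-style wrapper that Apache would run setuid root, which confines one virtual host's CGI to its own directory tree and then drops root before exec. The command-line layout, the VHOST_BASE path reuse and the id floor of 1000 are assumptions, not something the list discussed.

```c
#define _DEFAULT_SOURCE 1   /* glibc: declare chroot()/setgroups(); harmless elsewhere */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>

#define VHOST_BASE "/usr/local/virtual/"  /* the layout from the thread */
#define MIN_ID     1000                   /* assumption: no CGI runs as a system uid/gid */

/* Only an immediate child of VHOST_BASE with a plain name (no '/', ".", "..", or empty). */
int vhost_dir_ok(const char *dir)
{
    size_t blen = strlen(VHOST_BASE);
    if (strncmp(dir, VHOST_BASE, blen) != 0) return 0;
    const char *name = dir + blen;
    if (*name == '\0' || strchr(name, '/') != NULL) return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Script path is relative to the vhost root: no leading '/', no empty or ".." component. */
int script_path_ok(const char *rel)
{
    if (rel[0] == '\0' || rel[0] == '/') return 0;
    for (const char *p = rel; ; p = strchr(p, '/') + 1) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || (len == 2 && p[0] == '.' && p[1] == '.')) return 0;
        if (end == NULL) return 1;
    }
}

/* Hypothetical invocation by the web server: cgiwrap <vhost-dir> <uid> <gid> <script> */
int main(int argc, char **argv)
{
    if (argc != 5) { fprintf(stderr, "usage: cgiwrap dir uid gid script\n"); return 2; }
    long uid = strtol(argv[2], NULL, 10), gid = strtol(argv[3], NULL, 10);
    if (!vhost_dir_ok(argv[1]) || !script_path_ok(argv[4]) || uid < MIN_ID || gid < MIN_ID) {
        fprintf(stderr, "cgiwrap: refused\n"); return 2;
    }
    /* chroot while still root, then drop root for good: a chrooted process that keeps
     * root is not confined, so the order of these two steps is the whole point. */
    if (chdir(argv[1]) != 0 || chroot(argv[1]) != 0) { perror("chroot"); return 1; }
    if (setgroups(0, NULL) != 0 || setgid((gid_t)gid) != 0 || setuid((uid_t)uid) != 0) {
        perror("drop privileges"); return 1;
    }
    /* cwd is now "/" of the vhost tree, so the relative path resolves inside it; the
     * interpreter on the script's #! line must exist there too (the ~20Mb per vhost). */
    execl(argv[4], argv[4], (char *)NULL);
    perror("exec"); return 1;
}
```

A production wrapper (Apache's own suexec is the reference) additionally verifies the script's owner and mode and the ownership of every directory on the path; this example stops at the confinement step Bob describes, and like any per-request chroot it does nothing for in-process modules such as mod_php.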
