Secure Apache PHP vhost configuration
Posted by jsimmons on Server Fault
Published on 2011-05-05T23:41:17Z
I'm looking to secure some websites running under Apache using suexec. At the moment PHP is executed with the user/group of the file being executed. This seems to me not secure enough. It stops vhosts interfering with each other, but does not stop malicious code writing anywhere in the vhost being used.
I was thinking that a possibility would be to run scripts as nobody/vhost group; that way the vhost user could still have full access to the vhost directories, but executing PHP would only be able to write to files with g+w, and to execute files with g+x. This, I think, should stop arbitrary writing in the web dir from compromised PHP.
Just wondering if this is crazy, ridiculous, stupid?
Of course this would be done on top of existing security measures.
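An audit sketch for the scheme described in the question, added here as an example and not part of the original post: it lists which paths in a vhost tree are modifiable when PHP runs as the file owner versus as a separate uid that only shares the vhost group. The directory layout, file names and modes are constructed for illustration, and the check looks at mode bits only (ACLs, root and the sticky bit are ignored).

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """rwx bits POSIX applies: owner class, else group class, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def writable_paths(root, uid, gids):
    """Paths under root that a process running as uid/gids could modify.
    Mode bits only: ACLs, root and the sticky bit are ignored (assumption)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        # w+x on a directory allows create/rename/delete of its entries,
        # even when the files themselves are not writable.
        if class_bits(os.lstat(dirpath), uid, gids) & 3 == 3:
            hits.append((os.path.relpath(dirpath, root), "dir"))
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and class_bits(st, uid, gids) & 2:
                hits.append((os.path.relpath(path, root), "file"))
    return sorted(hits)

def build_demo(root):
    """Constructed vhost tree (not from the post): code g+r, data dirs g+w."""
    dirs = {"lib": 0o750, "uploads": 0o770, "cache": 0o770}
    files = {"index.php": 0o640, "lib/db.php": 0o640,
             "uploads/a.png": 0o660, "cache/page.html": 0o640}
    for d in dirs:
        os.mkdir(os.path.join(root, d))
    for f, mode in files.items():
        path = os.path.join(root, f)
        open(path, "w").close()
        os.chmod(path, mode)
    for d, mode in dirs.items():
        os.chmod(os.path.join(root, d), mode)
    os.chmod(root, 0o750)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_demo(root)
        st = os.lstat(root)
        print("as owner:", writable_paths(root, st.st_uid, {st.st_gid}))
        print("as other uid + vhost group:",
              writable_paths(root, st.st_uid + 1, {st.st_gid}))
```

In the constructed tree, `cache/page.html` is not g+w, but its parent directory is, so a process in the vhost group can still delete or replace it; directory modes need the same review as file modes.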
© Server Fault or respective owner