Secure Apache PHP vhost configuration

Posted by jsimmons on Server Fault
Published on 2011-05-05T23:41:17Z Indexed on 2012/04/08 23:32 UTC

I'm looking to secure some websites running under Apache using suexec. At the moment PHP is executed with the user/group of the file being executed. This seems to me not secure enough. It stops vhosts interfering with each other, but does not stop malicious code writing anywhere in the vhost being used.

I was thinking that a possibility would be to run scripts as nobody/vhost group. That way the vhost user could still have full access to the vhost directories, but executing PHP would only be able to write to files with g+w, and to execute files with g+x. This, I think, should stop arbitrary writing in the web dir from compromised PHP.

Just wondering if this is crazy, ridiculous, stupid?

Of course this would be done on top of existing security measures.
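
An added example, not part of the original post: a shell audit of what PHP could still modify under the nobody/vhost-group scheme described above. The function names and the sample directory layout are hypothetical, and the script assumes every path in the docroot carries the vhost group and that PHP runs as a non-owner uid with that group.

```shell
#!/bin/sh
# Added example: audit a docroot for the "PHP runs as nobody:<vhost group>" scheme.
# Assumption: every path has the vhost group as its group and PHP is never the owner,
# so PHP's write access is decided by the group (g+w) and other (o+w) bits.

# Print every path under $1 that such a process can write to.
# A writable directory also allows creating, renaming and deleting its entries.
php_writable_paths() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print | sort
}

# Print .php files that PHP could alter or replace: the file itself is writable,
# or its parent directory is (the file can then be unlinked and recreated).
php_code_at_risk() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        d=$(dirname "$f")
        hit=$(find "$f" "$d" -prune \( -perm -020 -o -perm -002 \) -print)
        if [ -n "$hit" ]; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Build a constructed sample docroot (hypothetical layout) in a temp directory.
make_sample_docroot() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/public/uploads" "$root/cache"
    : > "$root/public/index.php"
    : > "$root/public/config.php"
    : > "$root/public/uploads/avatar.png"
    : > "$root/cache/page.html"
    chmod 750 "$root" "$root/public"                  # code dirs: no g+w
    chmod 640 "$root/public/index.php" "$root/public/config.php"
    chmod 770 "$root/public/uploads" "$root/cache"    # data dirs: g+w
    chmod 660 "$root/public/uploads/avatar.png" "$root/cache/page.html"
    printf '%s\n' "$root"
}

# Demo on the constructed tree: list writable paths, then any PHP code at risk.
demo_root=$(make_sample_docroot) || exit 1
echo "Writable by PHP:";  php_writable_paths "$demo_root"
echo "PHP code at risk:"; php_code_at_risk "$demo_root"
rm -rf "$demo_root"
```

On the sample tree only the upload and cache paths are listed and no `.php` file is at risk. Note that `public/uploads` sits inside the web-served directory and stays writable, so a file created there is still reachable over HTTP unless script execution is disabled for that directory.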
