Isolating Apache virtualhosts from the rest of the system

Posted by JesperB on Server Fault
Published on 2012-11-21T20:47:06Z Indexed on 2012/11/21 23:01 UTC

I am setting up a web server that will host a number of different web sites as Apache VirtualHosts; each of these will have the possibility to run scripts (primarily PHP, possibly others).

My question is: how do I isolate each of these VirtualHosts from each other and from the rest of the system? I don't want e.g. website X to read the configuration of website Y or any of the server's "private" files.

At the moment I have set up the VirtualHosts with FastCGI, PHP and SUExec as described here (http://x10hosting.com/forums/vps-tutorials/148894-debian-apache-2-2-fastcgi-php-5-suexec-easy-way.html), but the SUExec only prevents users from editing/executing files other than their own - the users can still read sensitive information such as config files.

I have thought about removing the UNIX global read permission for all files on the server, as this would fix the above problem, but I'm not sure if I can safely do this without disrupting the server function.

I also looked into using chroot, but it seems that this can only be done on a per-server basis, and not on a per-virtual-host basis.

I'm looking for any suggestions that will isolate my VirtualHosts from the rest of the system.

PS: I'm running Ubuntu 12.04 Server.
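
The exposure described in the question, where files in one site's tree stay readable by other local users even with SUExec in place, can be measured from the permission bits before anything is changed. The script below is an added example, not part of the original post. The one-directory-per-site layout under a common base and the names `siteX`/`siteY` are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: report paths in per-site trees that grant access to "other",
# i.e. to any local account, including the SUExec user of a neighbouring site.

# Print regular files readable by "other" (bit 0004) and directories that
# "other" can list (0004) or enter (0001), below one site directory.
world_accessible() {
    find "$1" \( -type f -perm -0004 \) -o \
              \( -type d \( -perm -0004 -o -perm -0001 \) \)
}

# Summarise every site directory under a base as "<site> <count>".
audit_sites() {
    for site in "$1"/*/; do
        [ -d "$site" ] || continue
        n=$(world_accessible "$site" | wc -l | tr -d ' ')
        echo "$(basename "$site") $n"
    done
}

# Build a constructed two-site layout: siteX uses common default modes
# (755/644), siteY has all "other" bits removed (750/640).
make_sample() {
    mkdir -p "$1/siteX/htdocs" "$1/siteY/htdocs"
    echo '<?php $db_pass = "constructed";' > "$1/siteX/htdocs/config.php"
    echo '<?php $db_pass = "constructed";' > "$1/siteY/htdocs/config.php"
    chmod 755 "$1/siteX" "$1/siteX/htdocs"
    chmod 644 "$1/siteX/htdocs/config.php"
    chmod 750 "$1/siteY" "$1/siteY/htdocs"
    chmod 640 "$1/siteY/htdocs/config.php"
}

# Demo run against the constructed layout.
base=$(mktemp -d)
make_sample "$base"
audit_sites "$base"
world_accessible "$base/siteX"
rm -rf "$base"
```

A site that reports a non-zero count still has paths any other local user can reach. When the "other" bits are removed, the account Apache itself runs as still needs group access to serve that site's static files.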

© Server Fault or respective owner