Root-like filesystem permissions.
Hi there,
This sounds like an Apache question, but it's really more general than
that.
Firstly, some background. I manage a small shared hosting system with a
few hundred websites on it.
Currently, I use Apache 1.3 to serve the pages (can't use 2.0 just yet)
and every site has a docroot located in a directory structure such as:
/web/ab/cd/example.com/www
The Apache daemon runs as a "www" user and group, and every domain
has a unique userid and groupid assigned to it. The Apache daemon runs
in a chroot. (Therefore, the /etc/passwd and /etc/group entries for
user sites only exist in the chroot - so that CGIs will work correctly).
This works fine, however it has some flaws.
Currently, permissions on the customer directories need to be lax
enough for the apache daemon to read the files. This means at least 771
for the docroot (which disables multi).
What I would LIKE is to have all permissions on customer files and
directories to be 700 or 600 respectively (except for executable CGIs
of course).
However, to do this, I'll need to run Apache as root, inside the
chroot. This is not desirable, because I have read that it is possible
to break out of a chroot if the attacker gets root inside it.
So.
What I am after is a way of making the Apache daemon's user (www:www)
have root-like filesystem permissions.
I know there is a LOT of stuff added to the 2.4 kernels with regards to
fine grained permissions, but I don't know where to start, and whether
or not this is feasible. Has anyone else done this at their ISP? Should
I be looking at a different solution?
Thanks for taking the time to read this quite lengthy email :) Any
suggestions are appreciated.
Regards,
Nathan.
--
The language and concepts contained herein are guaranteed
not to cause eternal torment in the place where the guy with
the horns and pointed stick conducts his business.
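
Added example, not part of the original post: a small audit that walks one site's docroot and lists every directory and file whose mode grants anything to group or other, next to the owner-only mode (700/600) the post is aiming for. The function names `audit_site` and `build_sample_tree` and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Policy from the post: directories 700, files 600, executable CGIs 700.
# Anything granted to group or other is therefore a finding.
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO


def audit_site(docroot):
    """Return sorted (relative path, current mode, owner-only mode) tuples
    for every directory and file under docroot that group/other can touch."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)              # do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue                     # link modes are not enforced
            mode = stat.S_IMODE(st.st_mode)
            if mode & GROUP_OTHER:
                rel = os.path.relpath(path, docroot)
                findings.append((rel, "%03o" % mode, "%03o" % (mode & stat.S_IRWXU)))
    return sorted(findings)


def build_sample_tree(base):
    """Create a constructed docroot (hypothetical site) and return its path."""
    www = os.path.join(base, "example.com", "www")
    os.makedirs(os.path.join(www, "cgi-bin"))
    layout = {
        "index.html": 0o644,         # readable by everyone
        "private.txt": 0o600,        # already owner-only
        "cgi-bin/form.cgi": 0o755,   # executable CGI, too open
    }
    for rel, mode in layout.items():
        path = os.path.join(www, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)         # explicit chmod, independent of umask
    os.chmod(os.path.join(www, "cgi-bin"), 0o700)
    os.chmod(www, 0o771)             # the docroot mode the post describes
    return www


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, mode, wanted in audit_site(build_sample_tree(tmp)):
            print(f"{rel}: {mode} -> {wanted}")
```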