
Re: Fastcgi or apache-mpm-itk?



norbert_schuetz@bigfoot.com wrote:

> Hi Kim,
> 
>> You could always use open_basedir() to restrict file system operations.
>>
>> http://www.php.net/features.safe-mode
>>
>> That way you can make sure that your users won't be able to access files
>> outside of their home directory, but not forcing them to rewrite their
>> scripts because of a chroot().
>>
>> However, this has been removed in PHP 6...
> 
> Thx for your reply but I guess you didn't get the point I was aiming
> at: 

You are correct -- I blame it on caffeine deprivation... ;-)

> The idea is indeed not to force customers to rewrite their
> code -> in the case we decide to rearrange the directory structure
> for whatever reasons (failover could be one). With the (badly
> broken) safemode and open_basedir this is what you exactly do *not*
> get. All you get is problems all over the place (with so-called
> safemode I remember not being able to write files in
> /var/www/domain/htdocs/ while using '.' worked fine although
> both pointed to the same dir... but this might not be the place to
> discuss PHP problems ;-)
> 
> I was looking for a solution to have the users see, say, '/www' as
> their document root, mapping this to some directory of my choice.
> Mainly not as a security measure but for more system administration
> flexibility.

There is a way to do what you're asking for:

http://www.seaoffire.net/fcgi-faq.html#I-E

By letting SuExec chroot() into "/var/www/domain" when it spawns a new
process, your users' PHP scripts would see /htdocs as their web root
(physical location: /var/www/domain/htdocs) and nothing outside of their
root directory.

Since the chroot() is only done by SuExec when running scripts, you
won't have to put Apache libs in your jail. I'm unsure about PHP though.

Also remember to use an ftpd with chroot() support, like pureftpd or vsftpd.

Best regards,
Kim
-- 
|_|O|_|  Kim Christensen
|_|_|O|  Public key: http://rac.nu/kchr.asc
|O|O|O|  Web home:   http://blog.technopragmatics.org
--------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
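
The chroot step described in the message above, sketched as an added example; it is not code from the message, from SuExec, or from the linked FAQ. `jail_view` and `enter_jail` are hypothetical helper names, and the paths are the ones used in the thread.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Map a physical path to the path a jailed script would see.
 * Returns 0 and fills out, or -1 if phys is not inside jail. */
int jail_view(const char *jail, const char *phys, char *out, size_t outlen)
{
    size_t n = strlen(jail);
    while (n > 1 && jail[n - 1] == '/')
        n--;                                /* ignore trailing slashes */
    if (jail[0] != '/' || n < 2 || strstr(phys, ".."))
        return -1;                          /* conservative: refuse any ".." */
    if (strncmp(jail, phys, n) != 0 || (phys[n] != '\0' && phys[n] != '/'))
        return -1;                          /* /var/www/domain2 is outside */
    const char *rest = phys[n] ? phys + n : "/";
    if (strlen(rest) >= outlen)
        return -1;
    strcpy(out, rest);
    return 0;
}

/* Enter the jail, then drop privileges. Order matters: chroot() needs
 * root, chdir("/") moves the cwd inside the new root, and the uid is
 * dropped last because setgroups()/setgid() also need root. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                          /* never run user scripts as root */
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)
        return -1;                          /* root must not be regainable */
    return 0;
}

int main(void)
{
    char seen[256];
    if (jail_view("/var/www/domain", "/var/www/domain/htdocs", seen, sizeof seen) == 0)
        printf("script sees: %s\n", seen);
    return 0;
}
```

`enter_jail` only succeeds when called as root, which is the position a setuid wrapper is in just before it executes the user's script.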

