
Re: advice request for shared hosting and security issue



On 06/24/2013 07:12 PM, Oğuz Yarımtepe wrote:
> If there is a howto for a sample vhost, it would be great.

Here's an example vhost:

<VirtualHost 1.2.3.4:80>
        ServerName www.example.com
        DocumentRoot /var/www/example.com/subdomains.aufs/www/html
        ScriptAlias /cgi-bin /usr/lib/cgi-bin
        php_admin_flag engine off
        AddHandler php-cgi-wrapper .php
        Action php-cgi-wrapper /cgi-bin/sbox
        AddHandler python-cgi-wrapper .py
        Action python-cgi-wrapper /cgi-bin/sbox
        AddHandler ruby-cgi-wrapper .rb
        Action ruby-cgi-wrapper /cgi-bin/sbox
        AddHandler ruby-cgi-wrapper .pl
        Action ruby-cgi-wrapper /cgi-bin/sbox
        ErrorDocument 404 /sbox404/404.php
        ErrorDocument 400 /sbox404/406.php
        ErrorDocument 406 /sbox404/406.php
        ErrorDocument 500 /sbox404/406.php
        ErrorDocument 501 /sbox404/406.php
        Options +ExecCGI
</VirtualHost>

As you can see, mod_php is completely disabled (since it is going to use
the CGI version inside the vhost chroot).

Then you would mount /var/www/example.com/subdomains.aufs/www this way:

mount -t aufs -o \
br:/var/www/sites/example.com/subdomains/www=rw:/path/to/your/template=ro \
none /var/www/sites/example.com/subdomains.aufs/www

You can see how to populate the template over here:
http://git.gplhost.com/gitweb/?p=dtc.git;a=blob;f=admin/create_sbox_bootstrap_copy;h=be51f47c40180079dde1f842f36d3f315e24bd2e;hb=3a2f4c82259e986aac4ed6b91088b5d6c321a72d

and here:
http://git.gplhost.com/gitweb/?p=dtc.git;a=blob;f=admin/update_sbox_bootstrap_copy;h=1e02fb47fc64d802b82956021fac6d8d600c9af5;hb=3a2f4c82259e986aac4ed6b91088b5d6c321a72d

My patch for apache (for the AllowOverrideList support in Apache 2.2) is
available over here:
http://archive.gplhost.com/debian/pool/squeeze/main/a/apache2/

Note that it should be possible to use SBOX together with php-fpm, but I
haven't tried. Also, only php, perl, python and ruby scripts will be
executed by the wrapper; other types of content (image, html, css, etc.)
will use Apache normally, which is great for performance.

Cheers,

Thomas Goirand (zigo)
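
An added example, not part of the message above and not code from DTC or SBOX: a small Python check that a vhost written this way really has mod_php switched off and sends every AddHandler name to the /cgi-bin/sbox wrapper through a matching Action. The function name audit_vhost and the sample text are constructed for illustration.

```python
# Constructed sample: the directives from the vhost above that the check reads.
SAMPLE_VHOST = """\
<VirtualHost 1.2.3.4:80>
        ServerName www.example.com
        php_admin_flag engine off
        AddHandler php-cgi-wrapper .php
        Action php-cgi-wrapper /cgi-bin/sbox
        AddHandler ruby-cgi-wrapper .rb
        Action ruby-cgi-wrapper /cgi-bin/sbox
        AddHandler ruby-cgi-wrapper .pl
        Options +ExecCGI
</VirtualHost>
"""


def audit_vhost(conf, wrapper="/cgi-bin/sbox"):
    """Return findings; an empty list means mod_php is off and every
    AddHandler name has an Action pointing at the wrapper."""
    handlers, actions, php_off = {}, {}, False
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive, args = parts[0].lower(), parts[1:]
        if directive == "addhandler" and len(args) >= 2:
            handlers.setdefault(args[0].lower(), []).extend(args[1:])
        elif directive == "action" and len(args) >= 2:
            actions[args[0].lower()] = args[1]
        elif directive == "php_admin_flag":
            if [a.lower() for a in args] == ["engine", "off"]:
                php_off = True
    findings = []
    if not php_off:
        findings.append("mod_php is not disabled with 'php_admin_flag engine off'")
    for name, exts in sorted(handlers.items()):
        target = actions.get(name)
        if target is None:
            findings.append(f"{name} {exts}: no Action, not routed to {wrapper}")
        elif target != wrapper:
            findings.append(f"{name} {exts}: Action is {target}, expected {wrapper}")
    return findings


if __name__ == "__main__":
    for finding in audit_vhost(SAMPLE_VHOST) or ["OK: all script handlers use the wrapper"]:
        print(finding)
```

A handler such as cgi-script that is added without an Action is reported, because Apache would then run those files itself rather than through the wrapper.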

