Re: [d-security] Apache Virtual Hosts Chroot ?

To: debian-isp <debian-isp@lists.netways.de>
Cc: debian-isp@lists.debian.org, debian-security@lists.debian.org
Subject: Re: [d-security] Apache Virtual Hosts Chroot ?
From: Christian Hammers <ch@debian.org>
Date: Tue, 25 Feb 2003 10:49:01 +0100
Message-id: <[🔎] 20030225094901.GA16147@westend.com>
Mail-followup-to: Christian Hammers <ch@debian.org>, debian-isp <debian-isp@lists.netways.de>, debian-isp@lists.debian.org, debian-security@lists.debian.org
In-reply-to: <[🔎] 3626546DC152134382A0A029C29365C6013931@net-mail.int.netways.de>
References: <[🔎] 3626546DC152134382A0A029C29365C6013931@net-mail.int.netways.de>

Hello

On Tue, Feb 25, 2003 at 10:15:15AM +0100, debian-isp wrote:
> - chrooting virtual hosts in apache ? 

We had great success with a tiny tool called sbox. All CGI/PHP requests
are rewritten to "/cgi-bin/sbox?..." This sbox then looks
to the files owner and changes it's uid to the one (if it's !=0). 
It also chroot's to the DocumentRoot.

As PHP is run as CGI as well, everything except plain .html is executed with 
the uid of the ftp root's owner.
This is by far the most secure (PHP-capable) setup I know. Except
user-mode-linux maybe :)

Some limitations: 
 - .shtml and some .htaccess options are not allowed though, but you can
   live without.
 - PHP will be slower of course but fast hardware is cheap enough.

bye,

-christian-

P.S.: Look at the archives, we had this discussion some times now..

Reply to:

References:
- Apache Virtual Hosts Chroot ?
  - From: "debian-isp" <debian-isp@lists.netways.de>

Prev by Date: Re: [SECURITY] [DSA 253-1] New OpenSSL packages fix timing-based attack vulnerability
Next by Date: Re: Apache Virtual Hosts Chroot ?
Previous by thread: Apache Virtual Hosts Chroot ?
Next by thread: Re: Apache Virtual Hosts Chroot ?
Index(es):
- Date
- Thread