Goal: user separation (but apache can't read what suPHP wrote)

Discussion in 'Installation/Configuration' started by berny, Apr 26, 2008.

  1. berny

    berny New Member

    Goal: user separation
    My goal is to achieve user separation such that no user can read files from a different web or vhost, neither through ftp nor through a shell account. At the same time Apache needs to be able to serve all the content it should serve. So ideally all files should be readable by the file-owner only (0400 or 0600).

    Means: suPHP?
    I tried to achieve this through the use of suPHP. I have suPHP configured to run any php-scripts with the user and group it belongs to. suPHP can execute all 0700 files and read and write all 0600 files. Up to here everything is going just as I expect it to.

    Problem: apache2 can't read files
    The problem begins when apache2 comes into play. It cannot read any file that is not world-readable. Apache still seems to use its default UID www-data and its default GID www-data. Thus it cannot read any files that are 0600 or 0640.

    Can apache2 assume a different UID per Vhost?
    I searched the apache2 website and the web and did not find any way to tell apache to take on a specific UID for a given Vhost. Is there a way to do this?

    Help!
    Is there anything I can do to achieve my goal? Maybe I'm trying to achieve the goal of user-separation the wrong way? What is the standard and/or smart way to do this?

    My configuration:

    apache2
    Code:
    zwei:~# apache2 -V
    Server version: Apache/2.2.3
    Server built:   Jan 27 2008 18:13:21
    Server's Module Magic Number: 20051115:3
    Server loaded:  APR 1.2.7, APR-Util 1.2.7
    Compiled using: APR 1.2.7, APR-Util 1.2.7
    Architecture:   32-bit
    Server MPM:     Prefork
      threaded:     no
        forked:     yes (variable process count)
    Server compiled with....
     -D APACHE_MPM_DIR="server/mpm/prefork"
     -D APR_HAS_SENDFILE
     -D APR_HAS_MMAP
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D APR_USE_SYSVSEM_SERIALIZE
     -D APR_USE_PTHREAD_SERIALIZE
     -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
     -D APR_HAS_OTHER_CHILD
     -D AP_HAVE_RELIABLE_PIPED_LOGS
     -D DYNAMIC_MODULE_LIMIT=128
     -D HTTPD_ROOT=""
     -D SUEXEC_BIN="/usr/lib/apache2/suexec"
     -D DEFAULT_PIDLOG="/var/run/apache2.pid"
     -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
     -D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"
     -D DEFAULT_ERRORLOG="logs/error_log"
     -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
     -D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"
    Code:
    zwei:~# cat /etc/apache2/httpd.conf 
    LoadModule suphp_module       /usr/lib/apache2/modules/mod_suphp.so
    suPHP
    Code:
    zwei:~# suphp -V
    suPHP version 0.6.2
    Code:
    zwei:~# cat /etc/suphp.conf 
    [global]
    ;Path to logfile
    logfile=/var/log/suphp.log
    
    ;Loglevel
    loglevel=info
    
    ;User Apache is running as
    webserver_user=www-data
    
    ;Path all scripts have to be in
    docroot=/
    
    ;Path to chroot() to before executing script
    ;chroot=/mychroot
    
    ; Security options
    allow_file_group_writeable=true
    allow_file_others_writeable=false
    allow_directory_group_writeable=true
    allow_directory_others_writeable=false
    
    ;Check wheter script is within DOCUMENT_ROOT
    check_vhost_docroot=true
    
    ;Send minor error messages to browser
    errors_to_browser=false
    
    ;PATH environment variable
    env_path=/bin:/usr/bin
    
    ;Umask to set, specify in octal notation
    umask=0077
    
    ; Minimum UID
    min_uid=100
    
    ; Minimum GID
    min_gid=100
    
    [handlers]
    ;Handler for php-scripts
    x-httpd-php=php:/home/admispconfig/ispconfig/tools/suphp/usr/bin/php-wrapper
    
    ;Handler for CGI-scripts
    x-suphp-cgi=execute:!self
    Vhosts_ispconfig.conf
    Code:
    zwei:~# cat /etc/apache2/vhosts/Vhosts_ispconfig.conf
    [...]
    
    #
    #
    ######################################
    # Vhost: www.domain.de:80
    ######################################
    #
    #
    <VirtualHost 213.133.108.249:80>
    SuexecUserGroup ardan web55
    ServerName www.domain.de:80
    ServerAdmin [email protected]
    DocumentRoot /var/www/web55/web
    ServerAlias ardan-heerkens.de
    DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
    Alias  /cgi-bin/ /var/www/web55/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    ErrorLog /var/www/web55/log/error.log
    AddType application/x-httpd-php .php .php3 .php4 .php5
    <Directory /var/www/web55/web>
      suPHP_Engine on
      suPHP_UserGroup ardan web55
      AddHandler x-httpd-php .php .php3 .php4 .php5
      suPHP_AddHandler x-httpd-php
      SetEnv php_safe_mode On
    </Directory>
    Alias /error/ "/var/www/web55/web/error/"
    ErrorDocument 400 /error/invalidSyntax.html
    ErrorDocument 401 /error/authorizationRequired.html
    ErrorDocument 403 /error/forbidden.html
    ErrorDocument 404 /error/fileNotFound.html
    ErrorDocument 405 /error/methodNotAllowed.html
    ErrorDocument 500 /error/internalServerError.html
    ErrorDocument 503 /error/overloaded.html
    AliasMatch ^/~([^/]+)(/(.*))? /var/www/web55/user/$1/web/$3
    AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web55/user/$1/web/$3
    </VirtualHost>
    
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You can try to enable suexec under management > server > settings in ISPConfig, but as far as I know it will affect only scripts that were executed.

    The default solution is to make your html pages and images (not the php scripts) world readable, as they should be accessed through the web interface anyway. Or you add the apache user to the group of the web, but that can be more insecure, as this might make your php scripts also visible to the apache server itself.

    Note: We are all able to read text in the default size.
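As an added example (not from either post and not ISPConfig's own code), here is a small POSIX shell audit for the layout till describes: PHP scripts owned by the vhost user and readable only by that user, static files world-readable so www-data can serve them, and nothing world-writable (which the suphp.conf above refuses). The docroot, file names and finding labels are constructed for the demo; it builds a throwaway tree under mktemp and passes the current user as the vhost user, since chown needs root.

```shell
#!/bin/sh
# Added audit helper for this thread; not code from the post or from ISPConfig.
# Checks one vhost document root against the layout till describes:
#   - *.php scripts: owned by the vhost user and NOT world-readable (suPHP runs
#     them as that user, so www-data never has to open them);
#   - everything else (HTML, images, ...): world-readable so Apache can serve it.
# It also flags world-writable files, which the suphp.conf above refuses
# (allow_file_others_writeable=false). Only POSIX find/printf/awk are needed.

# audit_docroot DOCROOT VHOST_USER
# Prints one "LABEL path" line per finding (sorted); prints nothing when the tree is clean.
audit_docroot() {
    docroot=$1
    vuser=$2
    {
        # -perm -004: "others" read bit set; -perm -002: "others" write bit set
        find "$docroot" -type f -name '*.php' -perm -004 \
            -exec printf 'PHP-WORLD-READABLE %s\n' {} \;
        find "$docroot" -type f -name '*.php' ! -user "$vuser" \
            -exec printf 'PHP-WRONG-OWNER %s\n' {} \;
        find "$docroot" -type f ! -name '*.php' ! -perm -004 \
            -exec printf 'STATIC-NOT-WORLD-READABLE %s\n' {} \;
        find "$docroot" -type f -perm -002 \
            -exec printf 'WORLD-WRITABLE %s\n' {} \;
    } | sort
}
# count_findings DOCROOT VHOST_USER -> prints the number of findings (0 = consistent)
count_findings() {
    audit_docroot "$1" "$2" | awk 'END { print NR }'
}
# make_sample_tree -> builds a constructed docroot under a temp dir and prints its path.
# Its files belong to whoever runs this, so the demo passes the current user as the
# vhost user; PHP-WRONG-OWNER can only fire on a real server where chown is possible.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/web/inc"
    : > "$d/web/index.html";     chmod 0644 "$d/web/index.html"     # ok: Apache can serve it
    : > "$d/web/logo.png";       chmod 0600 "$d/web/logo.png"       # Apache (www-data) gets 403
    : > "$d/web/inc/config.php"; chmod 0600 "$d/web/inc/config.php" # ok: owner-only script
    : > "$d/web/admin.php";      chmod 0644 "$d/web/admin.php"      # any ftp/shell user can read it
    : > "$d/web/upload.txt";     chmod 0666 "$d/web/upload.txt"     # anyone can alter it
    printf '%s\n' "$d"
}
# Demo on the constructed tree: expect three findings (logo.png, admin.php, upload.txt).
me=$(id -un 2>/dev/null || id -u)
root=$(make_sample_tree)
audit_docroot "$root/web" "$me"
echo "findings: $(count_findings "$root/web" "$me")"
rm -rf "$root"
```

Run it against a real docroot as `audit_docroot /var/www/web55/web ardan` (the vhost user from the config above); every STATIC-NOT-WORLD-READABLE line is a file Apache will answer with 403.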
     
