On Sun, Oct 29, 2006 at 03:20:25PM +0100, Aiko Barz wrote:
> Hello,
>
> I already discussed this subject on the list. There were several
> possible solutions for this subject and I have chosen one, which I would
> like to present now.
>
> The problem: I have several vhosts, which are used by several people.
> Apache is running with $UID 67. Users can access the system by using
> scponly, which is jailed into /var/www. No problem here so far.
> The issue was that all scripts had to be readable or even writeable for
> the Apache web server. So one hacked page could damage other vhosts by
> writing some PHP code to access the other vhosts within /var/www.
>
> My solution:
> 1. I got SuExec working within the chroot environment.
> (http://www.openbsdsupport.org/ApacheSuexecChroot.html)
> 2. I wrote a patch for suexec.c to handle *.php correctly.
> (http://files.haeckser.net/haeckser.net/suexec.patch)
> 3. I compiled PHP on my own with CGI support and moved the binary into
> the chroot.
> 4. I removed mod_php and mod_perl and set the Apache directives "User",
> "Group", "AddHandler cgi-script" and "Options +ExecCGI".
>
> Now, every PHP script has the permissions 700 and gets executed with its
> own $UID. I feel much better now. :)
I believe it is possible to set this up using FastCGI, which will actually be
(reasonably?) fast too. Yes, I am a FastCGI fanboy.

Joachim
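As an added example that is not part of this thread or of either poster's setup: a small audit script for the permission model Aiko describes. Once suexec runs each vhost's PHP as that vhost's own user, every *.php must be mode 0700 and owned by that user rather than by the Apache daemon's uid (67 on Aiko's system), and the vhost directory itself must not belong to Apache either. The script assumes one directory per vhost directly under the web root, owned by the vhost's user; the web root path, the helper names and the demo tree are my own choices.

```shell
#!/bin/sh
# Added audit script (not from the thread). Checks a web root laid out as
# WEBROOT/<vhost>/... against the suexec permission model: each vhost dir is
# owned by its user (not Apache), and every *.php is 0700 and owned by that user.

APACHE_UID=67   # uid the Apache daemon runs as on the poster's system

# Numeric owner of a path; ls -n is portable across GNU and BSD userlands.
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# audit_vhosts WEBROOT
# Prints one line per violation; returns 0 if the tree is clean, 1 otherwise.
audit_vhosts() {
    _root=$1
    _bad=0
    for _vhost in "$_root"/*/; do
        _vhost=${_vhost%/}
        [ -d "$_vhost" ] || continue
        _uid=$(owner_uid "$_vhost")
        if [ "$_uid" -eq "$APACHE_UID" ]; then
            echo "$_vhost: vhost directory is owned by the Apache uid $APACHE_UID"
            _bad=1
        fi
        # A script that is group/world accessible, or owned by another uid
        # (Apache's included), breaks the per-vhost isolation. One find pass
        # catches both; word splitting assumes paths without whitespace.
        for _f in $(find "$_vhost" -type f -name '*.php' \
                        \( ! -perm 700 -o ! -user "$_uid" \)); do
            echo "$_f: must be mode 0700 and owned by uid $_uid"
            _bad=1
        done
    done
    return "$_bad"
}

# Constructed demo tree (not a real /var/www): one clean vhost, one leaky one.
demo() {
    _d=$(mktemp -d)
    mkdir -p "$_d/good.example/htdocs" "$_d/bad.example/htdocs"
    : > "$_d/good.example/htdocs/index.php"; chmod 700 "$_d/good.example/htdocs/index.php"
    : > "$_d/bad.example/htdocs/index.php";  chmod 644 "$_d/bad.example/htdocs/index.php"
    if audit_vhosts "$_d"; then echo "clean"; else echo "violations found"; fi
    rm -rf "$_d"
}

demo
```

Run it as root against the real web root to have the ownership checks mean something; as an unprivileged user only the mode check is exercised.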