Apache2 virtual users and Chroot?

Discussion in 'Server Operation' started by snowfly, Nov 13, 2009.

  1. snowfly

    snowfly Member

    Anyone know if it's possible to use virtual users (and virtualhosts) and chroot?

    Currently I run multiple sites, using apache2, all under the same user (www-data).
    And each virtualhost has:
    php_admin_value open_basedir /xx/yy/user/zz

    This is great for stopping users running php code on their site to try and read/write to other files outside their basedir.

    BUT.... There is a big BUT....
    This does not stop users uploading perl scripts (or similar), which can run, and of course read/write to files outside basedir, as the open_basedir is only for php scripts.

    So in any perl, cgi, or whatever scripts, the user could potentially cause major issues by running system commands that read, edit, or delete other files that exist under other virtualhosts!

    So is it possible to run some sort of chroot inside each VirtualHost?
    I looked at mod_chroot, but doesn't look possible.

    Any suggestions?

    Ideally I would like to stay using virtual users, instead of going down the path of creating system users for each site, normal apache chroot, etc.
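
The gap described in the post above (open_basedir confines PHP only, so CGI-enabled virtualhosts are not confined by it) can be audited from the Apache configuration. The following is an added example, not part of the original post; the sample config, hostnames, paths and the `audit` helper are constructed for illustration, and it inspects only directives inside each `<VirtualHost>` block.

```python
import re

# Constructed sample config, not from the original post; names and paths are placeholders.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName site-a.example
    php_admin_value open_basedir /srv/www/site-a
    ScriptAlias /cgi-bin/ /srv/www/site-a/cgi-bin/
</VirtualHost>
<VirtualHost *:80>
    ServerName site-b.example
    php_admin_value open_basedir /srv/www/site-b
    <Directory /srv/www/site-b/htdocs>
        Options -ExecCGI
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName site-c.example
    Options +ExecCGI
    AddHandler cgi-script .pl .cgi
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.I | re.M)
BASEDIR_RE = re.compile(r"^\s*php_admin_value\s+open_basedir\s+(\S+)", re.I | re.M)
# Directives that let non-PHP scripts run; open_basedir has no effect on those.
CGI_RES = [
    re.compile(r"^\s*ScriptAlias(?:Match)?\s", re.I | re.M),
    re.compile(r"^\s*(?:Add|Set)Handler\s+cgi-script\b", re.I | re.M),
    re.compile(r"^\s*Options\s[^\n]*(?<!-)\b(?:ExecCGI|All)\b", re.I | re.M),
]

def audit(conf):
    """Return {ServerName: {open_basedir, cgi, bypassable}} per <VirtualHost>."""
    findings = {}
    for i, block in enumerate(VHOST_RE.finditer(conf)):
        body = block.group(1)
        name = NAME_RE.search(body)
        basedir = BASEDIR_RE.search(body)
        basedir = basedir.group(1) if basedir else None
        cgi = any(rx.search(body) for rx in CGI_RES)
        findings[name.group(1) if name else f"vhost#{i}"] = {
            "open_basedir": basedir,
            "cgi": cgi,
            # open_basedir is set, yet CGI scripts can still reach other sites' files
            "bypassable": cgi and basedir is not None,
        }
    return findings

if __name__ == "__main__":
    for host, result in audit(SAMPLE_CONF).items():
        print(host, result)
```

Server-wide `ScriptAlias` or `Options` lines outside the virtualhost blocks, and `.htaccess` overrides, are not covered and need a separate check.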

