Goal: user separation (but apache can't read what suPHP wrote)

Discussion in 'Installation/Configuration' started by berny, Apr 26, 2008.

  1. berny

    berny New Member

    Goal: user separation
    My goal is to achieve user separation such that no user can read files from a different web or vhost, neither through ftp or a shell account. At the same time Apache needs to be able to server all the content it should serve. So ideally all files should be readable by the file-owner only (0400 or 0600).

    Means: suPHP?
    I tried to achieve this through the use of suPHP. I have suPHP configured to run any php-scripts with the user and group it belongs to. suPHP can execute all 0700 files and read and write all 0600 files. Up to here everything is going just as I expect it to.

    Problem: apache2 can't read files
    The problem begins when apache2 comes into play. It can not read any file that is not world-readable. Apache still seems to use it's default UID www-data and it's default GID www-data. Thus it can not read any files that are 0600 or 0640.

    Can apache2 assume a different UID per Vhost?
    I searched the apache2 website and the web and did not find any way to tell apache to take on a specific UID for a given Vhost. Is there a way to do this?

    Help!
    Is there anything I can do to achieve my goal? Maybe I'm trying to achieve the goal of user-separation the wrong way? What is the standard and/or smart way to do this?

    My configuration:

    apache2
    Code:
    zwei:~# apache2 -V
    Server version: Apache/2.2.3
    Server built:   Jan 27 2008 18:13:21
    Server's Module Magic Number: 20051115:3
    Server loaded:  APR 1.2.7, APR-Util 1.2.7
    Compiled using: APR 1.2.7, APR-Util 1.2.7
    Architecture:   32-bit
    Server MPM:     Prefork
      threaded:     no
        forked:     yes (variable process count)
    Server compiled with....
     -D APACHE_MPM_DIR="server/mpm/prefork"
     -D APR_HAS_SENDFILE
     -D APR_HAS_MMAP
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D APR_USE_SYSVSEM_SERIALIZE
     -D APR_USE_PTHREAD_SERIALIZE
     -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
     -D APR_HAS_OTHER_CHILD
     -D AP_HAVE_RELIABLE_PIPED_LOGS
     -D DYNAMIC_MODULE_LIMIT=128
     -D HTTPD_ROOT=""
     -D SUEXEC_BIN="/usr/lib/apache2/suexec"
     -D DEFAULT_PIDLOG="/var/run/apache2.pid"
     -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
     -D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"
     -D DEFAULT_ERRORLOG="logs/error_log"
     -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
     -D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"
    Code:
    zwei:~# cat /etc/apache2/httpd.conf 
    LoadModule suphp_module       /usr/lib/apache2/modules/mod_suphp.so
    suPHP
    Code:
    zwei:~# suphp -V
    suPHP version 0.6.2
    Code:
    zwei:~# cat /etc/suphp.conf 
    [global]
    ;Path to logfile
    logfile=/var/log/suphp.log
    
    ;Loglevel
    loglevel=info
    
    ;User Apache is running as
    webserver_user=www-data
    
    ;Path all scripts have to be in
    docroot=/
    
    ;Path to chroot() to before executing script
    ;chroot=/mychroot
    
    ; Security options
    allow_file_group_writeable=true
    allow_file_others_writeable=false
    allow_directory_group_writeable=true
    allow_directory_others_writeable=false
    
    ;Check wheter script is within DOCUMENT_ROOT
    check_vhost_docroot=true
    
    ;Send minor error messages to browser
    errors_to_browser=false
    
    ;PATH environment variable
    env_path=/bin:/usr/bin
    
    ;Umask to set, specify in octal notation
    umask=0077
    
    ; Minimum UID
    min_uid=100
    
    ; Minimum GID
    min_gid=100
    
    [handlers]
    ;Handler for php-scripts
    x-httpd-php=php:/home/admispconfig/ispconfig/tools/suphp/usr/bin/php-wrapper
    
    ;Handler for CGI-scripts
    x-suphp-cgi=execute:!self
    Vhosts_ispconfig.conf
    zwei:~# cat /etc/apache2/vhosts/Vhosts_ispconfig.conf
    Code:
    [...]
    
    #
    #
    ######################################
    # Vhost: www.domain.de:80
    ######################################
    #
    #
    <VirtualHost 213.133.108.249:80>
    SuexecUserGroup ardan web55
    ServerName www.domain.de:80
    ServerAdmin webmaster@domain.de
    DocumentRoot /var/www/web55/web
    ServerAlias ardan-heerkens.de
    DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
    Alias  /cgi-bin/ /var/www/web55/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    ErrorLog /var/www/web55/log/error.log
    AddType application/x-httpd-php .php .php3 .php4 .php5
    <Directory /var/www/web55/web>
      suPHP_Engine on
      suPHP_UserGroup ardan web55
      AddHandler x-httpd-php .php .php3 .php4 .php5
      suPHP_AddHandler x-httpd-php
      SetEnv php_safe_mode On
    </Directory>
    Alias /error/ "/var/www/web55/web/error/"
    ErrorDocument 400 /error/invalidSyntax.html
    ErrorDocument 401 /error/authorizationRequired.html
    ErrorDocument 403 /error/forbidden.html
    ErrorDocument 404 /error/fileNotFound.html
    ErrorDocument 405 /error/methodNotAllowed.html
    ErrorDocument 500 /error/internalServerError.html
    ErrorDocument 503 /error/overloaded.html
    AliasMatch ^/~([^/]+)(/(.*))? /var/www/web55/user/$1/web/$3
    AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web55/user/$1/web/$3
    </VirtualHost>
    
     
  2. till

    till Super Moderator

    You can try to enable suexec under management > server > settings in ISPConfig, but as far as I know it will affect only scripts that were executed.

    the default solution is to make your html pages and images (not the php scripts) world readable as the yshould be accessed trough the web interface anyway. Or you add the apache user to the group of the web, but that can be more insecure as this might make your php scripts also visible to the apache server itself.

    Note: We are all able to read text in the default size.
     

Share This Page