joerg

Hi,

actually I try to make my webserver-installation more secure. I've
something in mind, but don't know if it is possible and if so, how to do
it ;-)

Actually I have the following config:

Directory-Structure:

/var/www
domain1
conf
cgi-bin
web
htdocs
logs
domain2


I've installed mod_fastcgi in apache and uses suexec.
In each /var/www/domainx/cgi-bin I have a php-fcgi-starter-file, which
starts /usr/bin/php5-cgi.

Actually I see the following problem: I can run each "domain" under a
different user, but the developer within each "domain" can program
php-code to at least VIEW a lot of other things outside the
domain-directory.

Now I thought about the following:
If I can create a chroot-jail within /var/www/domainx/web and let
php5-cgi be executed within this chroot-jail, the developers would only
see there own directory structure like
var/www/domain1/web
etc
bin
usr
home

What I've get so far is, that I've created a chroot jail within the
web-directory. I can chroot to there and execute php (I used "jailer",
for this).

But I don't get it to work that mod_fastcgi starts the chroot-jail.

I googled a lot, but only found howtos and tutorials how to put the
complete apache into a jail, but this is not what I want. Each domain
have to be in its own jail.

Can someone help me / point me in the right direction?


Thanks in advance

Joerg Schoppet

jochem

hi Joerg,

not a solution but the open_basedir ini setting on a per Vhost
setting may offer a [partial] work around

joerg

Hi Jochem,


Joerg
Jochem Maas wrote:

joerg

Hi,

no more tips for this problem?


Joerg Schoppet

frank.arensmeier

Maybe the Apache mailing list is a better place to ask.

http://httpd.apache.org/userslist.html

//frank

16 nov 2007 kl. 12.20 skrev Joerg Schoppet: