Re: shared hosts and MP2 security
Nick *** wrote:
> Let's assume that I have a web server with 50 virtual hosts. This web server is apache2 running as user nobody and has php installed. I've set php's OPEN_BASEDIR option for every VHost, so I can restrict the users' IO access outside their directories. Now I want to install MP2 on the same server. I am setting a different interpreter pool for every VHost. And now how do I make sure that VHost1 user doesn't open($file, "<", "/www/VHost2/mysql_user_and_pass.pl").
You basically can't.
What you really want is running different vhosts under different user
accounts, and that's what the Apache2-bundled perchild MPM was meant for,
but that was never finished. There's also the metux MPM project which was
meant to replace the perchild MPM, but that project seems to be mostly dead,
too. Which is a pity, since this means one less major feature that might
have made users switch to Apache2.
I don't know what exactly PHP tries to do with open_basedir, but I don't
believe that it can achieve real security separation without using real user
accounts (and a quick web search confirms that).
Markus Wichitill 19:21 on 23 Dec 2004
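
An added example, not part of the original message or of mod_perl: a small Python audit of which files under each vhost root a given account can read, run once for a single shared server account and once for a separate account. The function names, the constructed directory tree and the second uid are assumptions made for illustration.

```python
import os
import stat
import tempfile

def can_read(mode, owner_uid, owner_gid, uid, gids):
    """POSIX mode-bit check: the first matching class (owner, group, other) decides."""
    if uid == 0:
        return True  # root bypasses mode bits
    if owner_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def readable_files(vhost_roots, uid, gids):
    """Map each vhost to the regular files under its root that `uid` may read."""
    # Simplification: checks the file's own mode bits only, not parent dirs or ACLs.
    report = {}
    for vhost, root in vhost_roots.items():
        hits = []
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if stat.S_ISREG(st.st_mode) and can_read(
                        st.st_mode, st.st_uid, st.st_gid, uid, gids):
                    hits.append(os.path.relpath(path, root))
        report[vhost] = sorted(hits)
    return report

def demo():
    """Constructed tree: two vhosts, each holding one placeholder credentials file."""
    with tempfile.TemporaryDirectory() as top:
        roots = {}
        for vhost, mode in (("VHost1", 0o644), ("VHost2", 0o600)):
            roots[vhost] = os.path.join(top, vhost)
            os.mkdir(roots[vhost])
            path = os.path.join(roots[vhost], "mysql_user_and_pass.pl")
            with open(path, "w") as fh:
                fh.write("# constructed placeholder, no real credentials\n")
            os.chmod(path, mode)
        me = os.getuid()
        shared = readable_files(roots, me, {os.getgid()})  # one account runs every vhost
        other = readable_files(roots, me + 1, set())       # hypothetical second account
        return shared, other

if __name__ == "__main__":
    print(demo())
```

With one account serving every vhost, both files are listed whatever their mode; only the run for the second account shows the 0600 file dropping out.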