On a Gentoo 3.2.12 server with apache2+php, there are several websites running:
/www
  /website1
  /website2
...etc
The apache user should have read-only access to all the websites. There are also a few folders inside each website where apache should have read-write access (upload folders and the like).
There are several people who work on these websites. Each person should have read-write access to the website(s) they work on, but not others. Also, they should be able to set permissions (within their websites) so that apache can write to some folders (well, if they create a new upload folder or something).
Other users shouldn't have access to /www at all.
Can this be done and how?
(PS. Also… since these people can upload PHP scripts which are then executed in the context of Apache, I guess they can access other websites too, indirectly… is it possible to secure this as well? I can't think of a way, but who knows…)
Best Answer
One way would be this:
- umask 0002, so the files they create are read/write for the group and readable for others by default.
- chmod a-rwx the root directory of each site, to prevent access by people outside the allowed group.
- setfacl -m user:apache:rx that directory to grant read access to the apache user, in addition to the other permissions.
As to the files created by the apache process:
- sudo to the apache user. Perhaps only to execute specific commands, e.g. add group write permissions using ACLs.
But as you stated, all of the read restrictions can be circumvented if users can run arbitrary scripts as the apache user. To counter that, you could try to have the scripts of one site executed as a specific user in the corresponding group. I believe there is a way to set this up using mod_fcgid. Otherwise apache[suexec] and php[cgi] might work for you.
To get even better isolation, you'd have to have multiple apache processes, running as different users, and perhaps even chrooted to different directories. Or in different OpenVZ units, or different Xen domUs, or on different hardware. As you can see, there are a lot of different isolation levels, each providing better isolation than the one before, at the cost of more resource demands.
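The group, umask and ACL part of the answer above, worked through as an added shell example that is not code from the original answer. It assumes a Linux host with the acl package (setfacl) installed, a web server account named apache as in the question, one developer group per site (website1-dev is a made-up name) created with groupadd beforehand, and a layout of /www/<site>/public with an uploads folder inside it. Site directories get mode 2770 (group rwx plus setgid so new files inherit the site group, nothing for others) rather than a-rwx, and the apache user is granted read access through an access ACL plus a matching default ACL so files the developers create later inherit the entry without anyone touching sudo. Where the apache user or the site group does not exist yet the script skips the chgrp/ACL step and says so, so the mode-bit part can be tried on any scratch directory first.

```shell
#!/bin/sh
# Added example: per-site permissions with a developer group, setgid
# directories and POSIX ACLs for the web server user. Not from the original
# answer. Assumes Linux, the acl package, a web server user "apache", and
# pre-created per-site groups such as "website1-dev" (hypothetical name).
# Developers additionally need "umask 0002" in their login profile.
set -eu

WWW_ROOT="${WWW_ROOT:-/www}"      # parent of all sites; never open to others
WEB_USER="${WEB_USER:-apache}"    # account the httpd worker processes run as

# Does the web server user and the site's developer group exist on this box?
principals_exist() {
  id "$WEB_USER" >/dev/null 2>&1 && getent group "$1" >/dev/null 2>&1
}

# Apply one ACL entry both as an access ACL (objects that exist now) and as
# a default ACL (inherited by everything created inside the directory later).
acl_set() {
  setfacl -R -m "$1" "$2"     # $1 = entry such as u:apache:rX, $2 = directory
  setfacl -R -d -m "$1" "$2"
}

# Create or fix /www/<site> for group <group>. Run as root in production.
setup_site() {
  site="$1"
  group="$2"
  dir="$WWW_ROOT/$site"

  mkdir -p "$WWW_ROOT" "$dir/public/uploads"
  chmod 0700 "$WWW_ROOT"                         # other users: no access at all
  find "$dir" -type d -exec chmod 2770 {} +      # rwx owner+group, setgid, o=
  find "$dir" -type f -exec chmod 0660 {} +      # rw owner+group, o=

  if principals_exist "$group"; then
    chgrp -R "$group" "$dir"
    # Let the server and the site's developers traverse /www, nobody else.
    setfacl -m "u:$WEB_USER:x" -m "g:$group:x" "$WWW_ROOT"
    acl_set "u:$WEB_USER:rX" "$dir"                # server reads the whole site
    acl_set "u:$WEB_USER:rwx" "$dir/public/uploads"  # and writes only here
  else
    echo "setup_site: user $WEB_USER or group $group missing, skipping chgrp/ACLs" >&2
  fi
}

# Run by a developer who owns a newly created upload folder: the file owner
# may edit the ACL, so no sudo is needed to let the server write there.
grant_upload() {
  setfacl -m "u:$WEB_USER:rwx" -m "d:u:$WEB_USER:rwx" "$1"
}

# Returns 0 when the site's directories carry the intended mode bits
# (drwxrws---) and /www grants nothing to "others". The first ten columns of
# ls -ld are checked; an ACL only adds a "+" after them.
check_site() {
  for d in "$WWW_ROOT/$1" "$WWW_ROOT/$1/public" "$WWW_ROOT/$1/public/uploads"; do
    [ "$(ls -ld "$d" | cut -c1-10)" = "drwxrws---" ] || return 1
  done
  [ "$(ls -ld "$WWW_ROOT" | cut -c8-10)" = "---" ] || return 1
  return 0
}

# Usage (as root): WWW_ROOT=/www sh site-perms.sh website1 website1-dev
if [ $# -ge 2 ]; then
  setup_site "$1" "$2"
  check_site "$1" && echo "ok: $WWW_ROOT/$1"
fi
```

Two caveats a practitioner will hit. First, files the server itself writes into uploads get apache's umask, not the developers', so whether a developer can later edit a server-written file depends on the umask httpd starts with (002 makes them group-writable via the setgid group). Second, none of this addresses the PS in the question: any PHP running as apache still reads every site the apache user can read, so the ACLs only hold up once scripts run per site under mod_fcgid or suexec as the answer says.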