Securing Apache on a linux server for safely hosting multiple users running php scores about a 9.9 on the complexity scale.
I’m not going to explain all the steps, but these are the things you’ll have to accomplish. I’m using Debian Lenny.
These steps refer to a user gordonc in the group gordonc.
Apache runs as user www-data in the group www-data.
- You’re going to need to install FastCGI and suExec support.
- You’re going to need to modify the source code for suexec-custom.c in the Apache source tree, compile it, and install the new copy of /usr/src/apache2/support/suexec-custom over /usr/lib/apache2/suexec in order to allow suexec to operate in a directory where the group permission does not match the user’s primary group. See the code to modify at the bottom of this post. When you do the ./configure on the Apache2 source, you’re going to have to specify an option to tell it where the suexec.log file lives.
- Your VirtualHosts will need to SuExecUserGroup gordonc gordonc so that CGI scripts will run in the user context of the owner of the site. The FastCGI module in Apache will create one or more processes to run the scripts and keep the processes running for a while in case they’re used again. This is the reason the CGI is fast — no need to start a new process for every page load.
- The directory for the user’s site must be a directory below the default site’s directory. This is a security imposed by suEXEC.
- The site’s directory should be owned by the user gordonc and the group www-data.
- The site’s directory must have the “set group” permission for the group. (see below)
- The site’s directory should not have any read nor execute privileges for other users.
- You’ll want to add umask 0027 to /etc/apache2/envvars to set the default umask for file creation in the process (so files created by php will be protected from other users by default).
- You’ll probably want to define the upload_tmp_dir for php so that it’s a directory that also has setguid. You can do that in your php5-fcgi script:
exec /usr/bin/php5-cgi –define upload_tmp_dir=`pwd`/tmp
You can see the permissions set as described in the graphic above.
This accomplishes:
- Apache can read the files it needs to read because all the files are readable by the www-data group.
- Php running under suEXEC can read files and create files running as the user gordonc.
- Any new files created (using php or uploaded by FTP, whatever) are automatically set to the correct group permission so everything keeps working. (see below)
- Since the php scripts run as the user and the user runs in his own group, php cannot be used to read other user php scripts (which may contain sensitive information, for instance WordPress stores mysql username and password in php).
Hopefully this will help you find what you need. Just Google Apache FastCGI and that will get you started.
Instead of using sticky set group on the directories, you can just put the apache user into the same group as the user under which php runs for the site. So, I would run this command to add my www-data user to the group gordonc:
usermod -a -G gordonc www-data
Then you don’t have to worry about it. Wow!! It only took me a year to get up to speed on this. 🙂
usermod -a -G gordonc www-data
Then you don’t have to worry about it. Wow!! It only took me a year to get up to speed on this. 🙂
Leave a Reply