Apache and multiple Virtual Hosts best practices

Nifty Hat Mitch mitch48 at sbcglobal.net
Thu Dec 16 22:00:09 UTC 2004


On Fri, Nov 19, 2004 at 06:31:21AM -0800, Eric Wagar wrote:
...
> I have an Apache web server with a few virtual hosts.  The ftp is
> handled by proftpd, and I have multiple users defined.  These users
> have their own uid and gid.  The problem comes when Apache is uid
> apache and need to write to the said directory.
....
> What are the other ways you guys have dealt with this?

My first pass thought on this is that "apache" should
not be able to write to dirs that contain CGI anything.

If so your users can write scripts to bypass your proftp 
access policy and audit trail.

When there is a need for a dir that apache can write to, OK.  Just not
the same set of dirs that your proftpd users can write to.  Give each
virtual host a tmp and var dir and admonish them to keep their
temporary files in their tmp area (see tmpwatch;
/etc/cron.daily/tmpwatch).  The var dir should be for their data that
varies over time under control of apache processes.

This sort of separation can help the sysadmin with backups...

In a virtual host world different virtual host users can install
scripts that look at files other virtual host users' scripts futz
with.  As long as they are not hostile to each other you should be OK.

Some rewrite rules could be used to simplify your user documents and
make all user environments look the same.

Read also about the 't' bit for dir permissions. 

     chmod -t:
       When the sticky bit is set on a directory, files in that
       directory may be unlinked or renamed only by root or their
       owner.  Without the sticky bit, anyone able to write to the
       directory can delete or rename files.  The sticky bit is
       commonly found on directories, such as /tmp, that are
       world-writable.


-- 
	T o m  M i t c h e l l 
	spam unwanted email.
	SPAM, good eats, and a trademark of  Hormel Foods.
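The layout the post recommends (owner-only writable content and CGI trees, a separate sticky-bit tmp and a var dir per virtual host), as an added example that is not part of the original message. The base path and the user/group pairing in the comments are assumptions; the script does no chown so it can run unprivileged, and `check_vhost` audits an existing tree against the policy.

```shell
#!/bin/sh
# Per-virtual-host directory layout following the advice above.
# Assumed layout: $base/htdocs and $base/cgi-bin belong to the ftp user
# (apache only reads/executes); $base/tmp and $base/var are the only
# places apache may write.  Paths are constructed examples.

setup_vhost() {
  base=$1
  mkdir -p "$base/htdocs" "$base/cgi-bin" "$base/tmp" "$base/var"
  chmod 755 "$base/htdocs" "$base/cgi-bin"  # owner writes, nobody else
  chmod 1770 "$base/tmp"   # group-writable + sticky: only a file's owner unlinks it
  chmod 770  "$base/var"   # apache-managed data that varies over time
  # In production (assumed): chown user:user htdocs cgi-bin
  #                          chown user:apache tmp var
}

# First ten characters of the ls mode string, e.g. drwxr-xr-x
mode_of() { ls -ld "$1" | cut -c1-10; }

# True when group (position 6) or other (position 9) has the write bit
group_or_other_writable() {
  case $(mode_of "$1") in
    d????w*|d???????w*) return 0 ;;
    *) return 1 ;;
  esac
}

# True when the sticky bit is set (shown as t or T in position 10)
has_sticky() {
  case $(mode_of "$1") in
    d????????[tT]) return 0 ;;
    *) return 1 ;;
  esac
}

# Audit one vhost tree; returns 0 when it matches the policy, 1 otherwise
check_vhost() {
  base=$1; rc=0
  for d in htdocs cgi-bin; do
    if group_or_other_writable "$base/$d"; then
      echo "FAIL: $base/$d writable beyond its owner (apache could drop a CGI there)"
      rc=1
    fi
  done
  has_sticky "$base/tmp" || { echo "FAIL: $base/tmp lacks the sticky bit"; rc=1; }
  return $rc
}
```

Run `check_vhost /path/to/vhost` from cron to catch a content or cgi-bin dir that was later opened up to the apache group.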