Isolation of virtual servers in apache2 — ugidctl
2 years, 11 months ago
Some time ago I built a solution for myself that effectively isolates apache2 processes. Apache can now process each request on behalf of a system user. Today I want to share this solution.
Here is what I am talking about:
ServerUserGroup user1 group1
ServerUserGroup user2 group2
At the same time, the root directories of the virtual hosts can be accessible only to the corresponding users:
# ls -la /var/www
drwxr-xr-x 4 root root 4096 Oct 26 16:10 .
drwxr-xr-x 21 root root 4096 Oct 26 01:13 ..
drwxr-x--- 2 user1 group1 4096 Oct 26 16:10 host1
drwxr-x--- 2 user1 group2 4096 Oct 26 16:10 host2
This is not yet another round of fiddly workarounds around multithreading, starting processes as root, and so on. The main idea is that the process itself decides which rights it needs to process a request, takes on those rights, processes the request, and then returns to the rights of the main apache user.