0

I am running some Wordpress blogs for friends/family on a linux box and I would like to prevent the compromise of one from being able to inflict damage to all. It hasn't happened yet, but one of the bloggers installs every add-in and theme she can find, one of them will inevitably contain a vulnerability--it's just a matter of time.

I am using the stock Amazon Linux Apache/PHP install so I basically have a bunch of preforked apache processes all running as the same user and the application directories are all owned by www-data. What I would prefer is for all installations to run as different users, but I would like to avoid having to dork with FastCGI. Is it possible to be isolate in that manner when using mod_php?

Edit: If there is a solution to that problem that doesn't involve separate uses for each directory, I am also fine with that. Any technique that works will be appreciated.

Improve this question

2 Answers 2

Reset to default
1

Virtual Machines are the key. Separate everybody or everything in it's own VM.

Improve this answer
2
  • These websites aren't busy enough to warrant that, would appreciate another solution. I just need to isolate them to a reasonable degree. Commented Dec 3, 2011 at 19:06
  • @Joel This is like "I want ice cream but not too cold". Either you want isolation or not. You are already afraid of compromising the machine. A compromised machine affects all websites independent of their theoretical isolation. Commented Dec 4, 2011 at 11:43
0

Yes it is possible. If you don't mind the speed hit, you can use MPM ITK to run each Apache as its own user (you'll need to set the proper filesystem ownership and permissions on each site's main directory so that other users can't get into it). That will allow you to still use mod_php. Be sure to read the "Quirks and Warnings" section on its homepage though (http://mpm-itk.sesse.net/) and make sure the pros outweigh the cons in your case.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.