0

I have set up Apache 2.2 + PHP 5.3.3 on CentOS 6.6 and am running virtual hosts with their document roots set up like /var/www/domainFoldername and their virtual host configuration in httpd.conf like:

    <VirtualHost IP:80>
        ServerName www.example.com:80
        ServerAdmin [email protected]
        DocumentRoot /var/www/ExampleFolder/web
        ServerAlias example.com
        ServerAlias *.example.com
        RewriteEngine on
        RewriteCond %{HTTP_HOST} !^www.example.com$
        RewriteCond %{HTTP_HOST} ^(.*).example.com$
        DirectoryIndex index.html index.htm index.php
        ErrorLog /var/www/ExampleFolder/log/error.log
        TransferLog /var/www/ExampleFolder/log/access.log
        AddType application/x-httpd-php .php
        php_admin_flag safe_mode Off
        ErrorDocument 400 /error/invalidSyntax.html
        ErrorDocument 401 /error/authorizationRequired.html
        ErrorDocument 402 /error/forbidden.html
        ErrorDocument 403 /error/forbidden.html
        ErrorDocument 404 /404.php
        ErrorDocument 405 /error/methodNotAllowed.html
        ErrorDocument 500 /error/internalServerError.html
        ErrorDocument 503 /error/overloaded.html
    </VirtualHost>

I am also using ACLs and have given Apache write access to /var/www because of file upload permission issues through scripts. The problem I am facing is one of security. I can run a script from the domain example.com and have it access files that exist in another domain's directory. I would think that scripts belonging to the domain example.com should only be able to access files within /var/www/example/, not within /var/www/someotherdomain. So, currently it's very insecure and I want to secure these things.

6
  • What do you mean by "execute php script in DomainName1 from DomainName2"? How exactly is the script called/executed? Commented Jul 15, 2015 at 17:46
  • Also, you have two RewriteCond but no RewriteRule, so there is no rewrite happening at all here. Commented Jul 15, 2015 at 17:46
  • Well, actually I have blog rewrite rules, but did not paste them as I thought they would be irrelevant to the actual question. Commented Jul 15, 2015 at 17:47
  • They probably are, so that was a good call. But I still don't understand exactly how the scripts are being executed. Commented Jul 15, 2015 at 17:50
  • @JennyD Like, if I would execute exec("tar -zcvf test.tar.zip /var/www/DomainName1Folder"); from DomainName2, it would create that asked tar.zip file in DomainName1. Commented Jul 15, 2015 at 17:56

1 Answer

0

You need to have Apache run scripts as different Linux user accounts based on which VirtualHost is being accessed. There are multiple solutions to this, for example suPHP, suEXEC, and others. Be sure you're not trying to run PHP as an Apache module (i.e. mod_php) because then it will run as the Apache user which has permission to any user's directory. Then you just need to make sure that each VirtualHost's user account can't access the other VirtualHosts' directories and only Apache's user account is able to.

To isolate things further if you wanted each Apache VirtualHost to run as its own user and not just scripts, you can use something like MPM ITK (though at the expense of speed and also trading off for some other security concerns as mentioned on the "Quirks and Warnings" section of its homepage).

You may want to check out CloudLinux (I think you can do an in-place upgrade of CentOS to it), and its CageFS and mod_lsapi offerings as the combination of those two offer good security and performance.

Another note: make sure you implement symlink attack protection to prevent one site from reading the files from the other via an Apache trick (CloudLinux has a kernel modification which provides protection against this, and there are other solutions as well such as disallowing FollowSymLinks altogether - see https://documentation.cpanel.net/display/EA/Symlink+Race+Condition+Protection if you want to read more about various approaches).

2
  • Thanks ... yes, these definitely are solutions. But with the kind of application I have, I can't use cPanel or CloudLinux. It must be a manually compiled Apache. Can I have Symlink Race Condition Protection without cPanel? Commented Jul 15, 2015 at 23:03
  • Yes, if you don't need to use symlinks, just turn off symlink support by setting Options -FollowSymLinks in your master httpd.conf. Make sure you have the AllowOverride directive configured so that individual sites can't override that setting by setting Options +FollowSymLinks in an .htaccess file. Commented Jul 15, 2015 at 23:14
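
One way to check the outcome the answer and the comment above describe, as an added example that is not part of the original posts: a Python audit that walks a web root (assumed layout: one directory per site, as with /var/www/ExampleFolder) and reports site directories whose mode grants access to "other" users, plus symlinks that resolve outside their own site. The function names and the sample tree are constructed for illustration, and the check reads mode bits only, not POSIX ACLs.

```python
import os
import stat
import tempfile

def audit_web_root(web_root):
    """Return (site, issue, path) findings for each site directory under web_root."""
    findings = []
    root = os.path.realpath(web_root)
    for site in sorted(os.listdir(root)):
        site_dir = os.path.join(root, site)
        if os.path.islink(site_dir) or not os.path.isdir(site_dir):
            continue
        # Any "other" permission bit lets every other site's user into this site.
        if stat.S_IMODE(os.stat(site_dir).st_mode) & 0o007:
            findings.append((site, "world-accessible", site_dir))
        # os.walk lists symlinks but does not descend into them by default.
        for dirpath, dirnames, filenames in os.walk(site_dir):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if not os.path.islink(path):
                    continue
                # A link that resolves outside its own site crosses the boundary.
                target = os.path.realpath(path)
                if os.path.commonpath([site_dir, target]) != site_dir:
                    findings.append((site, "symlink-escapes-site", path))
    return findings

def build_demo(base):
    """Constructed sample tree: siteA is locked down (0750), siteB is not (0755)."""
    for site, mode in (("siteA", 0o750), ("siteB", 0o755)):
        os.makedirs(os.path.join(base, site, "web"))
        os.chmod(os.path.join(base, site), mode)
    other_file = os.path.join(base, "siteA", "web", "config.php")
    open(other_file, "w").close()
    web_b = os.path.join(base, "siteB", "web")
    os.symlink(other_file, os.path.join(web_b, "link.txt"))   # leaves siteB
    os.symlink("index.php", os.path.join(web_b, "home.php"))  # stays inside siteB

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_root:
        build_demo(demo_root)
        for finding in audit_web_root(demo_root):
            print(finding)
```

Run it as root against the real web root so that every site directory is readable by the audit; an empty result means no site directory is open to "other" and no symlink leaves its site.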
