Running separate Apache processes

jariizumi

Here's my situation: I'm running a virtual hosting server, and I want to set the permissions so that only the user can view the source. Of course, whatever that needs to be served must be accessible by Apache, and whatever is accessible by Apache is accessible by PHP and anyone with PHP access can go run
passthru("/home/joe/public_html/secret.php");
and grab anyone's info, which defeats the purpose of lots of security measures.

The solutions recommended by everyone is either to run it as a CGI module and use suEXEC or to run separate processes with different uid's. Now how would you do this? I'm not familiar with starting things this way... and how would the virtual hosting be done if I do this? Apache will default to the default homepage if it's not hosting a particular homepage, so rather than passing a request onto the server that serves that page, it will just serve the default page from there... That is, without using separate IP's...

billford

Check the Apache manual but I don't believe you can run Virtual hosts under separate users with suExec with name based virtual hosting. Again check the manual but I believe that to be correct.

smarlowe

Actually, the manual explicitly covers this, and yes, you CAN run virtual servers with suEXEC, and you can even run PHP as a module under this, so you don't have to use the CGI version.

That's the most secure method, since it allows you to set home directory permissions to 600 so no one else can read your stuff.