I'm trying to secure a webserver, and I'm flooded with information (Google) that seems helpful, just not quite; there's always something that makes it not apply to me somehow, like markus1982@linuxquestions on 01-19-2003 12:33PM who's using Apache2...
I would have thought my situation totally run-of-the-mill:
Have RedHat
Have Apache 1.3.27
Have people I know but can't trust
Have to let them continue making websites with PHP and perl and even cgi (though I can cut down on the pure cgi's)
And the question is, what do I do to avoid these people messing with my machine and with each other? There is nothing today.
I didn't install the beast and I can't just turn things off for things will stop working...
Isn't this what every ISP out there has for letting their clients make web pages on the ISP's servers?
To compound my problems, I'm good at databases and mail servers and firewalls and scripts and such, but my Apache experience is limited to simple things for one trusted user.
So let's see where I am:
Every user has a UID (though I'd like to do away with that too), uploads with FTP chrooted to /www/userid/. The Apache Docroot of each user's website is at /www/userid/html/, with a ScriptAlias to /www/userid/cgi/. Apache isn't chrooted, would that help? Not against a malicious PHP or cgi going into other people's directories.
PHP safe_mode won't do much good if I manage to do away with UIDs, and won't be possible if I don't, because files created by uploading through PHP will be owned by apache and therefore not accessible, isn't that right?
PHP open_basedir seems to be real gold, I'll use that for PHP, but it won't help for the Perl.
For the Perl, I could use fastcgi and suexec and run everything under the UID, but it won't stop people from reading world-readable files and writing in /tmp and browsing other www directories unless I somehow chroot the fastcgi process to the /www/userid/ directory, right? Wouldn't that be a pain since I'd have to have a copy of the perl interpreter and everything for every single user?
If I use suexec for perl, couldn't I also use it for PHP?
On another note, isn't there a warning mode I could use to detect when something would not work using open_basedir, so that I could at least evaluate the number of people impacted by setting that?
I'm probably a bit overwhelmed here. Somebody been through this before?
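
An added example, not part of the original post: one per-user virtual host for the layout described above (docroot at /www/userid/html/, ScriptAlias to /www/userid/cgi/), combining open_basedir for mod_php with suEXEC for CGI on Apache 1.3. The user alice, the address 192.0.2.10, the hostname and the /www/alice/tmp directory are assumptions made for illustration.

```apache
# Constructed example for a hypothetical user "alice" (Apache 1.3 syntax).
NameVirtualHost 192.0.2.10

<VirtualHost 192.0.2.10>
    ServerName alice.example.com
    DocumentRoot /www/alice/html
    ScriptAlias /cgi-bin/ /www/alice/cgi/

    # With a working suEXEC wrapper, User/Group inside a VirtualHost make
    # CGI requests for this host run as alice instead of the Apache user.
    User alice
    Group alice

    # php_admin_value settings cannot be overridden from .htaccess or ini_set().
    # The trailing slash matters: without it the value is a prefix match and
    # would also allow sibling paths such as /www/alice2/.
    php_admin_value open_basedir /www/alice/

    # Keep PHP uploads and session files out of the shared /tmp.
    # /www/alice/tmp is an assumed directory; it must exist and be writable
    # by the Apache user, since mod_php still runs under that account.
    php_admin_value upload_tmp_dir /www/alice/tmp
    php_admin_value session.save_path /www/alice/tmp

    <Directory /www/alice/html>
        # CGI only from the ScriptAlias directory, no server-side includes,
        # and a narrow set of .htaccess overrides.
        Options -ExecCGI -Includes
        AllowOverride AuthConfig Limit
    </Directory>
</VirtualHost>
```

suEXEC only runs scripts located under the document root compiled into the suexec binary, so /www has to be inside it. open_basedir here constrains PHP only; Perl CGI running as alice can still read any world-readable file, which is a matter of filesystem permissions.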