I needed to secure websites on a FreeBSD server to stop ‘cross site contamination’, i.e. stopping virtualhost #1 modifying/reading data within virtualhost #2. In FreeBSD the solution (or at least one solution) appears to be apache22-itk-mpm.
Step 1. Install the port (I just accepted all the defaults)
# cd /usr/ports/www/apache22-itk-mpm # make install
Step 2. restart Apache
# service apache22 restart
Step 3. Modify your VirtualHost stanzas adding:
<IfModule mpm_itk_module> AssignUserId <user> <group> </IfModule>
So when you re-start Apache, the apache processes all appear to be owned by root to allow the setUID process to work. If you do not specify an ‘AssignedUserID’ then the apache default is used.
The last think to do is to rest the permissions of the user site in question. In order to stop other sites (including unassigned sites) reading the data I’ve use a very restrictive set of permissions. When you have moved to the web root for the VirtualHost:
find ./ -type d -exec chmod 700 {} \;
find ./ -type f -exec chmod 600 {} \;
I have some .cgi pages in some sites so once i had hosed all of the file permission i needed to make cgi scripts executable again but only by the owner:
find ./ -name \*cgi -exec chmod 0700 {} \;
I have read that there are some issues with cgi-bin directories which are really links, but if i run up against any issues, I’ll update the post.
