Slashdot Mirror


Isolated Apache Virtual Hosts?

An anonymous reader writes: "Anyone ever had to set up virtual hosting on a server that allows CGI execution, etc.? This seems to be simple, until you want to keep users out of each other's data. The Apache config seems straightforward enough, but I still haven't figured out the best way to set up the user groups on the box to keep them trapped in their areas and out of each other's business. I thought I could put each user in his own group to block prying eyes on the system side, then add the web user to all the other users' groups allowing him to get to their files, using suexec to prevent one user from using the web server to look at another user's files. This works well, but there seems to be a limit on the number of secondary groups a user can be a member of. So, the web user hits a wall at roughly 16 "customers" or user accounts. Any suggestions on how to improve on this and get beyond the limit? Or is there a better way to approach this than the group/suexec thing? Any pointers to online resources dealing with this type of config would be great..."
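
An audit for the scheme described in the question above, as an added example that is not part of the original post: it lists customer directories that leave any permission bit open to "other" and checks whether the number of groups the web user must join fits under the system's supplementary-group limit (`getconf NGROUPS_MAX`). The layout (one directory per customer directly under a vhost root) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit helpers for the one-group-per-customer layout.
# Assumed (hypothetical) layout: <vhost_root>/<customer>/ for each customer.

# List customer directories that grant read, write or execute to "other".
# With one private group per customer, every directory should be 0750 or
# tighter, so any line printed here is a directory other accounts can enter.
world_accessible_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Number of customer directories, which equals the number of supplementary
# groups the web server user needs under this scheme.
customer_count() {
    find "$1" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# Succeed only if <needed> groups fit within the supplementary-group limit.
# The limit defaults to the running system's NGROUPS_MAX; a second argument
# overrides it so an older or different target system can be modelled.
fits_group_limit() {
    needed=$1
    limit=${2:-$(getconf NGROUPS_MAX)}
    [ "$needed" -le "$limit" ]
}

# Combined report for one vhost root; returns non-zero if either check fails.
audit_vhost_root() {
    root=$1
    status=0
    open=$(world_accessible_dirs "$root")
    if [ -n "$open" ]; then
        echo "open to other users:"
        echo "$open"
        status=1
    fi
    n=$(customer_count "$root")
    if ! fits_group_limit "$n" "$2"; then
        echo "web user needs $n groups, over the limit"
        status=1
    fi
    return $status
}

# Usage: audit_vhost_root /path/to/vhosts [limit]
```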

2 of 46 comments

  1. VM servers? by TheLink · Score: 1, Interesting

    Putting them on physically separate machines is safest (and very expensive), but if the VM implementations are any good, then using VM servers might be a possible solution (not so expensive).

    While in theory you could give each user their own webserver in a single unix/linux machine, as far as I'm concerned once a user has an account on a typical Unix machine they can eventually get root if they want, so you might as well give them their own machine (virtual or otherwise). You can secure each machine reasonably for them at the start, but if they want to do silly things, hey, it's their machine.

    And I figure if the VM implementations are good, you should be able to migrate a user to his/her own physical machine reasonably easily for a higher priced "Gold" service. And more importantly back down again.

    And a platinum service could be one VM on many physical servers!

  2. Big Iron by Eagle7 · Score: 4, Interesting

    Simple - buy a low end S/390 (sorry - zSeries, stupid IBM marketing), get yourself a VM license, and just give each customer their own complete Linux box. Maintenance becomes really easy too, and it will never go down.

    Of course, there is a downside - $500,000 for the Iron, and some outrageous license fee for using VM.

    As an aside, I've heard the computer science dept. of one University was going to do this and give each student their own Linux box to use, as an alternative to shell accounts.

    You can see some Linux on VM/390 screenshots here.

    --
    _sig_ is away