
Preventing apache compromise from accessing all sites

Started by gossamer, September 06, 2022, 08:50:30 PM



gossamer

I have Apache and php-fpm configured on Fedora 35 and am hosting about a dozen Joomla websites. My concern is that, should one site compromise result in a shell in the document root as the site owner, they would then have access to other sites on the same server, running under the same Apache.

Can this be prevented?

I've set separate php-fpm users and owners of the content for each site, but apache has to be in each group, or it wouldn't be able to access them.

Can apache and php-fpm be configured to segment access for each domain to only the owner, without allowing access to other domains as part of being in the "apache" group?

Also, once they compromise the domain and obtain a shell as the apache user or site owner, they would then also have access to the site database, if not the database for all of the sites, just by viewing the configuration.php file.



Kailash

Yes, it can access other websites and data using PHP shell code. When you are hosting different websites, it is recommended to use an operating system like CloudLinux with CageFS to restrict it. Unless you have that type of restriction, it is possible to access any data and even critical system files like passwd etc.

- Kailash
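
An added example, not part of either post above: a small Python audit for the exposure gossamer describes, reporting where a site's document root or its `configuration.php` is reachable by accounts other than the owner. The group name `apache` and the docroot paths given on the command line are assumptions; the check reads permission bits only and does not evaluate ACLs or SELinux policy.

```python
import os
import stat

SENSITIVE = {"configuration.php"}  # Joomla config file named in the thread

def audit_docroot(docroot, shared_gids):
    """Flag permission bits that let accounts other than the owner in.

    shared_gids: gids of groups that the web server or other site users
    belong to (an input you supply, e.g. the gid of "apache").
    Returns a sorted list of (relative_path, issue) tuples.
    """
    findings = []
    top = os.lstat(docroot)
    if top.st_mode & stat.S_IXOTH:
        findings.append((".", "docroot traversable by any local user"))
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on a symlink carry no meaning
            rel = os.path.relpath(path, docroot)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if name in SENSITIVE:
                if st.st_mode & stat.S_IROTH:
                    findings.append((rel, "secret is world-readable"))
                if st.st_gid in shared_gids and st.st_mode & stat.S_IRGRP:
                    findings.append((rel, "secret readable by shared group"))
    return sorted(findings)

if __name__ == "__main__":
    import grp
    import sys
    # Usage: audit.py /var/www/site1 /var/www/site2 (paths are placeholders)
    shared = {grp.getgrnam("apache").gr_gid}  # assumes the group is "apache"
    for root in sys.argv[1:]:
        for rel, issue in audit_docroot(root, shared):
            print(f"{root}: {rel}: {issue}")
```

An empty result for every docroot means the mode bits alone do not expose one site's database credentials to another site's user or to the shared web server group.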
