The way I understood it, the main reason moving from Apache to Lightspeed is to have secure shared environment without compromising performance. However, it appears that it cannot be done with Lightspeed, unless I'm doing something wrong. Please let me know whether I’m indeed missing something important. Here is what I've got:
What I’m trying to achieve is to prevent user01 running on domain01.com something simple as test-access-permissions.php :
<?
header('Content-Type: text/plain');
print file_get_contents ('/var/www/site02/db.inc.php');
?>
to view source code of db.inc.php belonging to user02 who is hosting his files on domain2.com
Here is my setup:
Two virtual hosts domain1.com domain2.com with docroots residing on
/var/www/site01 (user01:nobody 750)
/var/www/site02 (user02:nobody 750)
For domain1 and domain 2, respectively
test-access-permissions.php user01:nobody 640
dn.inc.php user02:nobody 640
Litespeed running as nobody:nobody
I created two virtual hosts using web console and changed ‘force gid’ to 90000 which corresponds to
nogroup:x:90000: in /etc/group file
Security settings for both domains are set to
Symbolic Link = Yes
Enable Scripts/ExtApps = Yes
Restrained = Yes
ExtApp Set UID Mode = DocRoot UID
ExtApp Chroot Mode = Virtual Host Root
ExtApp Chroot Path = Not Set
What I expect to see is this: when user01 trying to view files of user02 he should get some kind of ‘permission denied’ error. /var/www/site02 should be readable only to web server and user02 but not accessible by user02 because 'force gid' rule is in place.
But in fact all I need for my setup is for user01 to view files of user02 is to run the above mentioned script.
Please advise.
PS
My ‘Load Apache Configuration’ is set to NO. So I’m not using any Lightspeed capabilities which would help me to utilize existing Apache’s configuration files.
What I’m trying to achieve is to prevent user01 running on domain01.com something simple as test-access-permissions.php :
<?
header('Content-Type: text/plain');
print file_get_contents ('/var/www/site02/db.inc.php');
?>
to view source code of db.inc.php belonging to user02 who is hosting his files on domain2.com
Here is my setup:
Two virtual hosts domain1.com domain2.com with docroots residing on
/var/www/site01 (user01:nobody 750)
/var/www/site02 (user02:nobody 750)
For domain1 and domain 2, respectively
test-access-permissions.php user01:nobody 640
dn.inc.php user02:nobody 640
Litespeed running as nobody:nobody
I created two virtual hosts using web console and changed ‘force gid’ to 90000 which corresponds to
nogroup:x:90000: in /etc/group file
Security settings for both domains are set to
Symbolic Link = Yes
Enable Scripts/ExtApps = Yes
Restrained = Yes
ExtApp Set UID Mode = DocRoot UID
ExtApp Chroot Mode = Virtual Host Root
ExtApp Chroot Path = Not Set
What I expect to see is this: when user01 trying to view files of user02 he should get some kind of ‘permission denied’ error. /var/www/site02 should be readable only to web server and user02 but not accessible by user02 because 'force gid' rule is in place.
But in fact all I need for my setup is for user01 to view files of user02 is to run the above mentioned script.
Please advise.
PS
My ‘Load Apache Configuration’ is set to NO. So I’m not using any Lightspeed capabilities which would help me to utilize existing Apache’s configuration files.
Last edited:
With the original 3.3.24 version I managed to prevent users from accessing files outside their domains and to even lock some users inside their directories, using php_admin_value and open_basedir, as per your suggestion in other post. However, with the new binary and old setup I'm getting some strange results.