In setting up a hosting environment with multiple sites that should be isolated from each other, I did the obvious step of having PHP be configured so it runs as the user that's associated with each website rather than as the Apache user, but is there some way to be sure there's no way that one site can run a script written in some other language (e.g. Python) as the Apache user? I've seen clever attacks like the symlink attack which uses .htaccess rules and a symlink to trick Apache into serving PHP files from other websites as plaintext (this isn't related to the question, just an example), and since I'm not very familiar with the setup of server-side languages other than PHP, I didn't know what to check and/or prohibit such as via the Apache conf file in order to make sure scripts written in other languages can't be run as the Apache user.
For example, even though PHP is set to run as the website user, if a website got hacked, could the hacker create an .htaccess file which sets .abc files to run as Perl scripts and if things aren't configured properly on the server, then those run as the Apache user?
What's the best way to approach this?
So your main concern is that compromised one account cannot do anything bad to other accounts.
PHP and file permissions
If PHP is configured to run as different user for each domain, then your directories should set-up such that it doesn't have write access to anything outside its own domain. Then using PHP (or any other commands invoked via PHP) it can't do any harm to rest of the server.
Best practice is to have the scripts be owned by user1, but PHP to run under user2. For customer access, FTP should be configured for user1. User2 should be given write access only to specific directories where really needed (cache dir, generating thumbnails, file uploads via PHP).
But many people start to install Wordpress and other CMS, don't know what to do and give write access to everything (then badly written CMS plugin can compromise all php scripts for that domain). Wordpress and other CMS nowadays support install/upgrade even without write permissions for the PHP process (they just ask for FTP login and automatically use it).
Another best practice is to block direct web access to those directories where user2 has write access. File uploads should be checked by your script, and only if valid, moved to directory accessible from outside (otherwise someone can upload PHP script instead of JPG image and could fool your webserver to execute it).
Apache
Use Apache's
AllowOverride Nonedirective to disable usage of the.htaccessfile, so that attackes cannot configure running of other CGI scripts. Apache should have only read access to the served files (PHP config files containing passwords don't need read permissions for Apache). With.htaccessdisabled, user has no means of changing the Apache configuration.Use
Options -FollowSymLinks(or-SymLinksIfOwnerMatch) to prevent the symlink "attack".Install
mod_securityto watch for suspicious activity and block hacking attemps like SQL injection.EDIT: If
.htaccessis needed, you need to decide what options your hosting will support and enable only those. Examples of commonly used options which are safe include (list them inAllowOverride):Deny from alldirective to deny access to part of the dirs)FollowSymLinks, but it seems it works also with this one); besides mod_rewrite use, Apache would only follow the symlink if the destination file/dir is owner by the same user as the symlink itself.From reading http://httpd.apache.org/docs/2.4/misc/security_tips.html it appears that if suexec is being used properly, then CGI scripts being executed as the Apache user should not be a concern as they will get executed under the user defined by the suexec directives instead.