Account isolation in Hiawatha

8 December 2016, 21:21
Hi Hugo,

We are a small web development business and we offer free hosting for all our clients..

When we started, we decided that it was best to isolate each client (domain) inside their own FreeBSD jail so if a web application get compromised, then it is contained and cannot affect our other clients..

So far, we have 21 jail all running their own webserver and version of php but all sharing 1 common database (also in a jail).

This setup sounded like a good idea at the time but as we are starting to grow, we found a few issue with it and struggling with managing it all...

So the question is this:
Can domain isolation be achieve in hiawatha using
VirtualHost {
WrapCGI =

Wrap = ; /usr/local/www/ ; 80:80
and php-fpm
php_admin_value[open_basedir]      = /usr/local/www:/usr/local/php/7.0/lib/php

Am I correct to think that If I set WrapCGI then the hacker cannot go out of the path specified in cgi-wrapper.conf?

Can you offer any advise on how to run secure web environment?

Thank you
Hugo Leisink
11 December 2016, 13:48
Hiawatha's cgi-wrapper can change the user id of the CGI process, but also place it in a chroot. A chroot is not the same as a jail. Running PHP in a chroot environment requires a copy of all the required PHP files inside each chroot. Quite some work...

The disadvantage of the cgi-wrapper is that it's much slower than FastCGI. You can also try running multiple PHP FastCGI daemons, each with its own user id. But that requires a lot of memory.
This topic has been closed.