I am trying to set up a dedicated Ruby on Rails server on Debian Sarge,
with Apache 2 and mod_fcgid. There are 2-3 applications on this server,
using virtual hosts. For now, everything works fine.
However, I would like to secure this a little bit more. What I would
like is to prevent one of the web apps from running a shell command to read
one of the other apps’ source files, or worse, modify them. With PHP, there
was basedir which did the job if I remember correctly.
So, what I would like is a way to ‘chroot’ all fcgid processes from one
app to the app’s directory. Could suexec do the job? I couldn’t find any
tutorial… I don’t really need the fcgid process to be run as a special
user, I just need it to be unable to access what it should not access.
Thank you in advance.