mod_nsjail is an Apache module, based on mod_ruid2, that allows an Apache process to run entirely within a namespaced environment. It uses Linux namespaces to provide a greater (theoretical) level of security, similar in practice to what containerization products such as LXC or Docker do.
- download and install latest libcap from here
- run /apachedir/bin/apxs -a -i -l cap -c mod_nsjail.c
- configure httpd.conf
- restart apache
- NsJailEnableSetUidGid <On|Off> - enable or disable setting the UID/GID for a location.
- RUidGid user|#uid group|#gid - when RMode is config, switch to this uid and gid.
- RMinUidGid user|#uid group|#gid - when the configured uid/gid is lower than this minimum, use the default uid/gid instead.
- RDefaultUidGid user|#uid group|#gid - the uid and gid to fall back to.
- RGroups group1 group2 - additional groups set via setgroups.
  - @none - clear all previously defined groups.
- RDocumentChRoot - set the chroot directory and the document root inside it.
LoadModule nsjail_module modules/mod_nsjail.so
User apache
Group apache
RGroups apachetmp
RDocumentChRoot /home /example.com/public_html

NameVirtualHost 192.168.0.1

<VirtualHost example.com>
    ServerAdmin webmaster@example.com
    RDocumentChRoot /home /example.com/public_html
    ServerName example.com
    ServerAlias www.example.com
    RUidGid user1 group1
    RGroups apachetmp

    <Directory /home/example.com/public_html/dir/test>
        RUidGid user2 group2
        RGroups groups1
    </Directory>

    <Directory /home/example.com/public_html/dir/test/123>
        RUidGid user3 group3
    </Directory>

    <Location /yustadir>
        RUidGid user4 user4
        RGroups groups4
    </Location>
</VirtualHost>

<VirtualHost example.net>
    ServerAdmin webmaster@example.net
    DocumentRoot /home/example.net/public_html
    ServerName example.net
    ServerAlias www.example.net
</VirtualHost>
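The following is an added model (not part of mod_nsjail or its README) of how the directives above combine for a request, using the nested contexts from the example configuration with constructed numeric ids. It assumes contexts nest by path prefix with the most specific one winning, that RMinUidGid/RDefaultUidGid are applied to uid and gid separately, and that a path with no RUidGid at all runs as RDefaultUidGid; the `legacy` context is a constructed misconfiguration showing the minimum-id rail and `@none`.

```python
"""Model of how mod_nsjail's RUidGid, RMinUidGid, RDefaultUidGid and RGroups
combine for one request path. Constructed example, not the module's own code.
Assumptions: numeric ids; contexts nest by path prefix with the most specific
one winning; min/default are applied to uid and gid separately."""
from typing import List, Optional, Tuple

UidGid = Tuple[int, int]
MIN_UIDGID: UidGid = (1000, 1000)  # RMinUidGid (constructed values)
DEFAULT_UIDGID: UidGid = (48, 48)  # RDefaultUidGid (constructed: the apache user)

# (path prefix, RUidGid or None, RGroups tokens), mirroring the page's example
SCOPES = [
    ("/", None, ["apachetmp"]),                                       # server level
    ("/home/example.com/public_html", (1001, 1001), ["apachetmp"]),   # VirtualHost
    ("/home/example.com/public_html/dir/test", (1002, 1002), ["groups1"]),
    ("/home/example.com/public_html/dir/test/123", (1003, 1003), []),
    # constructed misconfiguration: uid 0 requested and groups reset with @none
    ("/home/example.com/public_html/legacy", (0, 1001), ["@none", "legacytmp"]),
]

def apply_minimum(uidgid: UidGid, minimum: UidGid = MIN_UIDGID,
                  default: UidGid = DEFAULT_UIDGID) -> UidGid:
    """RMinUidGid: an id below the minimum is replaced by the RDefaultUidGid one."""
    uid, gid = uidgid
    return (uid if uid >= minimum[0] else default[0],
            gid if gid >= minimum[1] else default[1])

def merge_groups(inherited: List[str], tokens: List[str]) -> List[str]:
    """RGroups accumulate down the hierarchy; '@none' clears everything so far."""
    groups = list(inherited)
    for tok in tokens:
        if tok == "@none":
            groups.clear()
        elif tok not in groups:
            groups.append(tok)
    return groups

def resolve(path: str, scopes=SCOPES) -> Tuple[UidGid, List[str]]:
    """Walk the contexts covering `path` from outermost to innermost."""
    # Match on a directory boundary so /dir/test does not also cover /dir/testing.
    matching = sorted((s for s in scopes if path.startswith(s[0].rstrip("/") + "/")),
                      key=lambda s: len(s[0]))
    uidgid: Optional[UidGid] = None
    groups: List[str] = []
    for _prefix, scope_uidgid, scope_groups in matching:
        if scope_uidgid is not None:
            uidgid = scope_uidgid
        groups = merge_groups(groups, scope_groups)
    # No RUidGid anywhere on the path: the request runs as RDefaultUidGid.
    return apply_minimum(uidgid or DEFAULT_UIDGID), groups
```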