[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

privileges problem

Also, stock 2.4.x series kernel limits supplementary groups to 32.  There
would be a per-process penalty for increasing that limit.  You could patch
apache to include the supplemental groups when it forks children (if it does
not do this already..), but overall that is a bad solution.

See NGROUPS in include/linux/limits.h and other lines containing NGROUPS /
NGROUPS_MAX in the source if you want to go ahead with your idea.

If your users' data really can't be world-readable, your remaining option is
to run seperate httpd's for customers with these large privacy concerns.
Note that most of the time, though, your customers just don't want people
copying their whole directory structures and stealing content whole-sale.
This can be accomplished by other means, anyway, but you can give yor
customers some comfort by simply instructing them to set all their
directories with permissions o-r.

Note that CGIs/SSIs will be a security concern for you.  You had better use
suEXEC or something else such that customers cannot execute their CGI
programs as the user/group apache's children run as, if you rely on that for
your privacy/security mechanism...

- jsw

-----Original Message-----
From: Russell Coker [mailto:russell@coker.com.au]
Sent: Sunday, June 24, 2001 5:02 AM
To: :yegon; debian-isp@lists.debian.org
Subject: Re: privileges problem

On Saturday 23 June 2001 14:40, :yegon wrote:
> while configuring dynamic virtual hosting (with mod_vhost_alias) on a
> new server i ran into this problem
> i create a new group named g(username) for each new virtual web, I set
> all user files to chmod 640 to avoid them to be read by another user
> my apache server runs as www-data so i need to add user www-data to
> each virtual web group to be able to serve its documents

Supplementary groups are only read by login, su, and other programs that
change UID etc.  They can only be changed by a root process so once the
program is running as UID != 0 it can't be changed.

> this all works fine but
> when I create a new virtual web, that means a new group, user and home
> directory and try to access its documents via http I get this error in
> the apache error.log
> is there a way to somehow refresh this info for the running process
> without restarting it?


> do you have another suggestion?

Why do you need to have a separate GID for each web space?  Why not just
have the files owned by the GID for Apache and the UID for the user?

Another solution would be to make all the files owned by the UID of
Apache and the GID of the user and mode 660...

http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact

Reply to: