[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: users in apache

On Mon, Apr 08, 2002 at 07:23:47PM +0200, Michal Novotny wrote:
> Is it possible to run/switch apache to user defined by User directive?
> Situation:
> Apache running www-data.www-data
> In home dirs users have their data (html etc.) with permission 600 and
> with user.www-data
> Now it is not possible to get any html (permission denied) ofcourse,
> because of permissions, but I don't want to set it 660, because then
> other user in that group can read/overwrite data/htmls.

all files to be served by apache *MUST* be readable by user and/or group
www-data.  all directories in the path to the files *MUST* be readable
and executable by user and/or group www-data.

this means that they should either be owned by www-data and at least
mode 400 (or 500 for directories), or they should be in group www-data
and at least 440 (or 550 for directories).  alternatively, files must be
world-readable and directories must be world readable & executable.

the default is for files to be owned by the user, and mode 644 and for
directories to be owned by the user and mode 755.

you don't have any choice in this.  if you want to serve pages, then the
pages must be accessible by the apache process.  or, to put it another
way, apache can't serve a file it doesn't have permission to access.

for CGI scripts, you can use suexec (comes with apache) or cgiwrap
(separate package) or similar program to make the script run as a
particular user.  as a security precaution, both suexec and cgiwrap have
quite strict policies on what they will run...but cgiwrap is more


craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch

To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: