
Re: Apache/PHP/FTP and user rights

(oops, sent it directly to nicolas instead of the list - resent to the list
for other people's benefit)

I resigned myself to using cgi-php, mainly because I didn't want users'
scripts running as the webserver (somewhat of a security risk as then all
files readable by the webserver become readable to users' php scripts), but
also to solve the problem of users' files not belonging to them.

My install requires each user to have a copy of the interpreter in their own
website's cgi-bin, under /www/<their-site-url>/cgi-bin - It does mean 2.4mb
or so used by each user, but I just credit them the extra quota, and really,
2.4mb isn't so much these days.

To change the path you're allowed to use suexec on (because I don't believe
you actually use /var/www - do you?) simply recompile it with the different
path, and drop it into apache's lib directory. Don't forget to back up your
new suexec when you upgrade apache, because apache will overwrite it again!

If you need more detailed directives on recompiling suexec for an
alternative path let me know and I'll dig the info out.


Phillip Baker
LC Host Administrator

----- Original Message -----
From: <nbougues-listes@axialys.net>
To: <debian-isp@lists.debian.org>
Sent: Thursday, August 01, 2002 2:40 PM
Subject: Apache/PHP/FTP and user rights

> Dear all,
> I'm facing a problem I thought would be fairly easy to deal with, but
> haven't found a proper solution. Here it is :
> We have a web server hosting a few tens of customers using
> VirtualHosts. We have mod_php and use FTP for updates, each customer
> having its own UID.
> Thus :
> - customers' files are uploaded with user.user rights.
> - Apache runs as www-data.www-data
> The problem is that with that kind of setup, Apache can't create files
> in dirs owned by user.user. Even by switching files from user.user to
> user.www-data, if a file is created by Apache it won't be deletable by
> FTP.
> What we consider the "right" solution would be to have Apache run as
> user.user in each virtual host. This seems to be doable with
> User/Group directives. Unfortunately :
> - mod_php doesn't honor that
> - using a CGI php requires the use of suEXEC, which in turn requires
>   that the php4 parser be installed in /var/www (hardcoded
>   documentroot) and that it belongs to user.user, which is quite
>   annoying.
> I tend to think that what I want to do is not something quite
> unusual. Maybe I missed a straightforward point somewhere. I hope
> somebody will be able to point me to the right direction.
> --
> Nicolas Bougues
> Axialys Interactive
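
The suEXEC constraints raised in this thread (a compiled-in docroot, and an interpreter that must belong to the site's own user), as an added example that is not part of either message: a pre-flight audit of a per-site CGI interpreter against the ownership and permission conditions from Apache's suEXEC security model. The helper name `check_suexec_target` is hypothetical, GNU `stat` is assumed, and the docroot, program path, UID and GID are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): audit a per-user CGI interpreter against
# suEXEC's documented conditions. Assumes GNU stat, as shipped on Debian.
# check_suexec_target is a hypothetical helper name.

# usage: check_suexec_target DOCROOT PROGRAM UID GID
# Prints each failed condition; returns 0 only if every check passes.
check_suexec_target() {
    docroot=$1; prog=$2; want_uid=$3; want_gid=$4; rc=0

    [ -f "$prog" ] || { echo "$prog: not a regular file"; return 1; }

    # Resolve symlinks so the containment test compares physical paths.
    real_root=$(cd "$docroot" && pwd -P) || return 1
    dir=$(cd "$(dirname "$prog")" && pwd -P) || return 1
    case "$dir/" in
        "$real_root"/*) ;;
        *) echo "$prog: outside docroot $real_root"; rc=1 ;;
    esac

    # suEXEC inspects both the program and the directory it lives in:
    # each must belong to the target user/group and be writable by nobody else.
    for p in "$dir" "$prog"; do
        mode=$(stat -c %a "$p"); uid=$(stat -c %u "$p"); gid=$(stat -c %g "$p")
        if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
            echo "$p: owned by $uid:$gid, expected $want_uid:$want_gid"; rc=1
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$p: writable by group or others (mode $mode)"; rc=1
        fi
    done

    # $mode now holds the program's mode; a setuid/setgid target is refused.
    if [ $(( 0$mode & 06000 )) -ne 0 ]; then
        echo "$prog: setuid/setgid bit set (mode $mode)"; rc=1
    fi
    return $rc
}
```

Running it over every site's cgi-bin after an Apache upgrade shows at once whether a replaced suexec binary with a different compiled-in docroot would start rejecting the per-user interpreters.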
