hello,

On Fri, Aug 01, 2003 at 10:00:27AM +0900, Nathan Ollerenshaw wrote:
> The apache daemon runs as a "www" user and group, and every domain
> has a unique userid and groupid assigned to it. The apache daemon runs
> in a chroot. (Therefore, the /etc/passwd and /etc/group entries for
> user sites only exist in the chroot - so that CGIs will work correctly).
>
> This works fine, however it has some flaws.
>
> Currently, permissions on the customer directories need to be lax
> enough for the apache daemon to read the files. This means at least 771
> for the docroot (which disables multi).
>
> What I would LIKE is to have all permissions on customer files and
> directories to be 700 or 600 respectively (except for executable CGIs
> of course).

I have a similar setup on my servers and I use POSIX ACLs
(http://acl.bestbits.at/) to get finer filesystem permissions.

The permissions for customer files are 700/600. Then I manipulate the ACL
to grant www-data read access to the files:

root@web3:/sites/domainuid# setfacl -m u:www-data:r-x htdocs
root@web3:/sites/domainuid# getfacl htdocs/
# file: htdocs
# owner: domainuid
# group: domaingid
user::rwx
user:www-data:r-x
group::r-x
mask::r-x
other::---

You can also have default ACLs, so all new files below this directory will
inherit these permissions.

But the best thing for this case would be to migrate to apache2-mpm-perchild,
if it ever becomes stable :-)

regards
buz

--
This is a free country. You have a right to send me email, and I have a
right not to read them!

GnuPG Fingerprint: 2FFF FC48 C7DF 1EA0 00A0 FD53 8C35 FD2E 6908 7B82
Attachment:
pgpkvn7i3RMA8.pgp
Description: PGP signature
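The ACL scheme described in the reply above, written out as an added example (this is not code from the mail or from the acl project). It emits the setfacl commands for one customer directory, including the default ACL the reply mentions, and adds the check a practitioner wants afterwards: that the web user has effective read access and "other" has none. The check matters because a later plain chmod on the directory rewrites the ACL mask from the group bits and can silently cancel the www-data entry; getfacl then prints the entry with an "#effective:---" annotation. The path /sites/domainuid/htdocs and the user www-data are assumed names, and the two getfacl listings are constructed, not captured from a host.

```shell
#!/bin/sh
# Added example, not code from the original mail. Assumed names: the site
# directory /sites/domainuid/htdocs and the web-server user www-data.

WEB_USER="${WEB_USER:-www-data}"

# Print the setfacl commands for one customer docroot. Files stay 700/600;
# only the web-server user gets read access, through the ACL:
#   1. access ACL on the docroot so the server can traverse it,
#   2. default ACL so new files and directories inherit the entry,
#   3. a recursive entry for what already exists. The capital X grants
#      execute only to directories and to files that are already executable,
#      so 600 data files end up r-- and executable CGIs keep their x bit.
acl_commands() {
    dir="$1"; user="${2:-$WEB_USER}"
    printf 'setfacl -m u:%s:r-x %s\n' "$user" "$dir"
    printf 'setfacl -d -m u:%s:r-x %s\n' "$user" "$dir"
    printf 'setfacl -R -m u:%s:r-X %s\n' "$user" "$dir"
}

# Verify a getfacl(1) listing: the web user must have effective read access
# and "other" must have none. When the mask limits an entry, getfacl appends
# "#effective:<perms>" to the line; those are the rights that actually apply,
# so they override the nominal ones in the check.
acl_ok() {
    listing="$1"; user="${2:-$WEB_USER}"
    printf '%s\n' "$listing" | awk -v u="$user" '
        /^#/ { next }                               # skip "# file:" header lines
        index($0, "user:" u ":") == 1 {
            perm = substr($0, length("user:" u ":") + 1, 3)
            if (match($0, /#effective:[-rwx]+/))    # mask-limited rights win
                perm = substr($0, RSTART + 11, 3)
            web_read = (perm ~ /^r/)
        }
        /^other::/ { other_none = ($0 == "other::---") }
        END { if (web_read && other_none) exit 0; exit 1 }
    '
}

# Constructed listings (not captured from a real host). GOOD_ACL is the state
# right after "setfacl -m u:www-data:r-x htdocs"; BAD_ACL is the same directory
# after a later "chmod 700 htdocs" lowered the mask and killed the grant.
GOOD_ACL=$(printf '# file: htdocs\n# owner: domainuid\n# group: domaingid\nuser::rwx\nuser:www-data:r-x\ngroup::r-x\nmask::r-x\nother::---\n')
BAD_ACL=$(printf '# file: htdocs\n# owner: domainuid\n# group: domaingid\nuser::rwx\nuser:www-data:r-x\t\t#effective:---\ngroup::r-x\t\t\t#effective:---\nmask::---\nother::---\n')

acl_commands /sites/domainuid/htdocs
if acl_ok "$GOOD_ACL"; then echo "ok: www-data can read, others cannot"; fi
if acl_ok "$BAD_ACL"; then :; else echo "broken: mask cancels the www-data entry"; fi
```

To apply on a real host, pipe the printed commands into a shell as root (`acl_commands /sites/domainuid/htdocs | sh -x`) and then run `getfacl` on the directory through `acl_ok` to confirm the grant is effective; re-run the check after any chmod on the customer tree.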