
Re: suexec permissions

nodata wrote:

> Done. chmod o+rx on:
> then running a system("touch /tmp/blairtest") from cgi-bin/test.pl creates
> a file with bob:bob permissions.
>
>> The other thing to check is that your scripts are physically located under
>> suEXEC's DOC_ROOT (/var/www on Sarge, I think).
>
> They are.
>
> The problem with this setup is that I have to have o+rx permission on
> directories and non-executables, which is a little messy (and I'm not sure
> whether vsftpd can handle this).
> Plus everyone on the machine can now read the files.


Well, to get /proper/ isolation you have to run separate Apache instances... :)

You could try a compromise along the lines of that suggested by Upayavira, except
you hit NGROUPS_MAX as you noted.

Wild Ass Suggestion: If you made each user VirtualHost directory uid <user> gid
www-data, and mode 2750 (note the setgid bit there), and have only Apache in group
www-data, might that not work?  [Am I missing something obvious?]

The biggest problem then is that users can piggyback off Apache's group www-data
access by running scripts.  Perhaps this could be surmounted with suexec, by forcing
scripts to run as the User/Group you specify.  Users might have to manually chgrp
their scripts to their "User Private Group" in this scenario though, which is a

But I should shut up now... I have to defer at this point to someone with more
experience at running large Apache installations.  8-P
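A toy model of the two layouts discussed in this thread (the o+rx directories versus a uid=<user> gid=www-data mode 2750 directory with only Apache in www-data), added here as an illustration and not part of the original messages. The accounts bob and alice, and the suexec ownership check in suexec_accepts, are assumptions of the model, not claims about the real suexec binary.

```python
"""Toy model (constructed, not a real filesystem) of the layout proposed in
this thread: each VirtualHost dir is uid=<user>, gid=www-data, mode 2750, and
only Apache is in group www-data. Compared against the plain o+rx setup."""
import stat
from dataclasses import dataclass

# Hypothetical accounts; Apache runs as user www-data, primary group www-data.
PRIMARY = {"www-data": "www-data", "bob": "bob", "alice": "alice"}
MEMBERS = {"www-data": {"www-data"}, "bob": {"bob"}, "alice": {"alice"}}

@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int  # full st_mode permission bits, e.g. 0o2750

def can_read(user: str, node: Inode) -> bool:
    """POSIX access check: owner class, else group class, else other."""
    if user == node.owner:
        return bool(node.mode & stat.S_IRUSR)
    if user in MEMBERS.get(node.group, set()):
        return bool(node.mode & stat.S_IRGRP)
    return bool(node.mode & stat.S_IROTH)

def create_file(parent: Inode, creator: str, mode: int = 0o640) -> Inode:
    """New files inherit the dir's group when its setgid bit is set."""
    group = parent.group if parent.mode & stat.S_ISGID else PRIMARY[creator]
    return Inode(creator, group, mode)

def suexec_accepts(script: Inode, user: str) -> bool:
    """Assumed suexec-style ownership check (why users would have to chgrp):
    the script must be owned by the target user and their private group."""
    return script.owner == user and script.group == PRIMARY[user]

# The two layouts discussed for bob's VirtualHost directory.
OPEN_DIR = Inode("bob", "bob", 0o755)         # chmod o+rx: world-readable
SETGID_DIR = Inode("bob", "www-data", 0o2750)  # the 2750 + setgid suggestion

def isolation_report(vhost: Inode) -> dict:
    """Who can read the directory: Apache itself (and so any CGI that still
    runs as www-data, the piggyback case), another local user, the owner."""
    return {"apache": can_read("www-data", vhost),
            "other_user": can_read("alice", vhost),
            "owner": can_read("bob", vhost)}

def script_status(vhost: Inode) -> tuple:
    """Group a script bob creates in the dir gets, and whether the assumed
    suexec check would run it as bob before any manual chgrp."""
    script = create_file(vhost, "bob", 0o750)
    return script.group, suexec_accepts(script, "bob")
```

Running isolation_report on both directories shows the 2750 layout keeps alice out while Apache still reads it, and script_status shows why the setgid group inheritance forces the manual chgrp the message mentions.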


