
Re: suexec permissions



nodata wrote:

Done. chmod o+rx on:
 /var/www/bob
 /var/www/bob/htdocs
 /var/www/bob/cgi-bin
then running a system("touch /tmp/blairtest") from cgi-bin/test.pl creates
a file with bob:bob permissions.


The other thing to check is that your scripts are physically located under
suEXEC's DOC_ROOT (/var/www on Sarge, I think).


They are.


Regards,

   Blair.



The problem with this setup is that I have to have o+rx permission on
directories and non-executables, which is a little messy (and I'm not sure
whether vsftpd can handle this).
Plus everyone on the machine can now read the files.

Ack.

Well, to get /proper/ isolation you have to run separate Apache instances... :)

You could try a compromise along the lines of that suggested by Upayavira, except
you hit NGROUPS_MAX as you noted.

Wild Ass Suggestion: If you made each user VirtualHost directory uid <user> gid
www-data, and mode 2750 (note the setgid bit there), and have only Apache in group
www-data, might that not work?  [Am I missing something obvious?]

The biggest problem then is that users can piggyback off Apache's group www-data
access by running scripts.  Perhaps this could be surmounted with suexec, by forcing
scripts to run as the User/Group you specify.  Users might have to manually chgrp
their scripts to their "User Private Group" in this scenario though, which is a
disadvantage.

But I should shut up now... I have to defer at this point to someone with more
experience at running large Apache installations.  8-P

Regards,

    Blair.
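An added example, not from the thread: a small audit script for the trade-off nodata describes (o+rx lets every local account read the files) and for the uid-user/gid-www-data/mode-2750 layout suggested above. It assumes GNU or BSD find and works on a throwaway directory tree it builds itself, so no root or real www-data group is needed.

```shell
#!/bin/sh
# Audit a per-user web tree for the suEXEC permission trade-off discussed
# in the thread. Two checks:
#   list_world_readable DIR  - every path under DIR that 'other' can read
#                              (the "everyone can read the files" problem)
#   check_private_dir DIR    - true iff DIR is exactly mode 2750, i.e.
#                              rwxr-s---: setgid, group traversable, no 'other'
# Assumption: find supports -maxdepth (GNU and BSD find both do).

list_world_readable() {
    # -perm -004: the 'other' read bit is set (files and directories alike)
    find "$1" -perm -004 -print | sort
}

check_private_dir() {
    # exact-mode match; -maxdepth 0 restricts find to DIR itself
    [ -n "$(find "$1" -maxdepth 0 -type d -perm 2750)" ]
}

# Constructed demo tree: one world-readable file, one group-only file,
# directories in the proposed 2750 layout (group is our own here, not www-data).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bob/htdocs"
    printf 'hello\n'  > "$root/bob/htdocs/index.html"
    printf 'secret\n' > "$root/bob/htdocs/config.inc"
    chmod 2750 "$root/bob" "$root/bob/htdocs"
    chmod 644  "$root/bob/htdocs/index.html"   # readable by everyone
    chmod 640  "$root/bob/htdocs/config.inc"   # owner and group only
    echo "world-readable under $root/bob:"
    list_world_readable "$root/bob"
    if check_private_dir "$root/bob"; then
        echo "$root/bob: mode 2750 as proposed"
    else
        echo "$root/bob: not in the 2750 layout"
    fi
    rm -rf "$root"
}
```

Run `demo` to see only index.html reported; changing a directory to 2755 would make it (and everything below it) show up in the first check and fail the second.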
