
Re: suexec permissions



>> The problem with this setup is that I have to have o+rx permission on
>> directories and non-executables, which is a little messy (and I'm not sure
>> whether vsftpd can handle this).
>> Plus everyone on the machine can now read the files.
>>
>> Ack.
>
> Well, to get /proper/ isolation you have to run separate Apache
> instances... :)
>
> You could try a compromise along the lines of that suggested by Upayavira,
> except you hit NGROUPS_MAX as you noted.
>
> Wild Ass Suggestion: If you made each user VirtualHost directory uid <user>
> gid www-data, and mode 2750 (note the setgid bit there), and have only
> Apache in group www-data, might that not work?  [Am I missing something
> obvious?]

I think I'd get an error from suexec complaining about a User/Group mismatch.

> The biggest problem then is that users can piggyback off Apache's group
> www-data access by running scripts.  Perhaps this could be surmounted with
> suexec, by forcing scripts to run as the User/Group you specify.  Users
> might have to manually chgrp their scripts to their "User Private Group" in
> this scenario though, which is a disadvantage.
>
> But I should shut up now... I have to defer at this point to someone with
> more experience at running large Apache installations.  8-P
>
> Regards,
>
>      Blair.
>
>

Anyone? :)
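
The layout discussed in this thread (directory owned by the user, group www-data, mode 2750) can be audited with a small script. This is an added example, not part of the original messages; it assumes GNU stat, and the function name and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (stat -c).
# Audits one per-user VirtualHost directory against the layout suggested
# above: owner <user>, shared web group, mode 2750 (setgid, no world access).

# vhost_dir_findings DIR OWNER WEB_GROUP SUEXEC_GROUP   (hypothetical helper)
# Prints one finding per line; prints nothing when the layout matches.
vhost_dir_findings() {
    dir=$1 owner=$2 web_group=$3 suexec_group=$4
    mode=$(stat -c '%a' "$dir") || return 2
    d_owner=$(stat -c '%U' "$dir")
    d_group=$(stat -c '%G' "$dir")

    [ "$d_owner" = "$owner" ] || echo "owner is $d_owner, expected $owner"
    [ "$d_group" = "$web_group" ] || echo "group is $d_group, expected $web_group"
    [ "$mode" = "2750" ] || echo "mode is $mode, expected 2750"

    # A non-zero last octal digit means "other" has some access (the o+rx
    # problem from the first message: every local user can read the tree).
    case $mode in
        *0) ;;
        *) echo "world-accessible: other local users can reach this tree" ;;
    esac

    # suexec only runs a program when the target user and group match the
    # owner and group of both the program and its directory, so a shared
    # web group on the directory conflicts with a per-user suexec group.
    [ "$d_group" = "$suexec_group" ] ||
        echo "suexec group $suexec_group does not match directory group $d_group"
}

# Stand-alone use: sh audit.sh /path/to/vhost USER WEB_GROUP SUEXEC_GROUP
if [ "$#" -eq 4 ]; then
    vhost_dir_findings "$@"
fi
```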


