[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: suexec permissions

>> The problem with this setup is that I have to have o+rx permission on
>> directories and non-executables, which is a little messy (and I'm not
>> sure
>> whether vsftpd can handle this).
>> Plus everyone on the machine can now read the files.
>> Ack.
> Well, to get /proper/ isolation you have to run separate Apache
> instances... :)
> You could try a compromise along the lines of that suggested by Upayavira,
> except
> you hit NGROUPS_MAX as you noted.
> Wild Ass Suggestion: If you made each user VirtualHost directory uid
> <user> gid
> www-data, and mode 2750 (note the setgid bit there), and have only Apache
> in group
> www-data, might that not work?  [Am I missing something obvious?]

I think I'd get an error from suexec complaining about a User/Group mismatch.

> The biggest problem then is that users can piggyback off Apache's group
> www-data
> access by running scripts.  Perhaps this could be surmounted with suexec,
> by forcing
> scripts to run as the User/Group you specify.  Users might have to
> manually chgrp
> their scripts to their "User Private Group" in this scenario though, which
> is a
> disadvantage.
> But I should shut up now... I have to defer at this point to someone with
> more
> experience at running large Apache installations.  8-P
> Regards,
>      Blair.

Anyone? :)

Reply to: