[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Default Apache install not fit for multiple domains/users

> I want to enable some friends of mine to host their web pages on my
> woody server. It has Apache LAMP running in great shape and it suits my
> Web page just fine. The Problem that I have now is, that the apache user
> is www-data. Well, I guessed I could just change the user permissions on
> the /var/www/<path.to.site> directories to the respective user names,
> but that doesnt do the trick, because then, all write permissions for
> cgi scripts for these diretories are gone, as they no longer belong to
> www-data.

maybe you can try what i've used , which basically is :

#1 - mod_diffprivs
this apache module enables apache to switch uid/gid when serving virtual
hosts . each virtual host is effectively served as the owner .

take for example this vhost snippet :

<VirtualHost *>
        DocumentRoot -(removed)-
        ServerName gum.doubleukay.com

        Privs hata hata
        PrivsGroups On

when a request is sent for gum.doubleukay.com , its php/cgi scripts will
create/read files and execute commands as user hata and group hata .

#2 - ERUP (enhanced regular user privileges)
and this one lets me grant the apache user (www-data) privilege to perform
uid/gid switching , so that i dont have to run apache as root .

there's a few performance-related issues with the above setup though . HTTP
keepalives and pipelining have to be disabled because once an apache child
switches uid , it cant switch back to www-data and serve subsequent requests
. the clients would notice a definite 'lag' in page loading as a new
connection would have to be open to the http server for each element . the
server would also undergo load problems as new children would have to be
forked for each http request . however , there is a way to reduce this
problem :)

wK (www.doubleukay.com)

Reply to: