
Re: applications, users, groups, permissions



On Sat, Jan 20, 2007 at 11:15:38PM -0800, Peter Michaux wrote:
> In my apache2.conf file I have the user and group directives which are
> fairly self explanatory.
> 
> User www-data
> Group www-data
> 
> When apache tries to serve a file it must have permission to access
> that file. Apache will have permission because either the "www-data"
> user has permission to access that file or group "www-data" has
> permission. How does the permission checking occur? When the apache
> process starts does it tell the os its user and group and then the os
> knows when apache tries to access a file?

Apache forks new processes which change their effective UID and GID
to match what you put in the directives above.  The OS does not need
to know anything special as it just sees a given process try to do
something.

> Why is it I can set the group to one that the user does not belong?
> Shouldn't there be an error when an application is identifying itself
> as a user and group that don't go together? Or when accessing a file
> the os simply checks in sequence the user permission and then the
> group permission if necessary and no process ever checks if apache's
> user and group go together?

root can do things that sometimes do not make sense. :)

> I can also comment out the group directive altogether. The default
> value of the group directive in apache is "#-1". There is no group
> with id -1 on my computer.

"Don't do that then" :)

There is no group id -1, but it wraps around to 65534 by convention,
which you will see is "nogroup".

> How can I determine which group apache is
> running in?

ps awux | grep httpd

??

> I can understand how the #apache people say these are generic
> application file access permission questions. I hope someone can shed
> some light on how this works.

Hopefully you understand now that root can switch the effective
UID/GID of a process it forks to that of any other user/group and
thus the question as to whether the process can do something
with/to a file is a generic one.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB
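The permission model Andy describes, as an added example that is not part of the original thread: a process that has switched its effective UID/GID (as Apache workers do for the User/Group directives) is checked by the kernel purely on those credentials, class by class (owner, then group, then other), with no notion of whether the user and group "go together". The block also parses the Uid/Gid/Groups lines of a /proc/<pid>/status text, which is one way to see which group a running process is in. The uid/gid value 33 for www-data and the /proc status text are constructed assumptions, not taken from the thread.

```python
"""Model of the POSIX discretionary access check, plus a parser for the
credential lines of /proc/<pid>/status. Added example; not from the thread."""

# Constructed sample: what /proc/<pid>/status might show for an Apache worker
# whose effective credentials were switched to www-data (uid/gid 33 assumed).
# Field order on the Uid:/Gid: lines is real, effective, saved, filesystem.
SAMPLE_STATUS = """\
Name:\tapache2
Uid:\t33\t33\t33\t33
Gid:\t33\t33\t33\t33
Groups:\t33
"""


def parse_credentials(status_text):
    """Return (euid, egid, supplementary_groups) from a /proc status text."""
    euid = egid = None
    groups = set()
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        fields = value.split()
        if key == "Uid":
            euid = int(fields[1])          # second field is the effective uid
        elif key == "Gid":
            egid = int(fields[1])          # second field is the effective gid
        elif key == "Groups":
            groups = {int(g) for g in fields}
    return euid, egid, groups


def may_access(mode, owner_uid, owner_gid, euid, egid, groups, want):
    """Classic DAC decision for one open() attempt.

    mode       : permission bits of the inode, e.g. 0o640
    owner_uid  : uid owning the inode
    owner_gid  : gid owning the inode
    euid/egid  : effective credentials of the calling process
    groups     : supplementary gids of the process
    want       : string of requested bits, any of "r", "w", "x"

    Exactly one class is selected by comparing the process credentials with
    the inode owner/group; only that class's bits are consulted. Root (euid 0)
    bypasses read/write checks but still needs some x bit for execute.
    """
    need = {"r": 4, "w": 2, "x": 1}
    bits = sum(need[c] for c in want)
    if euid == 0:
        if "x" in want and not (mode & 0o111):
            return False
        return True
    if euid == owner_uid:
        cls = (mode >> 6) & 7            # owner class wins even if group bits are wider
    elif egid == owner_gid or owner_gid in groups:
        cls = (mode >> 3) & 7            # group class: egid or any supplementary gid
    else:
        cls = mode & 7                   # everyone else
    return (cls & bits) == bits


if __name__ == "__main__":
    euid, egid, groups = parse_credentials(SAMPLE_STATUS)
    print("worker runs as euid=%d egid=%d groups=%s" % (euid, egid, sorted(groups)))
    # Document root owned by root:www-data, mode 640: the worker reads via the group class.
    print("read  root:www-data 0640 ->", may_access(0o640, 0, 33, euid, egid, groups, "r"))
    print("write root:www-data 0640 ->", may_access(0o640, 0, 33, euid, egid, groups, "w"))
    # Group directive pointing at a gid the user is not a member of still just works:
    print("read  root:1000 0640 as uid 33/gid 1000 ->",
          may_access(0o640, 0, 1000, 33, 1000, {1000}, "r"))
```

The fourth call shows Peter's "group the user does not belong to" case: the kernel never consults /etc/group at open() time, it only compares the gid the process already carries, so a mismatched User/Group pair is accepted silently. The owner-class rule is the usual surprise: a file with mode 0060 is unreadable by its own owner even when the owner is in the file's group.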
