mailing list archives
Re: Unix Permissions: Using groups to isolate users from webserver
From: lits <lists () innocence-lost net>
Date: Thu, 2 Dec 2004 11:32:02 -0700 (MST)
four points to be made:
Special note: Use of this directive in <VirtualHost> requires a properly
configured suEXEC wrapper. When used inside a <VirtualHost> in this manner, only
the user that CGIs are run as is affected. Non-CGI requests are still processed
with the user specified in the main User directive.
However, without the aid of another bug in apache- one cannot view the
files from virtual host X from virtual host Y (unless of course virtual
host Y exists inside of X).
You are absolutely right -- this is what I tried to explain. Note that this
also means that no acl's can help you.
rsbac (rsbac.org) has an extension of sorts that allows one to use role
based acl's with apache, thus eliminating all of 'those' problems, the
downside is that a new child is spawned for each request _because_ of the
fact you cannot switch roles back, acl's can help here. ACL's would stop
the 'inheriting' of parent priv's, especially role based acl's.
PHP can be run as apache module (that is inside apache) which makes suexec
impossible or you can install it separately and make your PHP scripts usual unix
scripts: start them with
and chmod +x them.
Assuming Linux, you can enable misc binary formats in the kernel, then
register php scripts with the kernel and you won't need to edit every php
script or force all of your users to do so. They will however, require +x
permissions, as all CGI's do.
As for running a apache process per user, doesn't that get cumbersom if you
start having alot of users?
It is not that cumbersome if you use Apache 2:
I am not incredibly familar with apache 2, but a couple notes on the
subject- i wouldnt run apache 2 just out of security concerns (compare the
number of advisories), but regardless of how the user space does things,
forking hundreds/thousands of processes a second will be expensive
regardless of what userland does. The best you could hope for here is that
the child doesn't write to any memory (unlikely) and thus avoid's
allocating a clean address space, because thats kinda unlikely, its