Done. chmod o+rx on: /var/www/bob /var/www/bob/htdocs /var/www/bob/cgi-bin then running a system("touch /tmp/blairtest") from cgi-bin/test.pl creates a file with bob:bob permissions.
The other thing to check is that your scripts are physically located under suEXEC's DOC_ROOT (/var/www on Sarge, I think).
They are.
Regards,
Blair.
The problem with this setup is that I have to have o+rx permission on directories and non-executables, which is a little messy (and I'm not sure whether vsftpd can handle this). Plus everyone on the machine can now read the files.
Ack.
Well, to get /proper/ isolation you have to run separate Apache instances... :)
You could try a compromise along the lines of that suggested by Upayavira, except you hit NGROUPS_MAX as you noted.
Wild Ass Suggestion: If you made each user VirtualHost directory uid <user> gid www-data, and mode 2750 (note the setgid bit there), and have only Apache in group www-data, might that not work? [Am I missing something obvious?]
The biggest problem then is that users can piggyback off Apache's group www-data access by running scripts. Perhaps this could be surmounted with suexec, by forcing scripts to run as the User/Group you specify. Users might have to manually chgrp their scripts to their "User Private Group" in this scenario though, which is a disadvantage.
But I should shut up now... I have to defer at this point to someone with more experience at running large Apache installations. 8-P
Regards,
Blair.