nodata wrote:
Done. chmod o+rx on:
/var/www/bob
/var/www/bob/htdocs
/var/www/bob/cgi-bin
then running a system("touch /tmp/blairtest") from cgi-bin/test.pl creates
a file with bob:bob permissions.
The other thing to check is that your scripts are physically located under
suEXEC's DOC_ROOT (/var/www on Sarge, I think).
They are.
Regards,
Blair.
The problem with this setup is that I have to have o+rx permission on
directories and non-executables, which is a little messy (and I'm not sure
whether vsftpd can handle this).
Plus everyone on the machine can now read the files.
Ack.
Well, to get /proper/ isolation you have to run separate Apache
instances... :)
You could try a compromise along the lines of that suggested by Upayavira, except you hit NGROUPS_MAX as you noted.
Wild Ass Suggestion: If you made each user VirtualHost directory uid <user> gid www-data, and mode 2750 (note the setgid bit there), and have only Apache in group www-data, might that not work? [Am I missing something obvious?]
The biggest problem then is that users can piggyback off Apache's group www-data access by running scripts. Perhaps this could be surmounted with suexec, by forcing scripts to run as the User/Group you specify. Users might have to manually chgrp their scripts to their "User Private Group" in this scenario though, which is a disadvantage.
But I should shut up now... I have to defer at this point to someone with more
experience at running large Apache installations. 8-P
Regards,
Blair.
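An added audit script for the "uid user, gid www-data, mode 2750" layout floated above; it is not from the thread or from Apache. It walks one VirtualHost tree and flags anything world-accessible (the o+rx leak nodata complained about), any directory missing the setgid bit, and anything whose group is not the expected one. The directory names in the demo are constructed from nodata's example, and `expected_gid` is a parameter the caller supplies (the demo uses the current gid so it runs without root).

```python
import os
import stat
import tempfile


def audit_tree(root, expected_gid=None):
    """Return (path, problem) findings for a vhost tree meant to be 2750 throughout."""
    findings = []
    paths = [root] + [os.path.join(d, n) for d, ds, fs in os.walk(root) for n in ds + fs]
    for p in paths:
        st = os.lstat(p)
        if stat.S_ISLNK(st.st_mode):
            continue                      # symlink perms are meaningless; skip
        mode = stat.S_IMODE(st.st_mode)   # permission bits incl. setuid/setgid/sticky
        other = "".join(c for c, b in zip("rwx", (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH))
                        if mode & b)
        if other:
            # Any "other" bit means every local account can reach it, not just Apache.
            findings.append((p, "world-accessible (o+%s)" % other))
        if stat.S_ISDIR(st.st_mode) and not mode & stat.S_ISGID:
            # Without setgid, new files under here get the creator's group, not www-data.
            findings.append((p, "directory lacks setgid bit"))
        if expected_gid is not None and st.st_gid != expected_gid:
            findings.append((p, "group is %d, expected %d" % (st.st_gid, expected_gid)))
    return findings


def demo():
    """Constructed example tree: htdocs done right, cgi-bin left at 755 as in nodata's fix."""
    base = tempfile.mkdtemp()
    vhost = os.path.join(base, "bob")
    os.mkdir(vhost)
    os.chmod(vhost, 0o2750)
    htdocs = os.path.join(vhost, "htdocs")
    os.mkdir(htdocs)
    os.chmod(htdocs, 0o2750)
    cgi = os.path.join(vhost, "cgi-bin")
    os.mkdir(cgi)
    os.chmod(cgi, 0o755)                  # the o+rx workaround; no setgid either
    script = os.path.join(cgi, "test.pl")
    with open(script, "w") as f:
        f.write("#!/usr/bin/perl\n")      # constructed stand-in for the CGI script
    os.chmod(script, 0o750)
    return audit_tree(vhost, expected_gid=os.getgid())


if __name__ == "__main__":
    for path, problem in demo():
        print("%s: %s" % (path, problem))
```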