The following reply was made to PR suexec/946; it has been noted by GNATS. From: Marc Slemko <[EMAIL PROTECTED]> To: Ronny Cook <[EMAIL PROTECTED]> Subject: Re: suexec/946: The "User" directive fails for virtual hosts where the user differs from that for the main server. Date: Sun, 3 Aug 1997 21:12:23 -0600 (MDT)
On Mon, 4 Aug 1997, Ronny Cook wrote: > > Date: Sat, 2 Aug 1997 14:14:38 -0600 (MDT) > > From: Marc Slemko <[EMAIL PROTECTED]> > > cc: [EMAIL PROTECTED] > > > > On Fri, 1 Aug 1997, Ronny Cook wrote: > [...] > >> It could be a documentation bug rather than a program bug, I suppose, but > >> if so that begs the question of what is the server *supposed* to be doing > >> with the User directive? > > > > No, that is not the way things should work and I don't really see that > > being implied by the above docs. > > I agree it's thin, but it seemed to be the only reasonable interpretation > assuming that the "User" command was to be meaningful for virtual hosts. > > > > Apache will never setuid() after its initial change to the user specified > > by the main User directive (if started as root; if not started as root, it > > will never setuid() at all). To use suexec, suexec _needs_ to be setuid > > root so it can setuid() to the appropriate user. That is the whole point > > of suexec; Apache does not run as root beacause that is a huge security > > risk, so it can't setuid(). That means suexec is the one that has to do > > that. > > > I know, but you still haven't answered my final question. If the User > directive doesn't set the user under which the daemon runs (and it doesn't) > what *does* it do? At the moment it seems to be a null operation; it doesn't > do anything, even when suexec is enabled, so far as I can see. > > If User does nothing, why is it there? It tells Apache what user to tell suexec to run CGIs as.
