FPSE does its own version of suexec when going down into a FPSE enabled web. I know that I specify the user and group when I extend a site, but I haven't figured exactly how it works or where these parameters are 'stored' and 'configured'.
While writing this up, a voice in my head said "use the source", so I did, and find myself just a little the wiser but would like another insight.
The fpexe program picks up its user and group to run as from FPUID and FPGID environment variables (and verifies a random key file). These variables are set by mod_frontpage in FrontPageAlias. It uses the user and group of a 'webroot' file descriptor which turns out to be the user and group of the request object's filename. The 'webroot' is expected to have a _vti_pvt/ sub directory with the same user and group permissions.
Now taking the 'webroot' variable name at face value, I'd expect that they were checking the 'document root' for the virtual web's permissions and comparing that to the permissions of _vti_pvt/ and if they match, fpexe runs as the user and group of your webroot. Maybe I just need to look into apache virtual host handling to see that request_rec->filename is the web root when mod_frontpage gets a hold of it.
If that's the case, I shouldn't need to re-extend a web to change 'ownership', just change the file permissions on everything from the web root down and mod_frontpage/fpexe will 'magically' start using that user/group for its actions, right? I haven't tried that yet. Any experiences changing the user/group on a web?
I can 'deny' fp from modifying stuff in the web by changing those parts to another user/group. I just have to be careful and remember that extending a web clobbers the permissions of everything it can back to your requested user/group for fpse.
Almost all of our FPSE sites are managed by 'us', so I use one user/group for that data (different than apache's user/group.) It seems to make the most sense to have a fpse extended web where you are giving the client a shell account the same user/group as the account holder. What's popular with the rest of you?
-- Jacob
_______________________________________________
Apache-FP mailing list
Apache-FP@lists.joshie.com
http://lists.joshie.com/mailman/listinfo/apache-fp
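A read-only ownership audit based on the behaviour described in the message above, as an added example that is not part of the original post or of mod_frontpage/fpexe. The matching rule (web root and `_vti_pvt/` must share owner and group) is taken from the poster's reading of the source; the function names are hypothetical.

```python
import os
import stat as statmod
import tempfile

def fpexe_identity(webroot, lstat=os.lstat):
    """Return the (uid, gid) fpexe would use per the post, or None.

    Assumption from the post: the owner/group of the web root is used, and
    _vti_pvt/ beneath it is expected to have the same owner and group.
    """
    try:
        root = lstat(webroot)
        pvt = lstat(os.path.join(webroot, "_vti_pvt"))
    except FileNotFoundError:
        return None
    if not statmod.S_ISDIR(pvt.st_mode):
        return None  # a file or symlink named _vti_pvt does not count
    if (root.st_uid, root.st_gid) != (pvt.st_uid, pvt.st_gid):
        return None
    return (root.st_uid, root.st_gid)

def foreign_paths(webroot, lstat=os.lstat):
    """List (path, uid, gid) for entries not owned by the web root's user/group.

    These are the parts of the web the post describes as 'denied' to FrontPage.
    """
    root = lstat(webroot)
    want = (root.st_uid, root.st_gid)
    found = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = lstat(path)  # lstat: report the link itself, never its target
            if (st.st_uid, st.st_gid) != want:
                found.append((path, st.st_uid, st.st_gid))
    return sorted(found)

def audit(webroot, lstat=os.lstat):
    """Summarise one web: effective identity, privilege flag, foreign entries."""
    ident = fpexe_identity(webroot, lstat)
    return {"identity": ident,
            "privileged": ident is not None and 0 in ident,  # uid 0 or gid 0
            "foreign": foreign_paths(webroot, lstat)}

if __name__ == "__main__":
    # Constructed sample web in a temporary directory; nothing real is touched.
    with tempfile.TemporaryDirectory() as web:
        os.mkdir(os.path.join(web, "_vti_pvt"))
        open(os.path.join(web, "index.html"), "w").close()
        print(audit(web))
```

Running it before and after a re-extend shows which entries had their ownership reset, since the post notes that extending a web rewrites ownership back to the requested user/group.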