On Fri, 14 Nov 2008 at 18:40:17 +1300, Francois Marier wrote:
> What these restrictions do is prevent a user from executing files unless the
> file (and the directory in which it is) is owned by itself (or root) and is
> not group- or world-writable.

This is fundamentally incompatible with wanting Apache (www-data) to run CGI scripts provided by another user (francois). You can have either this or TPE, but not both.

If you don't want the user francois to be able to escalate privileges to www-data (which is what TPE is trying to prevent), you could either use mpm-itk to have an Apache child running as francois, or you could use suexec as described at <http://ikiwiki-hosting.branchable.com/security/privilege_escalation/> (although TPE might block the latter too).

    S
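The rule quoted in this message, modelled as an added example that is not part of the original thread and is not the code of any TPE implementation. It follows the rule only as the quote words it; the uids 33 and 1000 and the file modes are constructed, and the function names are hypothetical.

```python
import os
import stat
from collections import namedtuple

# Stand-in for the two os.stat() fields the rule inspects.
Meta = namedtuple("Meta", "st_uid st_mode")
ROOT_UID = 0
WWW_DATA, FRANCOIS = 33, 1000  # constructed uids for the two accounts in the thread


def tpe_allows(exec_uid, file_meta, dir_meta):
    """Apply the quoted rule to a file and its directory.

    Returns (allowed, reasons); reasons lists every condition that failed.
    """
    reasons = []
    for label, meta in (("file", file_meta), ("directory", dir_meta)):
        if meta.st_uid not in (exec_uid, ROOT_UID):
            reasons.append(f"{label} is owned by uid {meta.st_uid}, not uid {exec_uid} or root")
        if meta.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append(f"{label} is group- or world-writable")
    return (not reasons, reasons)


def tpe_allows_path(exec_uid, path):
    """Same check against a real path, using the directory that contains it."""
    path = os.path.abspath(path)
    return tpe_allows(exec_uid, os.stat(path), os.stat(os.path.dirname(path)))


if __name__ == "__main__":
    cgi = Meta(FRANCOIS, 0o100755)      # constructed: francois's CGI script
    cgi_dir = Meta(FRANCOIS, 0o040755)  # constructed: the directory holding it
    cases = [
        ("www-data runs francois's CGI", WWW_DATA, cgi, cgi_dir),
        ("francois runs his own CGI", FRANCOIS, cgi, cgi_dir),
        ("www-data runs a root-owned binary", WWW_DATA,
         Meta(ROOT_UID, 0o100755), Meta(ROOT_UID, 0o040755)),
        ("francois, script left group-writable", FRANCOIS,
         Meta(FRANCOIS, 0o100775), cgi_dir),
    ]
    for name, uid, f, d in cases:
        allowed, reasons = tpe_allows(uid, f, d)
        print(f"{name}: {'allowed' if allowed else 'denied'}")
        for r in reasons:
            print(f"  - {r}")
```

The second case corresponds to the mpm-itk option in the reply: once the process executing the script runs as francois, the ownership condition is met.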

