On Mon, Apr 08, 2002 at 07:23:47PM +0200, Michal Novotny wrote:
> Is it possible to run/switch apache to user defined by User directive?
>
> Situation:
> Apache running www-data.www-data
> In home dirs users have their data (html etc.) with permission 600 and
> with user.www-data
> Now it is not possible to get any html (permission denied) of course,
> because of permissions, but I don't want to set it 660, because then
> other user in that group can read/overwrite data/htmls.

all files to be served by apache *MUST* be readable by user and/or group
www-data. all directories in the path to the files *MUST* be readable
and executable by user and/or group www-data.

this means that they should either be owned by www-data and at least
mode 400 (or 500 for directories), or they should be in group www-data
and at least 440 (or 550 for directories). alternatively, files must be
world-readable and directories must be world readable & executable.

the default is for files to be owned by the user, and mode 644 and for
directories to be owned by the user and mode 755.

you don't have any choice in this. if you want to serve pages, then the
pages must be accessible by the apache process. or, to put it another
way, apache can't serve a file it doesn't have permission to access.

for CGI scripts, you can use suexec (comes with apache) or cgiwrap
(separate package) or similar program to make the script run as a
particular user. as a security precaution, both suexec and cgiwrap have
quite strict policies on what they will run...but cgiwrap is more
flexible.

craig

--
craig sanders <[EMAIL PROTECTED]>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
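Added example, not part of the original message: a Python check that walks every component of a path and reports which ones the web server account cannot use, applying the rules from the reply above (read on files, read and execute on directories, taken from the owner, group or other bits, whichever class applies). The function names and the `check.py` script name are made up for this sketch; it reads only classic mode bits and ignores ACLs and root's override.

```python
import os, pwd, stat, sys

def class_bits(st, uid, gids):
    """rwx bits of the one permission class that applies: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def blocked_components(path, uid, gids, root="/"):
    """Walk from root down to path; return [(component, mode)] the account cannot use.
    Files need r (4); directories need r+x (5), as the reply states."""
    path, root = os.path.abspath(path), os.path.abspath(root)
    chain = [path]
    while chain[-1] != root and os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    blocked = []
    for comp in reversed(chain):
        st = os.stat(comp)
        need = 5 if stat.S_ISDIR(st.st_mode) else 4
        if (class_bits(st, uid, gids) & need) != need:
            blocked.append((comp, stat.filemode(st.st_mode)))
    return blocked

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check.py FILE ACCOUNT   (e.g. ACCOUNT = www-data)")
    pw = pwd.getpwnam(sys.argv[2])
    # Primary group plus supplementary groups of the server account.
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for comp, mode in blocked_components(sys.argv[1], pw.pw_uid, gids):
        print(f"{mode} {comp}: not accessible to {pw.pw_name}")
```

Run it as a user who can stat the whole path; no output means every component passes the mode-bit check for that account.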

