On Sun, Jan 21, 2007 at 08:43:16AM -0800, Peter Michaux wrote:
> On 1/21/07, Andy Smith <[EMAIL PROTECTED]> wrote:
> >On Sat, Jan 20, 2007 at 11:15:38PM -0800, Peter Michaux wrote:
> >> When apache tries to serve a file it must have permission to access
> >> that file. Apache will have permission because either the "www-data"
> >> user has permission to access that file or group "www-data" has
> >> permission. How does the permission checking occur? When the apache
> >> process starts does it tell the os its user and group and then the os
> >> knows when apache tries to access a file?
> >
> >Apache forks new processes which change their effective UID and GID
> >to match what you put in the directives above. The OS does not need
> >to know anything special as it just sees a given process try to do
> >something.
>
> So when do file access permissions get checked?

In the system call that the apache process will do to read the file.

> And when does the data
> for the user and group apache is running as get transferred to the os
> so the os can do the checking? On application start-up or with each
> file access attempt?

Under the default settings Apache pre-forks several child processes
under the correct UID/GID. Permissions checks happen when these try
to do anything, as is the case for all processes.

> >ps awux | grep httpd
>
> This shows the user in the first column but not the group. Actually
> the 'w' modifier in the ps command doesn't make a difference on my
> computer. So I still can't see which group unfortunately.

Well, "man ps"

    ps -eo pid,user,group,args | less

> >Hopefully you understand now that root can switch the effective
> >UID/GID of a process it forks to that of any other user/group and
> >thus the question as to whether the process can do something
> >with/to a file is a generic one.
>
> Actually I don't have apache configured to fork new processes right
> now. So unless forking processes is a default behavior then I am just
> interested in the main apache application process.

I think you will find you have one apache process running as root,
and several running as whatever UID/GID you specified. The one that
runs as root doesn't answer requests, it forks processes or spawns
threads to do that.

Cheers,
Andy

--
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB
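
A check that follows from the reply above, as an added example that is not part of the original thread: it reads `ps` output with a `ppid` column added to the command Andy gives, treats the Apache process whose parent is not Apache as the control process, and flags any worker not running as the expected user and group. The function name, the sample rows and the `www-data` defaults are assumptions.

```sh
# Added example. Reads `ps -eo pid,ppid,user,group,args` output on stdin.
# $1/$2: expected worker user/group (www-data is the value from the thread).
audit_apache_creds() {
    awk -v u="${1:-www-data}" -v g="${2:-www-data}" '
    {
        n = split($5, path, "/")               # basename of the executable
        if (path[n] != "httpd" && path[n] != "apache2") next
        ppid[$1] = $2; user[$1] = $3; group[$1] = $4
    }
    END {
        bad = 0
        for (p in ppid) {
            if (!(ppid[p] in ppid)) {          # parent is not Apache: control process
                printf "INFO  pid=%s control process %s:%s\n", p, user[p], group[p]
            } else if (user[p] != u || group[p] != g) {
                printf "ALERT pid=%s worker runs as %s:%s, expected %s:%s\n", p, user[p], group[p], u, g
                bad++
            } else {
                printf "OK    pid=%s worker %s:%s\n", p, user[p], group[p]
            }
        }
        exit (bad > 0)                         # non-zero status if any worker is wrong
    }'
}

# Constructed sample input (not captured from a real host).
SAMPLE='  PID  PPID USER     GROUP    COMMAND
  812     1 root     root     /usr/sbin/apache2 -k start
  840   812 www-data www-data /usr/sbin/apache2 -k start
  841   812 root     root     /usr/sbin/apache2 -k start
  907   650 peter    peter    grep apache2'

printf '%s\n' "$SAMPLE" | audit_apache_creds www-data www-data || echo "worker credential check failed"
# Live use: ps -eo pid,ppid,user,group,args | audit_apache_creds www-data www-data
```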