Developers,

I first posed a question to the users list, and it was recommended that I ask "the apache developers", which I assumed means ask here.

Quick overview: I want to use suEXEC with a UID that doesn't have a corresponding username in /etc/passwd, which suEXEC disallows. Why? Can I disable that without modifying source? If I rip out that check, how am I vulnerable?

More context: I'm running an Ensim-based site with name-based virtual hosts. suEXEC is in use. I want to make the web directories for those hosts (including cgi-bin directories) owned by a different user than the Ensim "site administrator". That is, I want to make them owned by the "webmaster" user for that domain. Actually accomplishing that, and serving static pages and providing FTP access, etc. is not a problem (which is why I'm not posting to an Ensim list). The problem is that that user is in the /etc/passwd file for that domain only, not in the global /etc/passwd file for the system, which is what suEXEC checks.

From http://httpd.apache.org/docs/suexec.html, a condition for success in suEXEC is:

    5. Is the target user name valid? Does the target user exist?

I would like to know how to disable this check. Do I have to comment out the lines implementing it in the suEXEC source and recompile? What kind of problems do I open myself up to if I do? (I can't think of any, as long as the other checks are all in place, and I'm a reasonably security-minded guy.)

-- 
Bob Bell <[EMAIL PROTECTED]>
-------------------------------------------------------------------------
"Q. I find this a nice feature but it is not according to the documentation. Or is it a BUG?
 A. Let's call it an accidental feature. :-)"
   -- Larry Wall, creator of the Perl programming language
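For readers weighing the question above, here is an added illustration (not suEXEC's own code, and not part of the original message) of what check 5 enforces: the target is resolved through the system password database, in either the user-name or the documented "#uid" form, and the caller learns exactly which condition failed. The minimum-UID floor of 500 and the fallback spec "#65534" are constructed values for this example.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Outcome of resolving a suEXEC-style target user specification. */
enum target_status {
    TARGET_OK = 0,
    TARGET_BAD_SPEC,      /* empty, or "#" not followed by a valid number */
    TARGET_NO_SUCH_USER,  /* no entry in the system password database */
    TARGET_UID_TOO_LOW    /* resolves to an account below the allowed floor */
};

/*
 * Resolve `spec` as the suEXEC docs describe the target: a user name, or
 * "#<uid>" for a numeric id. Both forms must map to an account in the
 * *system* passwd database; a per-domain passwd file, as in the question
 * above, is never consulted by getpwnam()/getpwuid(). On success the entry
 * is copied to *out so the caller has pw_uid, pw_gid and pw_dir to check.
 */
enum target_status resolve_target_user(const char *spec, uid_t min_uid,
                                       struct passwd *out)
{
    struct passwd *pw;

    if (spec == NULL || *spec == '\0')
        return TARGET_BAD_SPEC;

    if (spec[0] == '#') {
        char *end;
        errno = 0;
        unsigned long uid = strtoul(spec + 1, &end, 10);
        if (errno != 0 || end == spec + 1 || *end != '\0' || uid > (uid_t)-1)
            return TARGET_BAD_SPEC;
        pw = getpwuid((uid_t)uid);
    } else {
        pw = getpwnam(spec);
    }

    if (pw == NULL)
        return TARGET_NO_SUCH_USER;   /* this is check 5 failing */
    if (pw->pw_uid < min_uid)
        return TARGET_UID_TOO_LOW;    /* e.g. root or a system account */

    if (out != NULL)
        *out = *pw;
    return TARGET_OK;
}

int main(int argc, char **argv)
{
    struct passwd pw;
    const char *spec = argc > 1 ? argv[1] : "#65534";   /* constructed default */
    enum target_status st = resolve_target_user(spec, 500, &pw);
    if (st == TARGET_OK)
        printf("%s -> uid %u gid %u home %s\n", spec, (unsigned)pw.pw_uid,
               (unsigned)pw.pw_gid, pw.pw_dir);
    else
        printf("%s rejected (status %d)\n", spec, (int)st);
    return st == TARGET_OK ? 0 : 1;
}
```

Removing the lookup would also remove the pw_uid, pw_gid and pw_dir values that the later ownership and directory checks depend on, which is why a UID with no system passwd entry cannot simply be waved through.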
