On 21 January 2011 03:02, Joonas Lehtolahti <[email protected]> wrote:
> On Thu, 20 Jan 2011 08:00:46 +0200, Graham Dumpleton
> <[email protected]> wrote:
>
>> On 20 January 2011 16:40, Joonas Lehtolahti <[email protected]> wrote:
>>>
>>> On Thu, 20 Jan 2011 04:47:14 +0200, Graham Dumpleton
>>> <[email protected]> wrote:
>>>
>>>> That one feature is the ability to define a template for a daemon
>>>> process group with new daemon process groups setup according to that
>>>> template being able to be started dynamically without having to
>>>> restart Apache. That is, instead of having to change the static
>>>> configuration of Apache, could be as simple as just dropping a WSGI
>>>> script file in place and when a request occurs which gets routed to
>>>> that, a new daemon process group for that application is created
>>>> automatically, with it running with user/group corresponding to the
>>>> ownership of the WSGI script file.
>>>
>>> This is practically the only thing I can remember of that I'd like to
>>> see from mod_wsgi. Then again, I would want this to be generic option
>>> in Apache itself applying to CGI scripts and whatnot running from
>>> user's home www folders.
>>
>> Don't follow you about the CGI scripts as you can already configure
>> Apache in ways that would automatically allow CGI scripts to work in
>> users' home www directories without need to reconfigure when you add a
>> new account.
>>
>> <Directory /home/*/public_html/cgi-bin>
>>     Options ExecCGI
>>     AddHandler cgi-script .cgi
>> </Directory>
>>
>> Use this in combination with mod_userdir and then as soon as you
>> create a new user account and add public_html directory under it, then
>> you can add cgi-bin directory with CGI scripts in it.
>
> This is how I have it set up.
>
>> Note though that this relies on Apache user having the ability to read
>> into users' home directory.
>
> Yes, and the point here was that it is still Apache user, so if the Apache
> user has access to every user's public_html, then any CGI scripts executed
> there also have access to every user's public_html and even the root
> /var/www (or whatever the DocumentRoot is). So what I want is that CGI
> scripts from user folders are also executed as another user account than
> the generic Apache account, just like what you're planning for mod_wsgi,
> the effective user/group for executing the wsgi script depends on that
> file's owner information.

Not sure why you are expecting mod_wsgi to address an issue with
mod_cgi/mod_cgid.

Anyway, have you ever read up about suexec for CGI scripts?

http://httpd.apache.org/docs/2.2/suexec.html

That allows you to run CGI scripts as a different user to the Apache user.

Graham

>> A better approach may be:
>>
>> <Directory /usr/local/www/*/cgi-bin>
>>     Options ExecCGI
>>     AddHandler cgi-script .cgi
>> </Directory>
>>
>> The mod_userdir configuration would then instead be set to:
>>
>> UserDir /usr/local/www
>>
>> instead of:
>>
>> UserDir public_html
>>
>> If you then make ~/public_html a symlink to /usr/local/www/<username>
>> and the directories under /usr/local/www would be owned by the
>> specific user and permissions such that Apache user can read them a
>> user isn't going to know it isn't under their own account.
>>
>> This way on a system with restrictive home directory permissions you
>> don't need to add r-x to others.
>
> Yeah, that's a good point. Still if the CGI script is being executed with
> Apache user, it has access to anywhere the Apache user has access to,
> including other users' /usr/local/www/<username>/ stuff.
>
> --
> You received this message because you are subscribed to the Google Groups
> "modwsgi" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/modwsgi?hl=en.
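Added example, not part of the original thread or of Apache/mod_wsgi: a preflight check that mirrors a subset of the file and directory checks listed in the suexec documentation linked above, to see why suexec would refuse to run a per-user CGI script as its owner. The names `suexec_file_checks` and `demo` are hypothetical, the sample tree is constructed, and suexec's other checks (minimum uid/gid, docroot containment, environment cleaning) are not covered.

```python
import os
import stat
import tempfile

OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH

def suexec_file_checks(script, uid, gid):
    """Return the reasons suexec would refuse to run `script` as uid/gid.

    Covers only the file and directory checks; an empty list means they pass.
    """
    problems = []
    prog = os.lstat(script)  # lstat: a symlinked script is rejected, not followed
    cwd = os.stat(os.path.dirname(os.path.abspath(script)))
    if stat.S_ISLNK(prog.st_mode):
        problems.append("script is a symbolic link")
    if cwd.st_mode & OTHERS_WRITE:
        problems.append("directory writable by group/other")
    if prog.st_mode & OTHERS_WRITE:
        problems.append("script writable by group/other")
    if prog.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("script is setuid/setgid")
    if (prog.st_uid, prog.st_gid) != (uid, gid):
        problems.append("owner does not match target user/group")
    if (cwd.st_uid, cwd.st_gid) != (uid, gid):
        problems.append("directory owner does not match target user/group")
    return problems

def demo():
    """Constructed sample tree: one well-formed script, one loose one."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        owner = os.stat(d)
        results = []
        for name, mode in (("ok.cgi", 0o755), ("loose.cgi", 0o4775)):
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)
            results.append(suexec_file_checks(path, owner.st_uid, owner.st_gid))
        return results

if __name__ == "__main__":
    for problems in demo():
        print(problems or "passes the file checks")
```

Run against a real tree, pass the uid and gid of the account the script is meant to execute as; a non-empty result points at the permission to tighten before suexec will run the script.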
