On Wed, 2003-04-02 at 15:58, Denis Jacobi wrote:
> :-) I thought I described the problem pretty well using Bob and Emma.

Oh, we see the problem alright <cracks knuckles>.

> Well, sadly there is a more serious background to my problem. In my
> case Bob is the apache webserver.

That bastard.

> I installed a new server which should host just a small number of
> virtual sites. The customers should be able to use cgi scripts. The
> problem is that cgi's are executed with the rights of the apache, which
> would mean every virtual site could read all data out of all other
> virtual sites. That is why I use cgiwrap, which executes a cgi script
> with the owner/group of the file. So I gave every virtual site its own
> group and put apache in that group and chmoded the directory and files
> to e.g. 770. This way apache can read the directories (virtual sites'
> documentroot), which of course is necessary, but users of one virtual
> site can't read via cgi script the contents of other virtual sites.

I just talked to a friend of mine. He informs me that if you're using XFS
or EXT3 with ACL support then you can do:

    chown -R <user> <directory>
    chmod 700 <directory>
    setfacl -R -m u:apache:r <directory>

on the virtual host directories. The user will then own the directory and
it will be unreadable by others. The setfacl command then gives apache
read access to those directories. After that, remove apache from all the
extra groups.

There might be an apache/chroot solution to this problem but this seems so
simple that I don't know if I'd look elsewhere.

-- 
Cliff Wells, Software Engineer
Logiplex Corporation (www.logiplex.net)
(503) 978-6726 x308  (800) 735-0555 x308

-- 
redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list
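The chown/chmod/setfacl recipe from the reply above, wrapped in a small POSIX shell script that applies it to one virtual host's document root and then verifies the result. This is an added example, not code from the original thread or from Red Hat; it assumes the web server runs as user `apache`, that the `acl` package (`setfacl`/`getfacl`) is installed on an ACL-enabled filesystem, and that the owner and directory are passed as arguments. Two details go beyond the post: the ACL entry is `rX` rather than `r`, because a directory must carry execute permission to be traversed at all (the capital `X` grants execute only on directories and on files that are already executable, so CGI scripts are not made executable for apache as a side effect), and a default ACL is added so files the customer uploads later inherit the same access. The `chmod 700` is deliberately issued before `setfacl`: chmod rewrites the ACL mask and would otherwise silently neutralise the named-user entry.

```shell
#!/bin/sh
# Added example (not from the original post): lock down one vhost document
# root so only its owner and the web server user can read it.
# Assumptions: web server user "apache" (override with WEB_USER), GNU stat,
# and the acl tools on an ACL-capable filesystem (ext3 with acl, XFS).

WEB_USER="${WEB_USER:-apache}"

# Emit the commands for one vhost. Kept separate from execution so the plan
# can be reviewed or tested without root.
vhost_plan() {
    owner="$1"; dir="$2"
    printf 'chown -R %s %s\n' "$owner" "$dir"
    # 700 first: chmod rewrites the ACL mask, so it must precede setfacl.
    printf 'chmod 700 %s\n' "$dir"
    # rX, not r: directories need x to be traversed; X does not make
    # regular files executable for apache.
    printf 'setfacl -R -m u:%s:rX %s\n' "$WEB_USER" "$dir"
    # Default ACL on directories only, so newly created files inherit it.
    printf 'find %s -type d -exec setfacl -d -m u:%s:rX {} +\n' "$dir" "$WEB_USER"
}

# The post's last step: take apache back out of the per-site group.
vhost_drop_group() {
    printf 'gpasswd -d %s %s\n' "$WEB_USER" "$1"
}

# Run the plan (requires root).
vhost_apply() {
    vhost_plan "$1" "$2" | sh -e
}

# Check 1: top-level mode is exactly 700 (no group or other access).
vhost_mode_ok() {
    [ "$(stat -c %a "$1")" = "700" ]
}

# Check 2: the web server user has an explicit named-user ACL entry.
vhost_acl_ok() {
    getfacl -p "$1" 2>/dev/null | grep -q "^user:$WEB_USER:r"
}

# Usage: sh vhost-acl.sh plan  <owner> <dir>   (review the commands)
#        sh vhost-acl.sh apply <owner> <dir>   (run them, as root)
case "${1:-}" in
    plan)  vhost_plan "$2" "$3" ;;
    apply) vhost_apply "$2" "$3" && vhost_mode_ok "$3" && vhost_acl_ok "$3" \
               && echo "ok: $3 locked to $2 + $WEB_USER" ;;
esac
```

Run `getfacl <directory>` afterwards: the mask line should read `mask::r-x`, and apache should see only `user:apache:r-x`. If a later `chmod g-rwx` or similar is run on the tree, re-check the mask, since that is the step that quietly breaks this setup.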