Hello. Does mongrel support a 'suexec'-like mechanism for executing code with the privileges of a specific user?
Consider the following scenario: A Linux server has a large number of web-hosting accounts, each corresponding to a separate Apache virtual host. We wish to use a single Rails application to allow users to edit their personal account settings (i.e. modify files that they own in their account). As there is only ever one Rails administration application, it makes sense to deploy one mongrel_cluster to run this. We can then use Apache mod_proxy_balancer to expose this application as a URL within the client account's domain, for example: http://www.myhost.com/admin/ Now, the problem we have is that the mongrel cluster is running as user 'mongrel', and this user does not have access to the private files owned by the user that are to be manipulated by the administration application. With a regular PHP web-app, this problem would be resolved by running the application via suexec, thereby giving the application access to edit the user's files (and also preventing access to other user's files). How can I do a similar thing with Rails and mongrel as the preferred Rails deployment method? At the moment I see two options: (1) Run the application as a separate mongrel_cluster for each user. This solves the user permissions problem, but has the unacceptable drawback of requiring a huge amount of resources (processes, ports, memory, etc) to run hundreds of mongrel instances of the same application (which is only ever accessed by users occasionally). (2) Add the 'mongrel' user to each user's unix group. This solves the problem of letting the administration application access each user's private files, however has the drawback of a single point of failure - a security breach of the Rails app gives a malicious user access to files in ALL accounts! Now an ideal third option would be if mongrel supported a 'suexec' like feature, that allowed specific requests to be executed with specific user privileges. This would resolve the permissions problem and also minimise resource wastage by preventing the need to run multiple instances of the same application. Does anyone know if such a 'suexec' type feature exists for mongrel, or if one is even planned? Thanks for any help you can give with this. Scott -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Deploying Rails" group. To post to this group, send email to rubyonrails-deployment@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/rubyonrails-deployment?hl=en -~----------~----~----~----~------~----~------~--~---
