I am running httpd(8) to serve some sites, and I have setup groups like so:
www: only has www in it
webdevels: has www and users who have access to at least one domain
under /var/www/sites, there is a per-domain directory that holds that
domain's website:
/var/www/sites/domain1
/var/www/sites/domain2
/var/www/sites/domain3
For each such directory there's a separate group, and select users
belong to that group, but the user www belongs to all of them.
The idea is that each webdevel should have read/write access to their
own domain, but no access whatsoever to the other domains, while the
user www should be able to access all of them.
/var/www/sites is mod 750, owner: root, group: webdevels
When I run httpd I see that it's run as www but:
The webserver cannot access any files under /var/www/sites.
If I chmod the directory to 755, it does.
If I chgrp the directory to www, it does.
How can a process (httpd in this case) that runs as certain user (www in
this case) lose/gain access just by chgrp'ing a directory to a different
group, given that its user belongs to both?
(I thought that this was not possible; hence the subject.)
Following a discussion on #openbsd, it seems that httpd forces itself to
"drop" priveledges to a process that runs as user www but belonging only
to the www group, ignoring any other groups that the user www belongs to.
Why is this so? Nginx seems to be doing the same thing, so I guess
there is something to gain. Can someone shed some light?
Thanks!
P.S. In case someone's wondering, it's not a question of "changes taking
effect after the next login", I've even rebooted various times ever
since I've modified my users and groups the way I described above.
--
Thanos
http://www.tsouanas.org/
