I am running httpd(8) to serve some sites, and I have set up groups like so:

www: only has www in it
webdevels: has www and users who have access to at least one domain

Under /var/www/sites, there is a per-domain directory that holds that domain's website:

/var/www/sites/domain1
/var/www/sites/domain2
/var/www/sites/domain3

For each such directory there's a separate group, and select users belong to that group, but the user www belongs to all of them.

The idea is that each webdevel should have read/write access to their own domain, but no access whatsoever to the other domains, while the user www should be able to access all of them.

/var/www/sites is mode 750, owner: root, group: webdevels

When I run httpd I see that it's run as www but:

The webserver cannot access any files under /var/www/sites.
If I chmod the directory to 755, it does.
If I chgrp the directory to www, it does.

How can a process (httpd in this case) that runs as a certain user (www in this case) lose/gain access just by chgrp'ing a directory to a different group, given that its user belongs to both? (I thought that this was not possible; hence the subject.)

Following a discussion on #openbsd, it seems that httpd forces itself to "drop" privileges to a process that runs as user www but belonging only to the www group, ignoring any other groups that the user www belongs to.

Why is this so? Nginx seems to be doing the same thing, so I guess there is something to gain.

Can someone shed some light?

Thanks!

P.S. In case someone's wondering, it's not a question of "changes taking effect after the next login"; I've even rebooted various times ever since I modified my users and groups the way I described above.

-- 
Thanos
http://www.tsouanas.org/
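The behaviour asked about above comes down to what the kernel's permission check sees after the daemon has dropped privileges. The following C program is an added example written for this page, not code from the poster, from OpenBSD httpd or from nginx. It models the Unix owner/group/other check with a tiny in-memory stand-in for /var/www/sites (the uids and gids are constructed values, not the real ones on any system), and contrasts the user www as a login would see it (every group from /etc/group) with www as a daemon leaves it after `setgroups(1, &gid)`, which is the sequence the thread describes. The two workarounds from the post (chmod 755 and chgrp www) are modelled as well. `drop_privileges()` shows the real system-call order but needs root, so the example's own `main` does not call it.

```c
#define _DEFAULT_SOURCE
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>

/* Constructed ids for the example; not the real ids on the poster's box. */
#define UID_ROOT      0
#define UID_WWW       67
#define GID_WWW       67
#define GID_WEBDEVELS 1000
#define GID_DOMAIN1   1001

enum { PERM_R = 4, PERM_W = 2, PERM_X = 1 };

/* Process credentials as the kernel sees them after a privilege drop. */
struct creds {
    uid_t uid;
    gid_t gid;            /* effective group id */
    const gid_t *groups;  /* supplementary group list, set by setgroups(2) */
    int ngroups;
};

/* The parts of a file's metadata the permission check looks at. */
struct fileperm {
    uid_t owner;
    gid_t group;
    mode_t mode;          /* permission bits only, e.g. 0750 */
};

static bool in_group(const struct creds *c, gid_t g)
{
    if (c->gid == g)
        return true;
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/* Classic Unix discretionary check (root's override left out on purpose):
 * pick the owner, group or other permission class, then compare the bits. */
bool may_access(const struct creds *c, const struct fileperm *f, int want)
{
    int bits;
    if (c->uid == f->owner)
        bits = (f->mode >> 6) & 7;
    else if (in_group(c, f->group))
        bits = (f->mode >> 3) & 7;
    else
        bits = f->mode & 7;
    return (bits & want) == want;
}

/* /var/www/sites as described in the post: root:webdevels, mode 750. */
static const struct fileperm sites_dir = { UID_ROOT, GID_WEBDEVELS, 0750 };

/* www as a login shell would see it: every group listed in /etc/group. */
static const gid_t www_all_groups[] = { GID_WWW, GID_WEBDEVELS, GID_DOMAIN1 };
static const struct creds www_login = { UID_WWW, GID_WWW, www_all_groups, 3 };

/* www as httpd leaves it: setgroups(1, &gid) keeps only the primary group. */
static const gid_t www_only[] = { GID_WWW };
static const struct creds www_daemon = { UID_WWW, GID_WWW, www_only, 1 };

/* Searching a directory needs the x bit, so that is what each case tests. */
bool login_can_traverse_sites(void)  { return may_access(&www_login,  &sites_dir, PERM_X); }
bool daemon_can_traverse_sites(void) { return may_access(&www_daemon, &sites_dir, PERM_X); }

/* The two workarounds from the post; both widen who can get into the tree. */
bool daemon_can_traverse_after_chmod_755(void)
{
    struct fileperm d = sites_dir; d.mode = 0755;
    return may_access(&www_daemon, &d, PERM_X);
}
bool daemon_can_traverse_after_chgrp_www(void)
{
    struct fileperm d = sites_dir; d.group = GID_WWW;
    return may_access(&www_daemon, &d, PERM_X);
}

/* The drop sequence the thread describes, as daemons usually write it:
 * shrink the supplementary list to one entry, then change gid, then uid.
 * Needs root, so it is only shown here and not called from main. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) == -1) return -1;
    if (setgid(gid) == -1)        return -1;
    if (setuid(uid) == -1)        return -1;
    return 0;
}

int main(void)
{
    printf("www with all groups, sites 750 root:webdevels: %s\n",
           login_can_traverse_sites() ? "ok" : "denied");
    printf("www after setgroups(1), same directory:        %s\n",
           daemon_can_traverse_sites() ? "ok" : "denied");
    printf("... after chmod 755:                           %s\n",
           daemon_can_traverse_after_chmod_755() ? "ok" : "denied");
    printf("... after chgrp www:                           %s\n",
           daemon_can_traverse_after_chgrp_www() ? "ok" : "denied");
    return 0;
}
```

The model makes the symptom visible: group membership in /etc/group only reaches a process through its supplementary group list, and `setgroups(1, &gid)` throws that list away, so the daemon is in the "other" class for a root:webdevels directory no matter what /etc/group says. A daemon that wanted to keep those memberships would call initgroups(3) instead before setgid/setuid; dropping them is the least-privilege choice, since a compromised worker process then cannot reach anything its primary group and the world bits do not already grant.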