On Mon, 17 Dec 2007, Drew A. Withers wrote:

> I'm setting up a webserver that uses nfs to access user home
> directories. User information is accessed through an LDAP server and the
> nfs server has root squash enabled for the webserver as a security measure.

What OS? This is helpful information. What version of Apache? What version of suPHP? What "mode"? All these would much better enable people to help you.

> Suphp uses setuid root to try and access the requested php script as
> root before it ever tries to execute it as the script owner.

I would think this would depend on what "mode" you're running suPHP in. Logically speaking, if you are running in "owner" mode, i.e. run scripts as their owner, I can't imagine how a setuid script could figure out this situation without doing a stat() call (perhaps by calling a setuid-nobody "ls" binary? But that's abstract :)). In "paranoid" or "force" mode, these file accesses to do security checks could be done after setid-ing to the user.

That said, I have a similar "squash" in effect on my end. Accesses by root on the NFS client map to UID -1 on the server -- so as long as all the files involved are world-readable (as they should be) you should be fine (as I'm currently looking through my homedir as root... but can't open my .mail file). I'm just not running suPHP on it, so I don't know for sure if everything works.

> So when someone wants to run a php script that is located on our nfs
> server, suphp tries to access it first as root and gets root squashed so
> suphp returns a file not found error before it ever even gets a chance
> to execute the php script as the owner.

Could you post the exact log errors?

> Our current webserver is running an old hacked suphp that somehow works
> around this issue, but the hacker is neither available for comment, nor
> did he leave his source with us.
>
> Any ideas would be greatly appreciated.

So would more information.

--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------

_______________________________________________
suPHP mailing list
[email protected]
http://lists.marsching.biz/mailman/listinfo/suphp
