On Jan 20, 2008, at 11:52 PM, Ashoat Tevosyan wrote: >>> Hello all, >>> I am running Apache 2.2.6 with PHP 5 and suPHP in a cPanel >>> environment. >>> >>> I have the following issue. I want to run suPHP, but I want there to >>> be a single file that every single user can access. As it doesn't >>> seem like there is a possible way to do this with the UID-checking >>> suPHP does (correct me if I am wrong), I am wondering if I could >>> disable the user-check and leave only the group-check. That way, >>> considering all the files the users own on their vhosts are under >>> the specific user's group, only they would be able to access it. But >>> I could put the particular file I need everyone-access-privileges >>> under a group that includes all users. >>> >>> Is this possible? Are there any solutions to my issue? >>> >> >> The version of mod_suphp in cPanel has several patches applied to it >> and functions a little differently than the pristine upstream >> version. Basically, what you'd need to do is disable both the UID >> and >> GID checks in suphp.conf, making mod_suphp behave as if it was >> compiled in force mode. The GID check compares the current GID >> against the GID of the script, so it would not pass that check if the >> user is a member of the group that owns the script but not configured >> to run as that GID via suPHP_UserGroup. >> >> J.D. Lightsey > > Thanks for the response JD! > > So, looks like there is no way of making suPHP ignore a single file. > Do you > know of any other solutions that could work? The issues I have with > disabling both user and groups checks in suPHP are twofold: > 1) That pretty much makes suPHP useless. I've already disabled the > permissions check...
I wouldn't say it makes mod_suphp useless to have those file ownership checks disabled. It's just one part of what mod_suphp is doing. Of course, if you want a solution that narrowly allows that one script to run, the mod_suphp source code is very well organized and easy to follow. It would be fairly simple to hard code an exception for that script in Application.cpp. > 2) I don't know how. I've been trying to figure out how to disable a > check > in suphp.conf for a while now, but I can't figure it out. Any ideas? On a cPanel system you'd edit /opt/suphp/etc/suphp.conf and change paranoid_uid_check and paranoid_gid_check to false. That will make mod_suphp behave as if it was compiled in force mode. Feel free to contact me directly if you need more help. This really has more to do with the way cPanel patches and configures mod_suphp than the core mod_suphp code itself. If anyone else reading this is interested in looking at the patches cPanel applies to mod_suphp, they're in this tarball: http://httpupdate.cpanel.net/cpanelsync/easy/targz/Cpanel/Easy/Apache/PHPAsUser.pm.tar.gz J.D. _______________________________________________ suPHP mailing list [email protected] http://lists.marsching.biz/mailman/listinfo/suphp
