On 09/03/10 20:41, corrideat wrote:
> So, if I've got it right the patch should cover the following:
> . A User/Group that is allowed to own everything. Probably, this
> should be set at compile time for integrity and enhanced security.
> . An optional directive (server side), which can be turned off at
> compile time, to permit those files owned by the shared user ONLY to
> RUN as the shared user.
> This shouldn't be that hard to add to suPHP. If I have time this
> weekend, I'll submit the corresponding patch.

Well, pretty much it. Of course, setting something at compile time versus in config makes it bad for making packages that will suit many. That optional directive sounds like an existing feature of suPHP; I mean, doesn't it do the same as --with-setid-mode=owner? Or did you mean that to be an extra setting so that if there are shared files they are run as the shared user, but normal files are handled with setid-mode? But maybe Conor could say something, as he was the first to post about it. And Dave's patch also seems a good and possible way to do it, but unfortunately I don't have time to work on this now and test whether it would suit my needs.

>
> On Mon, Mar 8, 2010 at 8:55 AM, Dave Ingram <[email protected]> wrote:
>> Jani Ollikainen wrote:
>>
>> On 06/03/10 20:08, Conor Clafferty wrote:
>>
>>
>> e.g. /usr/share/mysharedfolder should be allowed to be executed by any
>> of my users but not writeable.
>>
>>
>> That sounds like a feature that I would also appreciate. Now, as I cannot even
>> use symlinks to do that, my only option has been to copy the files to
>> everyone.
>>
>> But how would that be easiest to implement? One thing that comes to my mind
>> is having a configuration setting of the owner whose files everyone
>> can run. Like:
>>
>> shared_user=username
>>
>> Then every file that is owned by username would be allowed to run by
>> the users. Then in my configuration I could use symlinks to
>> /usr/share/mysharedfolder.
>>
>> This would add some checks to the permission checks but shouldn't slow
>> it down much.
>>
>> So who wants to implement that? (Or some better way of doing it :)
>>
>>
>> I've implemented something similar -- the patch is at
>> https://lists.marsching.com/pipermail/suphp/2009-September/002209.html
>>
>> The basics are that it allows you to turn off user checks and rely on group
>> checks instead. It should also be possible to modify it to handle a
>> "trusted" set of users/groups. If you want, I can probably knock that
>> together tonight.
>>
>>
>> Dave
>>
>> _______________________________________________
>> suPHP mailing list
>> [email protected]
>> https://lists.marsching.com/mailman/listinfo/suphp
>>
>>
>
>

--
Best regards,
Jani Ollikainen @ Pronetko Networks Oy
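The ownership check the thread is designing (a `shared_user` whose files every vhost user may run, optionally running them as that shared user, with the target-user check kept for everything else) sketched as a small C model. This is an added example, not suPHP's code or Dave's patch: the `shared_policy` struct, the `decide` and `decide_path` functions, and the uids 1000 (shared owner) and 2001 (a vhost user) are all constructed for illustration. The decision is computed from the file's owner and mode bits only, so it can be exercised on metadata without touching the filesystem; `decide_path` is the thin wrapper that feeds it `stat()` results.

```c
/* Added example (not suPHP's own code): a model of the "shared_user"
 * directive proposed in this thread. Names and uids are constructed. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hypothetical configuration: shared_uid is the owner whose files every
 * user may run, or (uid_t)-1 if the directive is unset; run_as_shared
 * selects the "optional directive" variant where such files run AS the
 * shared user instead of as the requesting vhost user. */
typedef struct {
    uid_t shared_uid;
    int   run_as_shared;
} shared_policy;

typedef enum {
    DECISION_DENY = 0,
    DECISION_RUN_AS_TARGET,   /* normal setid-mode behaviour */
    DECISION_RUN_AS_SHARED    /* file owned by shared_uid, run as shared_uid */
} decision;

/* Constructed sample policies (uid 1000 plays the shared owner). */
const shared_policy POLICY_SHARED_RUN    = { 1000, 1 };
const shared_policy POLICY_SHARED_TARGET = { 1000, 0 };
const shared_policy POLICY_UNSET         = { (uid_t)-1, 0 };

/* Decide whether a script with owner `file_uid` and permission bits `mode`
 * may be executed on behalf of `target_uid` (the vhost's user). Pure
 * function of the metadata so it can be tested without real files. */
decision decide(uid_t file_uid, mode_t mode, uid_t target_uid,
                const shared_policy *p)
{
    /* The shared folder must be runnable by all but writable by none of
     * them: a group- or world-writable script could be replaced by any
     * other tenant and would then run under someone else's identity. */
    if (mode & (S_IWGRP | S_IWOTH))
        return DECISION_DENY;

    /* Ordinary case: the script belongs to the user we are switching to. */
    if (file_uid == target_uid)
        return DECISION_RUN_AS_TARGET;

    /* Shared case: owned by the configured shared user. */
    if (p->shared_uid != (uid_t)-1 && file_uid == p->shared_uid)
        return p->run_as_shared ? DECISION_RUN_AS_SHARED
                                : DECISION_RUN_AS_TARGET;

    return DECISION_DENY;
}

/* Wrapper for a real path. stat() follows symlinks on purpose: the owner
 * and mode that matter are those of the resolved target in the shared
 * folder, not of the per-vhost symlink pointing at it. Non-regular files
 * are refused outright. */
decision decide_path(const char *path, uid_t target_uid,
                     const shared_policy *p)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return DECISION_DENY;
    return decide(st.st_uid, st.st_mode, target_uid, p);
}

int main(void)
{
    /* Constructed metadata: a 0755 script owned by the shared user,
     * requested by vhost user 2001. */
    decision d = decide(1000, 0755, 2001, &POLICY_SHARED_RUN);
    printf("shared file, run_as_shared on: %s\n",
           d == DECISION_RUN_AS_SHARED ? "run as shared user" : "other");
    d = decide(1000, 0775, 2001, &POLICY_SHARED_RUN);
    printf("group-writable shared file: %s\n",
           d == DECISION_DENY ? "denied" : "allowed");
    return 0;
}
```

With the directive unset the model falls back to the plain owner-must-match rule, which is why the last policy in the block denies the shared file; the writable-bit refusal applies in every mode, including the ordinary owner case.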
