httpd-dev mailing list archives

From Brian Behlendorf <br...@organic.com>
Subject New suexec's user/group functionality, and log files
Date Sat, 10 Aug 1996 22:05:55 GMT

Interesting request, in the light of our current plans for supporting
user/group configurable on a per-vhost basis, to have the log files for a given
vhost also set to that user/group.  I already followed up about our suexec
plans, but if someone is interested in pursuing the logfile idea feel free to
follow up with them...

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS

---------- Forwarded message ----------
Date: Fri, 9 Aug 1996 13:55:33 -0400 (EDT)
From: malyshki@cs.wmich.edu
To: brian@organic.com
Subject: Apache improvement

Brian,
I would like to suggest adding two very useful features to Apache.
First of all, add User and Group parameters to the virtualhost
configuration.

1. It will be very convenient
   when opening the log files (including referer_log etc.):
   if the log file(s) DOESN'T EXIST, create it with the User and Group
   ID from the virtualhost configuration.
   If the log file(s) DOES EXIST - current Apache behavior is OK.
   This allows users to read and delete their own log file without any
   problem if the corresponding User and Group are set.
   If User and Group in the virtualhost aren't set -
   everything will be as it is now.
   This feature is very easy to implement.

2. The second feature is also very useful, but it is much harder to
   implement:
   to start CGI with the User and Group ID from the virtualhost configuration
   when using CGI with the virtualhost.
   This will improve security among the users of one web server.
   Also, setting the +s bit on CGI will not be necessary any more.
   This is very important when people use shell or perl scripts as cgi,
   because it is very easy to break any shell/perl script with chmod u+s.

ln -s cgi_script_name -i ; -i  # this breaks any shell/perl script with +s

   The problem is that in the pre-forking model used in Apache
   all pre-forked processes are running, for example, as nobody
   and it isn't known which virtual host's request they will handle.
   To run pre-forked processes as root is dangerous. 
   I think that the best way to set user and group ID 
   is to create special root process "CGI SERVER" 
   that will do all user/group ID  changes. 

Sincerely,
Vladislav
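
Feature 1 above, sketched in C as an added example (not part of the original message and not Apache code): the function name `open_vhost_log` and its `uid`/`gid` parameters are hypothetical, standing in for the per-vhost User and Group values the message proposes. It creates the file exclusively and changes ownership on the descriptor, so a server started as root never chowns a file or symlink target that was already in place.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: open a vhost log for appending.
 * A file that does not exist yet is created and handed to uid/gid
 * (assumed to come from the proposed per-vhost User/Group settings);
 * an existing file keeps its current owner.
 * Returns a file descriptor, or -1 with errno set. */
int open_vhost_log(const char *path, uid_t uid, gid_t gid)
{
    /* O_EXCL: succeed only if this call creates the file, so the fchown
     * below can never reach a file somebody else put at this path. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_NOFOLLOW,
                  0640);
    if (fd >= 0) {
        /* fchown on the descriptor, not chown on the path: no second
         * path lookup that could be redirected in between. */
        if (fchown(fd, uid, gid) != 0) {
            int saved = errno;
            close(fd);
            unlink(path);       /* do not leave a wrongly owned file behind */
            errno = saved;
            return -1;
        }
        return fd;
    }
    if (errno != EEXIST)
        return -1;

    /* Existing file: behaviour unchanged, ownership untouched. Refuse
     * symlinks and anything that is not a regular file. */
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}
```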

