httpd-dev mailing list archives

From Gregory A Lundberg <>
Subject Re: mod_rewrite/2341: Permissions/Ownership of RewriteLock files prevent child access and thus apache from starting up when they are used.
Date Tue, 09 Jun 1998 13:27:22 GMT
On Tue, 9 Jun 1998, Ralf S. Engelschall wrote:

> Any suggestions how we can solve the above PR? The suggested fd passing is not
> an option because flock+fork doesn't work together (the child _has_ to open
> the lockfile itself). So what should we do? 
> 1. A chown to the uids the child run under (hmmm)
> 2. A chmod to open the lockfile for the world (grrrr)
> 3. ??
> Idea ideas or suggestions?

Is this making a case where, potentially, four UIDs/GIDs could be

- 0/0, root privileges when Apache needs them
- apache/apache, real non-privileged user for Apache internals
  .. this is the new UID/GID I'm suggesting; for many Unixes bin/bin
     or daemon/daemon may be good enough, but I'd lean toward a
     special user.  This user could own the lockfiles which were
     created using root privileges so u+w would be sufficient.  I'd
     also have this user owning log files, etc.
- nobody/nobody, real non-privileged user for externals (CGIs, etc)
  .. this user/group should own nothing and be the user/group CGIs
     run under unless we're using suEXEC.  Again, a special apache
     user (web/web) is probably a good idea.
- user/user, real non-privileged user (suEXEC, etc)

Parent (root/root) becomes (root/apache) creates lock files with
group-write then forks children.

Child (root/apache) opens apache-internal files it needs (lockfiles, et
al) before changing to (nobody/nobody) and processing requests.


Gregory A Lundberg		Senior Partner, VRnet Company
1441 Elmdale Drive    
Kettering, OH 45409-1615 USA    1-800-809-2195
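
The constraint quoted above (a forked child has to open the lockfile itself) and the order proposed in the reply (open the lockfile, then change user) can be checked with a short program. This is an added example, not part of the original message and not Apache code; the lock path, the function names and the use of the `nobody` account are assumptions.

```c
/* Added illustration, not Apache source. Lock path and account name are assumptions. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

/* Irreversibly switch to `user`: supplementary groups, then gid, then uid. */
static int drop_privileges(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || setgroups(0, NULL) != 0) return -1;
    return (setgid(pw->pw_gid) == 0 && setuid(pw->pw_uid) == 0) ? 0 : -1;
}

/* Parent creates the lockfile (0660 before umask: owner and group write, no world
 * access), takes LOCK_EX and forks. The child tries LOCK_EX|LOCK_NB on the inherited
 * descriptor or on one it opened itself, opening BEFORE any privilege drop.
 * drop_to may be NULL (no drop). Returns 1 if the child was excluded, 0 if it was
 * also granted the lock, -1 on error. */
int child_is_excluded(const char *path, int use_inherited_fd, const char *drop_to) {
    int status = 0, ok;
    int parent_fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0660);
    if (parent_fd < 0) return -1;
    if (flock(parent_fd, LOCK_EX) != 0) { close(parent_fd); return -1; }
    pid_t pid = fork();
    if (pid == 0) {
        int fd = use_inherited_fd ? parent_fd : open(path, O_RDWR | O_NOFOLLOW);
        if (fd < 0 || (drop_to != NULL && drop_privileges(drop_to) != 0)) _exit(2);
        if (flock(fd, LOCK_EX | LOCK_NB) == 0) _exit(0);  /* no mutual exclusion */
        _exit(errno == EWOULDBLOCK ? 1 : 2);              /* 1: lock was honoured */
    }
    ok = pid > 0 && waitpid(pid, &status, 0) == pid;
    close(parent_fd);
    unlink(path);
    if (!ok || !WIFEXITED(status) || WEXITSTATUS(status) > 1) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    const char *who = geteuid() == 0 ? "nobody" : NULL;  /* drop only if started as root */
    printf("inherited fd: excluded=%d\n", child_is_excluded("/tmp/rewrite_demo.lock", 1, who));
    printf("own open():   excluded=%d\n", child_is_excluded("/tmp/rewrite_demo.lock", 0, who));
    return 0;
}
```

On the inherited descriptor the child shares the parent's open file description, so its `flock()` call succeeds while the parent still holds the lock; only a descriptor the child opened itself is actually excluded.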
