httpd-dev mailing list archives

From Aidan Cully <ai...@panix.com>
Subject "responsible party" for requests
Date Fri, 12 Mar 1999 23:11:07 GMT

Hello, again..
It seems we've got a local hack in place that allows us to run scripts and
log information based on either the server's UID or (in the case where
the server is shared by several users) the st_owner of the file being
requested.  Right now that patch looks like (in several places):

    if (s->server_uid == 32767) {
        uid = r->finfo.st_owner;
    } else {
        uid = s->server_uid;
    }

and 'uid' can go into the access_log, or on the command line that gets
passed to SuEXEC.  This effectively replaces (but could be reworked to
augment) that '/~user' check in ap_call_exec() for running CGI-scripts as
the user.  As it is, the patch is completely unsuitable for inclusion
into Apache, but I think it makes good sense for Apache to provide some
kind of equivalent functionality.  Thing is, our users don't (currently,
though I may change this in chroot space) have passwd entries on our
webserver, and we've stuck all our users' home dirs in
htdocs/userdirs/$user.  That means that the user's files are accessible
as <http://www.panix.com/userdirs/user>, in addition to
<http://www.panix.com/~user>, and by requesting URLs the first way they
could bypass the /~user check in ap_call_exec().

Now, the question is, how should I put this functionality into Apache?
My thought is:
1) Add a config directive that's valid in global, virtualhost, and
  directory contexts that says, "responsible user is determined by file
  permissions".
2) Add a function that will return the responsible party for a request.
3) Rewrite ap_call_exec to use this info when calling SuEXEC.
4) Add an option to mod_log_config which will log the UID of the party
  responsible for a request.

If y'all agree with me, I'll start hacking this in Monday and give the
patch back next week.  Because it's designed to be used by other modules,
as well as a function in core, I think it's impossible to put this into a
module.

Feedback?
--aidan
-- 
Aidan Cully         "Chihuahuahuahuahua."
Panix Staff           --The Sugercubes
aidan@panix.com
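
Added example, not part of the original message or of Apache's code: a C sketch comparing the URL-prefix rule with the file-ownership rule the message proposes, for one file reachable under both /~user and /userdirs/user. The function names, NO_RESPONSIBLE_UID, the refusal to attribute to root and the uid 1042 are assumptions made for illustration; st_uid is the owner field of struct stat.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Assumed sentinel: server_uid 32767 marks a server shared by several users,
 * following the snippet in the message. */
#define SHARED_SERVER_UID  ((uid_t)32767)
#define NO_RESPONSIBLE_UID ((uid_t)-1)    /* hypothetical "refuse" value */

/* Simplified model of the URL-prefix rule: only "/~user" requests are
 * attributed to the user; the file owner stands in for the passwd lookup. */
uid_t uid_by_url_prefix(const char *uri, uid_t server_uid, const struct stat *finfo)
{
    if (strncmp(uri, "/~", 2) == 0 && uri[2] != '\0' && uri[2] != '/')
        return finfo->st_uid;
    return server_uid;
}

/* Ownership rule: on a shared server the file owner is responsible, otherwise
 * the server's UID. Never attributes a request to root (assumed policy). */
uid_t responsible_uid(uid_t server_uid, const struct stat *finfo)
{
    uid_t uid = (server_uid == SHARED_SERVER_UID) ? finfo->st_uid : server_uid;
    return uid == 0 ? NO_RESPONSIBLE_UID : uid;
}

/* Audit check: 1 when the two rules attribute the same request differently,
 * i.e. the URL reaches a user's file without passing the "/~user" test. */
int attribution_gap(const char *uri, uid_t server_uid, const struct stat *finfo)
{
    return uid_by_url_prefix(uri, server_uid, finfo) != responsible_uid(server_uid, finfo);
}

int main(void)
{
    /* Constructed case: one script owned by uid 1042, reachable by two URLs. */
    struct stat finfo = { .st_uid = 1042 };
    const char *uris[] = { "/~user/t.cgi", "/userdirs/user/t.cgi" };

    for (int i = 0; i < 2; i++)
        printf("%-22s prefix=%ld owner=%ld gap=%d\n", uris[i],
               (long)uid_by_url_prefix(uris[i], SHARED_SERVER_UID, &finfo),
               (long)responsible_uid(SHARED_SERVER_UID, &finfo),
               attribution_gap(uris[i], SHARED_SERVER_UID, &finfo));
    return 0;
}
```

Because responsible_uid() never looks at the URI, both aliases of the file resolve to the same UID, which is the property the access_log entry and the SuEXEC call both need.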
