From: "Daniel Quellhorst"
Reply-To: new-httpd@apache.org
Subject: Question about Apache Security on virtual hosting
Date: Thu, 14 Dec 2000 21:35:33 -0600

Hello,

I have noticed on most all shared virtual hosting companies that run Apache, any user with an account can go in and read the source code to the other people's scripts. This means that database user names and passwords can be read. Even on e-commerce hosting companies this is largely the case.

I know that you can set a User directive inside of virtual hosts, but that only works with CGI scripts. Is there a way in Apache 1.3, other than making separate running copies of Apache for each user, to have all requests, CGI and non-CGI, be done by a different user for every virtual host? I also do Host:-based virtual hosting, so separate instances are really not possible. If I compile PHP as a CGI, I then also have the issue of SSI scripts doing includes inside of other people's directories.

Will Apache 2.0 solve this? I currently have the latest CVS dump of Apache 2.0 running on my machine for testing. If there is a way to solve this issue with 2.0, I would love to know how. I would really value any input that you have.

Thanks,
Dan