httpd-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Re: Inclusion of mpm-itk into HEAD
Date Wed, 27 Jun 2007 15:16:44 GMT
On Wed, 27 Jun 2007 09:59:27 -0400
Rich Bowen <rbowen@rcbowen.com> wrote:

> It's a request that comes up every single day in the various support  
> forums: I am in a hosted environment, I have a virtual host, and a  
> bunch of random strangers have full read permissions to my sensitive  
> files, is there any way around this? So one of the main problems is  
> not applications at all, but is static files. Folks want their
> static files to be owned by themselves, and not readable to random
> other users on the same system, but also serve-able by Apache.

Group permissions.

> There
> are various user and group permissions that can make this
> sort-of-but-not-quite happen, because whatever you do, someone can
> write a cgi program that can read your files.

suexec.

> So, in that situation, mod_fastcgi, mod_scgi, or whatever, are  
> completely ineffectual. Having a solution where FILES are read by  
> some other UID would solve this long-standing complaint.
> 
> Speaking only as help-desk personnel, and not as a code developer -
> I have no insight into how this would be implemented, I only answer
> the question, every day of every week for the last half-dozen years.

This is a problem that could be solved by documentation.
Maybe not quite as simple, but when the alternative is accepting
new connections whilst running as root.

And if you really want it to be that simple, a solution would be
to create a pre-packaged distribution that uses cgi+suexec to serve
static files.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
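
An added example, not part of the original message or of Apache httpd: a small audit of the group-permission layout named in the reply (files owned by the site user, group set to the server's group, no access for other users). The function names, the finding strings and the constructed sample tree are assumptions, and the caller's own group stands in for the httpd group.

```python
import os
import stat
import tempfile


def audit_docroot(root, server_gid):
    """Check a tree against: group = httpd's group, group read-only, nothing for 'other'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing; its target is checked if inside the tree
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IRWXO:
                findings.append((rel, "accessible to other users"))
            if st.st_gid != server_gid:
                findings.append((rel, "group is not the server group"))
                continue
            # This check asks for group r-x on directories and group r on files.
            need = stat.S_IRGRP | (stat.S_IXGRP if stat.S_ISDIR(st.st_mode) else 0)
            if (mode & need) != need:
                findings.append((rel, "server group cannot read"))
            if mode & stat.S_IWGRP:
                findings.append((rel, "server group can write"))
    return sorted(findings)


def demo():
    """Constructed tree; the caller's own group stands in for the httpd group."""
    gid = os.getegid()
    with tempfile.TemporaryDirectory() as root:
        os.chown(root, -1, gid)
        os.chmod(root, 0o750)
        for name, mode in (("index.html", 0o640), ("notes.txt", 0o644), ("upload.html", 0o660)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chown(path, -1, gid)
            os.chmod(path, mode)
        return audit_docroot(root, gid)


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
```

The audit looks at mode bits only; code that runs as the server's own user can still read these files, which is the case the reply answers with suexec.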
