httpd-docs mailing list archives

From Astrid Keßler <k...@kess-net.de>
Subject Re: PerChild clarification
Date Sun, 02 Jun 2002 08:45:52 GMT

> If that is in fact what this directive does, in what way would that be
> useful? This is not in the context of a virtual host, but I'm just
> saying that a particular child process will run with certain privileges?
> Why would I want to do that? Can someone give an example where this is
> desirable?

This feature - I mean it in the same way - allows you to close a
security hole of the previous version.

Scenario:

You are a web hoster, running hundreds of domains, each configured as a
virtual host. For security, you are running suexec with each virtual
host having its own userid and group. For Apache to be able to read
static files (e.g. simple HTML files), it must run with a userid that
is a member of all these groups. On Unix/Linux systems a userid can
only be a member of up to 8/16/32 groups, depending on the system. If
you need more, you have to patch the kernel and rebuild the system
(or you have to patch suexec).

Instead, most providers run Apache with suexec, each virtual host
having its own userid. But all userids are members of the same
group. So a CGI script can access every file of every virtual host.

Kess

E-Mail: kess@kess-net.de
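
The trade-off described in this message, modelled as an added example (not part of the original e-mail and not Apache or suexec code): it applies the classic Unix owner/group/other read check to two constructed layouts of 100 virtual hosts, one with a single shared group and one with a group per virtual host. All names, ids, paths and the 0640 file mode are assumptions; root and ACLs are ignored.

```python
from collections import namedtuple

Account = namedtuple("Account", "name uid gids")   # gids: set of group ids
File = namedtuple("File", "path uid gid mode")

def can_read(acct, f):
    """Classic Unix permission check: the first matching class decides."""
    if acct.uid == f.uid:
        return bool(f.mode & 0o400)
    if f.gid in acct.gids:
        return bool(f.mode & 0o040)
    return bool(f.mode & 0o004)

def cross_vhost_reads(vhosts, files):
    """(user, path) pairs where a vhost user can read another vhost's file."""
    return [(a.name, f.path) for a in vhosts for f in files
            if a.uid != f.uid and can_read(a, f)]

def groups_server_needs(files):
    """Groups the server user must join to read files closed to 'other'."""
    return {f.gid for f in files if f.mode & 0o040 and not f.mode & 0o004}

def build(n, shared_gid=None):
    """Constructed layout: n vhosts, one 0640 file each (all ids are made up)."""
    vhosts, files = [], []
    for i in range(1, n + 1):
        gid = shared_gid if shared_gid is not None else 3000 + i
        vhosts.append(Account(f"vhost{i}", 1000 + i, {gid}))
        files.append(File(f"/srv/vhost{i}/index.html", 1000 + i, gid, 0o640))
    return vhosts, files

if __name__ == "__main__":
    for label, shared in (("shared group", 2000), ("group per vhost", None)):
        vhosts, files = build(100, shared)
        print(label, "| cross-vhost reads:", len(cross_vhost_reads(vhosts, files)),
              "| groups the server needs:", len(groups_server_needs(files)))
```

With the shared group the server needs one group but every virtual host user can read every other host's files; with a group per virtual host the cross-host reads disappear, and the server needs 100 groups, beyond the 8/16/32 limit mentioned above.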

