httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rich Bowen <rbo...@rcbowen.com>
Subject Re: PerChild clarification
Date Sun, 02 Jun 2002 11:28:43 GMT
On Sun, 2 Jun 2002, [ISO-8859-15] Astrid Ke▀ler wrote:

>
> > If that is in fact what this directive does, in what way would that be
> > useful? This is not in the context of a virtual host, but I'm just
> > saying that a particular child process will run with certain privileges?
> > Why would I want to do that? Can someone give an example where this is
> > desirable?
>
> This feature - I'm meaning it in the same way - allows you a to close a
> security hole of the previous version.
>
> Scenario:
>
> You are a web hoster, running hundreds of domains, each configured as
> virutal host. For security, you are running suexec with each virtual
> host having its own userid and group. For the apache being able to read
> statical files (e.g. simple html-files), it must be run with an userid,
> being member of all these groups. On unix/linux systems the userid can
> only be a member of up to 8/16/32 groups, depending on the system. If
> you need more, you have to patch the kernel and rebuild the system
> (or you have to patch suexec).

Yeah, I understand that part, but why would you want to tie this
user/group ID to a particular child process, rather than to a virtual
host? I understand why the AssignUserId directive is useful, it's the
ChildPerUserId one that seems very strange to me.

> Instead most of the providers do run the apache with suexec, having each
> virtual host its own userid. But all userids are a member of the same
> group. So a cgi-script can access every file of ervery virtual host.

Well, I tend to create a group per user, so that they are isolated in a
group by themselves, but that does not get me any closer to
understanding this directive.

Perhaps I'll ask differently - Why would you want to use ChildPerUserId
rathr than AssignUserId? Or are they used somehow in conjunction with one
another? Comments in the docs indicate that more explanation is
necessary, and I'm trying to get that additional explanation.

-- 
Rich Bowen
Apache - mod_perl - Perl - CGI
http://www.ApacheAdmin.com/


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message