httpd-users mailing list archives

From Ted Packwood <>
Subject Unix permissions limitation
Date Mon, 22 Apr 2002 17:39:00 GMT
I'm sure this problem has been addressed before but I couldn't 
find it in the archives.

Our old implementation of Apache for internal web services here at Cray
uses, of course, a specific UID and GID (let's just call it nobody)
for the httpd daemon which, from my understanding, needs read permission
on any document you want to be able to be viewed through a browser.
This currently runs on IRIX but I would assume the situation to be
the same for any unix platform.  At any rate, we run several virtual
web servers all owned by different groups within the company.  Each
group needs to be able to restrict access to their web files on both
the web side and the unix side.  The web side is easy, of course, with
.htaccess files.  The unix side is problematic, from my understanding,
because the httpd daemon needs read permission.  Because the httpd 
daemon is "stuck" on a specific UID/GID, I see only the following as

1) All web documents need the world-read permission bit set (which is
simply not acceptable from a security standpoint)
2) All web documents need the group-read permission bit set AND have
all the documents group-owned by the GID of the httpd daemon.  In
this case the world-read permission bit can be removed, but then 
everyone who edits web documents needs to belong to this group.  Not
as poor from a security standpoint as (1), but still not truly viable.
3) All web documents need the user-read permission bit set AND have
the documents owned by the UID of the httpd daemon.  This is no better 
than (2), in fact slightly worse, since all the users would have to 
log in to the webserver as this user in order to edit documents (as
opposed to logging in as themselves).
4) use ACLs.  This to me seems the only viable solution from a security
standpoint.  However, IRIX 6.5 does not currently backup ACLs correctly
and so we are considering moving our web data to a different platform.
As you can imagine this will be considerable work, since this is our
production web server.

From my understanding, suexec is only useful for cgi scripts and not
an effective solution for standard html documents.  

Are there any other solutions that I am not aware of?  

Thanks much!
Ted Packwood
Web Administrator
Cray Inc.
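The following is an added example, not code from the post above or from the Apache project. It is the check a practitioner would run before choosing between options (1) to (3): walk a document root and classify every file by whether a daemon with a fixed UID and group set could read it under the classic Unix owner/group/other rules (with the root override), and flag the files that are only safe because the world-read bit is set. It assumes the plain mode-bit model only; filesystem ACLs (option 4) are not modelled. The UID 65534 and the "nobody" naming are assumptions taken from the post's wording, and all sample files in the usage are constructed for illustration.

```python
"""Audit a document root for what a fixed-UID/GID httpd can actually read.

Added example, not code from the original post or from the Apache project.
It evaluates only classic Unix mode bits (owner/group/other, root overrides)
against a daemon uid and its group set; filesystem ACLs are not modelled,
so on an ACL-enabled tree the ground truth is still a read performed as
the daemon user.
"""
import os
import stat
from dataclasses import dataclass, field


def _dac_allows(mode, file_uid, file_gid, uid, gids, usr_bit, grp_bit, oth_bit):
    """Classic Unix discretionary check.

    root bypasses read/search checks; otherwise exactly one of the owner,
    group or other triplets applies, chosen in that order (an owner who is
    also in the group is judged by the owner bits alone).
    """
    if uid == 0:
        return True
    if file_uid == uid:
        return bool(mode & usr_bit)
    if file_gid in gids:
        return bool(mode & grp_bit)
    return bool(mode & oth_bit)


def can_read(mode, file_uid, file_gid, uid, gids):
    """Can uid (with supplementary gids) read a file with these stat fields?"""
    return _dac_allows(mode, file_uid, file_gid, uid, gids,
                       stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_search(mode, file_uid, file_gid, uid, gids):
    """Can uid traverse (x bit) a directory with these stat fields?"""
    return _dac_allows(mode, file_uid, file_gid, uid, gids,
                       stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


@dataclass
class AuditReport:
    unreadable: list = field(default_factory=list)      # daemon cannot serve these
    world_readable: list = field(default_factory=list)  # servable, but any local user can read them
    ok: list = field(default_factory=list)              # servable via owner/group bits, no world bit


def audit_docroot(root, uid, gids):
    """Walk ROOT as if we were the daemon (UID, GIDS) and classify every regular file.

    Directories the daemon cannot search are reported once and pruned, since
    nothing beneath them is reachable regardless of the files' own bits.
    Ancestors of ROOT are assumed searchable; check them separately.
    Symlinks are not followed and are not classified.
    """
    gids = set(gids)
    report = AuditReport()
    for dirpath, dirnames, filenames in os.walk(root):
        dst = os.lstat(dirpath)
        if not can_search(dst.st_mode, dst.st_uid, dst.st_gid, uid, gids):
            report.unreadable.append(dirpath)
            dirnames[:] = []          # prune: os.walk honours in-place edits
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if not can_read(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                report.unreadable.append(path)
            elif st.st_mode & stat.S_IROTH:
                report.world_readable.append(path)
            else:
                report.ok.append(path)
    return report


if __name__ == "__main__":
    import sys
    # Usage: audit.py DOCROOT HTTPD_UID HTTPD_GID [extra gid ...]
    # e.g. audit.py /var/www 65534 65534   (assumed "nobody" ids, not from the post)
    root, uid, *gids = sys.argv[1:]
    rep = audit_docroot(root, int(uid), {int(g) for g in gids})
    for label, paths in (("UNREADABLE", rep.unreadable),
                         ("WORLD-READABLE", rep.world_readable)):
        for p in sorted(paths):
            print(label, p)
    sys.exit(1 if rep.unreadable or rep.world_readable else 0)
```

Anything listed as UNREADABLE is a 403 waiting to happen; anything WORLD-READABLE is option (1) in practice, whatever the intent was. Because the script only reasons about mode bits, it will report false negatives on a tree protected with ACLs; there the decisive test is simply to attempt the read as the daemon user (`sudo -u nobody cat file`, assuming the daemon user is named nobody). On Linux the ACL approach of option (4) is `setfacl -R -m u:nobody:rX docroot` for the existing tree plus `setfacl -R -d -m u:nobody:rX docroot` so newly created files inherit the grant; the IRIX tooling differs and is not covered here.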

The official User-To-User support forum of the Apache HTTP Server Project.
