httpd-users mailing list archives

From "Lee" <>
Subject Mixed Services - Apache Security
Date Fri, 28 Jun 2002 23:12:47 GMT

I am just starting to learn apache seriously after just toying with it for a
few months.

One thing that has always bothered me with apache is that it always runs as
the same user regardless of which site or virtual host it is running.
As I do a lot of web scripting work (Perl & PHP) this is something I notice
frequently both on my own server & those I have used for web hosting.

My concern is this.

Running a single apache daemon, say as the user "apache", with
group "apache".  Now I am also running an FTP daemon where the users have
their home directories in the same place as the DocumentRoot for each
virtual host.

In order for uploaded files to be readable by apache, they need to either be
world readable, or apache needs to be a member of the FTP daemon group, for
example "ftpgroup" with the files set to have group readable permissions.

Whenever a user runs a Perl script or PHP page, it runs as the Apache
user, which means it can read all other files / directories that apache
itself can.  Also it would mean that if a user makes a directory
group-writable, which would be needed by a CGI script to write to a
directory, then all other sites will also be able to write to this directory
/ file.

I have read a little on SUEXEC. Is this the sort of problem that it was
designed to solve, or does anyone else have any other ideas?
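The exposure described in the post (a group-writable upload directory under one DocumentRoot is writable by every site's CGI when they all run as the one Apache user) can be audited with a small script. This is an added example, not code from the thread: it builds a constructed two-site tree in a temp directory and lists the entries a CGI running as the shared user could write to.

```sh
#!/bin/sh
# Constructed demo: two vhost DocumentRoots as described in the post, where
# uploads are shared with the Apache user through the FTP group.  Nothing here
# is real data; the tree is created fresh in a temp directory.
setup_demo() {
  demo=$(mktemp -d)
  mkdir -p "$demo/site1/upload" "$demo/site2"
  echo "index" > "$demo/site1/index.html"
  echo "dbpass" > "$demo/site2/config.inc"
  chmod 755 "$demo/site1" "$demo/site2"
  chmod 644 "$demo/site1/index.html"
  chmod 640 "$demo/site2/config.inc"     # group-readable: readable by any site's CGI
  chmod 775 "$demo/site1/upload"         # group-writable: writable by any site's CGI
  echo "$demo"
}

# Print every path under $1 that is writable by group or by others.
# With a single Apache user (and that user in the FTP group), each such
# entry is writable from every virtual host's Perl/PHP/CGI code.
# -perm -020 = group write bit set, -perm -002 = other write bit set.
find_shared_writable() {
  find "$1" \( -perm -020 -o -perm -002 \) -print | sort
}

# Number of shared-writable entries under $1 (0 means nothing cross-site writable).
count_shared_writable() {
  find_shared_writable "$1" | wc -l | tr -d ' '
}

# With suexec, each vhost's CGI runs as that site's own user, so an upload
# directory can be owner-writable only (755 owned by the site user) and the
# audit above reports nothing.
```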


