httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] Dynamic Mass Virtual Hosting with Secure Dynamic Content is impossible?
Date Sat, 29 Jul 2006 01:20:00 GMT
On 7/28/06, matthew.fisch@yahoo.com <matthew.fisch@yahoo.com> wrote:
>
>
> Thanks for the attention Joshua...
>
>   Yes, I've read the other discussions (I think). I guess I assumed right
> then, I'm stuck without changes to the source code? suexec can't work with
> mod_vhost_alias?

Correct.

>
>   Regarding the UID mapping, all it would have to do would be suexec as the
> owner of the file. I wonder if that would really be insecure or inflexible
> after all. Are users able to chown files to other users?

On some systems, yes, people can "give away" files.  Even on systems
where they can't, this would be a bad idea since people could do
malicious things to other people's accounts using their own binaries.

The more-secure solution that I was thinking of was simply hard-coding
a knowledge of the VirtualDocumentRoot into suexec so that CGIs
within a particular vhost were run under a particular userid.

As far as getting such a solution into the "mainline" apache httpd, I
guess it could be possible using a VirtualUserGroup directive, or
something of the sort.  I'd have to think more about the security
implications.  Hard-coding it into suexec would actually be more
secure, but you need to be very careful with any modification to
suexec.

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org