httpd-users mailing list archives

From "Sjors Gielen" <sjorsgie...@gmail.com>
Subject [users@httpd] Problems with SuEXEC (directory doesn't have target gid error)
Date Tue, 20 Nov 2007 20:02:34 GMT
Hi,

After fiddling around with it for a while, I have set up an Apache
server that uses SuPHP and SuEXEC to change its UID and GID when a
request arrives. I think I should explain a bit about how the setup
works before going on with the real question.
I've got the following (important) groups on my system:
fpanel contains all fPanel users (that is, all users corresponding to
a virtualhost; see below)
fpanel-www is Apache's group.

Next to that, there are these (important) users:
fdazjorz - There are a lot of users like this one, but for now, I'll just
use fdazjorz. fdazjorz is used when serving http://dazjorz.com/. It is
in the 'fpanel' group.
fpanel-www - Apache's user.

Note that at the moment, the Apache server runs at port 81 (so that'd
make http://dazjorz.com:81/). I won't repeat the :81 all the time, and
it'll be 80 once this is all set up.

I have set a rule for myself in setting up this Apache server: Only
the owner and Apache may read the virtualhosts' contents. This means,
for dazjorz.com, that only fdazjorz:fpanel and fpanel-www:fpanel-www
may read the files. I've set up a complete hierarchy in /var/www so
the contents are in /var/www/com/dazjorz/web/www. Next to that, I've
set all directories in /var/www/{com,org,uk,nl} setgid fpanel-www, so
when somebody creates a new file or directory, it automatically gets
the group 'fpanel-www'. This way, only the owner and Apache can read
the files.

Here is also the real problem. Apache can read the files correctly,
and so can the owner, and nobody else. Do any of you remember rule 18
of SuEXEC?
# 18. Is the target user/group the same as the program's user/group?
In my current configuration, the group is always fpanel-www, while
SuEXEC changes group to fpanel (if it would change to fpanel-www, the
scripts would be able to read all files having group fpanel-www).

When I request a Perl file called lezen.pl, owned by
fdazjorz:fpanel-www, I get this in my SuEXEC log:
[2007-11-20 20:20:09]: uid: (1003/fdazjorz) gid: (1001/1001) cmd: lezen.pl
[2007-11-20 20:20:09]: target uid/gid (1003/1001) mismatch with
directory (1003/119) or program (1003/119)

Now when I change the group of the whole dazjorz.com hierarchy tree
(/var/www/com/dazjorz/web) to "fpanel" (note that everybody can read
it now), Apache screams at me for not being able to read the .htaccess
file, since it runs as fpanel-www.

I see almost no way out of here, except running Apache as root:root,
and letting it setuid/setgid later, or hacking SuEXEC to allow the
script or directory to have a different group. What do you guys think
about it? I'm really getting a headache here...

Sjors

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
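The mismatch in the SuEXEC log above comes from the ownership test behind check 18: the target uid/gid that suexec is asked to switch to must equal the owner uid/gid of both the script and the directory it lives in. The following shell functions reproduce that comparison so the log line can be predicted from `stat` output before touching the Apache configuration. This is an added example, not code from the post or from the Apache suexec source; `suexec_id_check` and `suexec_path_check` are names chosen here, and `suexec_path_check` assumes GNU/BusyBox `stat -c` (`%u`/`%g`) is available.

```shell
#!/bin/sh
# Reproduces the ownership test behind suexec check 18 (quoted in the post):
# the target uid/gid must equal the owner uid/gid of the script's directory
# and of the script itself. Pure numeric comparison, so it runs without root.

# suexec_id_check TARGET_UID TARGET_GID DIR_UID DIR_GID PROG_UID PROG_GID
# Prints "ok", or a mismatch line in the wording the suexec log uses, and
# returns 0 on match / 1 on mismatch.
suexec_id_check() {
    tuid=$1; tgid=$2; duid=$3; dgid=$4; puid=$5; pgid=$6
    if [ "$tuid" -ne "$duid" ] || [ "$tgid" -ne "$dgid" ] \
       || [ "$tuid" -ne "$puid" ] || [ "$tgid" -ne "$pgid" ]; then
        printf 'target uid/gid (%s/%s) mismatch with directory (%s/%s) or program (%s/%s)\n' \
            "$tuid" "$tgid" "$duid" "$dgid" "$puid" "$pgid"
        return 1
    fi
    echo ok
    return 0
}

# suexec_path_check TARGET_UID TARGET_GID PATH
# Same test against a real script: owner ids are read with stat(1)
# (assumes GNU/BusyBox 'stat -c' format). Positional parameters are
# function-local in POSIX sh, so 'set --' does not leak to the caller.
suexec_path_check() {
    tuid=$1; tgid=$2; prog=$3
    dir=$(dirname "$prog")
    set -- $(stat -c '%u %g' "$dir") $(stat -c '%u %g' "$prog")
    suexec_id_check "$tuid" "$tgid" "$1" "$2" "$3" "$4"
}

# Stand-alone demonstration with the numbers from the post's suexec log:
# target 1003/1001 (fdazjorz:fpanel) against a directory and program
# owned 1003/119 (fdazjorz:fpanel-www).
suexec_id_check 1003 1001 1003 119 1003 119 || :
```

Run against the post's numbers the function prints exactly the mismatch line from the log; only when the target gid equals the group of both the directory and the script (here 119, i.e. fpanel-www) does it print `ok`. That is the constraint the setgid fpanel-www directories and a target group of fpanel cannot both satisfy.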

