httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martijn de Munnik <mart...@youngguns.nl>
Subject [users@httpd] ZFS ACL and apache suexec
Date Fri, 21 Mar 2008 11:21:54 GMT
Hi,

I'm trying to get my apache webserver as secure as possible. The  
server is used for multiple virtual hosts and I want to isolate each  
vhost host. I used this document as a guide

http://snippets.dzone.com/posts/show/81

everything works fine. Each vhost is under a separate unix user/group  
and apache is running as nobody/nobody. The user nobody is also in all  
the usergroups but Solaris has a limit of 32 additional groups a user  
can be in. So there's my problem. I though the solution would be ZFS  
ACL's and tried that. The user nobody can navigate in the public_html  
directory of the vhost (nobody is not in the usergroup anymore) and  
apache shows HTML files. But when I want to show php files something  
goes wrong:

Forbidden
You don't have permission to access /php-fastcgi/php5-cgi/index.php on  
this server.
Additionally, a 403 Forbidden error was encountered while trying to  
use an ErrorDocument to handle the request.

Nothing shows up in the logs. When I run a php script on a vhost which  
is configured the old way (nobody is in the usergroup) I get lines  
like these:

[Fri Feb 29 08:03:57 2008] [warn] FastCGI: (dynamic) server "/opt/csw/ 
apache2/share/htdocs/suexec/xxxxxxx.nl/php5-cgi" (uid 10003, gid  
10001) started (pid 8253)

All the config files and scripts are the same so the problem should be  
file permissions I guess, any ideas?

thanks,

Martijn de Munnik



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message