httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martijn de Munnik <>
Subject [users@httpd] ZFS ACL and apache suexec
Date Fri, 21 Mar 2008 11:21:54 GMT

I'm trying to get my apache webserver as secure as possible. The  
server is used for multiple virtual hosts and I want to isolate each  
vhost host. I used this document as a guide

everything works fine. Each vhost is under a separate unix user/group  
and apache is running as nobody/nobody. The user nobody is also in all  
the usergroups but Solaris has a limit of 32 additional groups a user  
can be in. So there's my problem. I though the solution would be ZFS  
ACL's and tried that. The user nobody can navigate in the public_html  
directory of the vhost (nobody is not in the usergroup anymore) and  
apache shows HTML files. But when I want to show php files something  
goes wrong:

You don't have permission to access /php-fastcgi/php5-cgi/index.php on  
this server.
Additionally, a 403 Forbidden error was encountered while trying to  
use an ErrorDocument to handle the request.

Nothing shows up in the logs. When I run a php script on a vhost which  
is configured the old way (nobody is in the usergroup) I get lines  
like these:

[Fri Feb 29 08:03:57 2008] [warn] FastCGI: (dynamic) server "/opt/csw/ 
apache2/share/htdocs/suexec/" (uid 10003, gid  
10001) started (pid 8253)

All the config files and scripts are the same so the problem should be  
file permissions I guess, any ideas?


Martijn de Munnik

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message