To: modperl@perl.apache.org
From: Terrence Brannon
Subject: setting up virtual hosts
Date: Tue, 12 Jul 2005 22:31:18 +0000
Organization: metaperl.com
Message-ID: <6m7jfvr70p.fsf@Abulafia.hcoop.net>
Hi,

_________________________________________________________________

Background of Problem

At our [1]webhosting cooperative, each website is set up in a virtual host like this:

    ServerName www.livingcosmos.org
    ErrorLog /var/log/apache/www.livingcosmos.org-error.log
    CustomLog /var/log/apache/www.livingcosmos.org-access.log combined
    IndexOptions FancyIndexing FoldersFirst
    ServerAlias livingcosmos.org
    ServerAdmin webmaster@livingcosmos.org
    DocumentRoot /home/terry/public_html/livingcosmos.org
    Options +Includes +IncludesNOEXEC
    Alias /pipermail /var/lib/mailman/archives/public
    AddHandler perl-script .html
    PerlModule HTML::Mason::ApacheHandler
    PerlHandler HTML::Mason::ApacheHandler
    PerlSetVar MasonDataDir /home/terry/public_html/livingcosmos.org/mason_data
    User www-data
    Group www-data

Unfortunately, we have been hit by a [2]uselib() privilege elevation exploit. As a result, our sysadmins have decided that any CGI/mod_perl process has to run as a specific user instead of as www-data.

At the moment, the sysadmins see no way to run mod_perl such that the mod_perl requests can run as a specific user. Unless I can find a way to have mod_perl processes for each virtual host run as a specific user, we will have mod_perl shut down.

_________________________________________________________________

The Question

How can we set up our virtual hosts so that each one runs as a specific Unix user?

_________________________________________________________________

Last updated 12-Jul-2005 21:50:04 GMT

References

1. http://hcoop.net/
2. http://packetstorm.rlz.cl/0501-exploits/uselib24.c

-- 
Carter's Compass: I know I'm on the right track when, by deleting something, I'm adding functionality.
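Added example, not part of Terrence's post or of hcoop's own tooling: a small Python audit that walks a set of <VirtualHost> blocks like the one above and flags every vhost where an in-process mod_perl handler (AddHandler perl-script / PerlHandler) runs under a shared account such as www-data rather than the account that owns its DocumentRoot, which is exactly the condition the post describes. The <VirtualHost> container lines, the second vhost, the list of shared account names and the default-user assumption are constructed for the example.

```python
import re

# Constructed sample: the directives quoted in the post, wrapped in the
# <VirtualHost> container the archived copy lost, plus one static-only vhost.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName www.livingcosmos.org
    DocumentRoot /home/terry/public_html/livingcosmos.org
    AddHandler perl-script .html
    PerlHandler HTML::Mason::ApacheHandler
    User www-data
    Group www-data
</VirtualHost>
<VirtualHost *:80>
    ServerName static.example.org
    DocumentRoot /home/alice/public_html/static.example.org
</VirtualHost>
"""

SHARED_USERS = {"www-data", "apache", "nobody"}  # assumed shared web accounts

def parse_vhosts(conf):
    """One dict per <VirtualHost> block: lower-cased directive -> argument
    string (last one wins); AddHandler names are collected in 'handlers'."""
    vhosts, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            current = {"handlers": set()}
        elif re.match(r"</VirtualHost>", line, re.I):
            vhosts.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            name, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
            if name == "addhandler":
                current["handlers"].add(args.split()[0])
            else:
                current[name] = args
    return vhosts

def audit(conf):
    """Return (ServerName, verdict) pairs; 'risk' means Perl code for this
    vhost executes inside httpd as a shared account, so a bug in one site's
    code can read every other site's files and serves as a foothold for a
    local privilege-escalation exploit like the one in the post."""
    results = []
    for vh in parse_vhosts(conf):
        name = vh.get("servername", "?")
        runs_perl = "perl-script" in vh["handlers"] or "perlhandler" in vh
        user = vh.get("user", "www-data")  # assumed server-wide default
        m = re.match(r"/home/([^/]+)/", vh.get("documentroot", ""))
        owner = m.group(1) if m else None
        if not runs_perl:
            results.append((name, "ok: no in-process Perl"))
        elif user in SHARED_USERS or (owner and user != owner):
            results.append((name, f"risk: mod_perl runs as {user}, docroot owned by {owner}"))
        else:
            results.append((name, f"ok: mod_perl runs as {user}"))
    return results
```

Running `audit(SAMPLE_CONF)` reports the livingcosmos vhost as a risk (Perl as www-data over terry's files) and the static vhost as clean.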