www-apache-bugdb mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: suexec/946: The "User" directive fails for virtual hosts where the user differs from that for the main server.
Date Sat, 02 Aug 1997 20:20:04 GMT
The following reply was made to PR suexec/946; it has been noted by GNATS.

From: Marc Slemko <marcs@znep.com>
To: Ronny Cook <ronny@tmx.com.au>
Subject: Re: suexec/946: The "User" directive fails for virtual hosts where the user differs
from that for the main server.
Date: Sat, 2 Aug 1997 14:14:38 -0600 (MDT)

 
 On Fri, 1 Aug 1997, Ronny Cook wrote:
 
 > The suexec documentation includes a paragraph which says:
 > ] One way to use suEXEC is through the User and Group directives in
 > ] VirtualHost definitions. By setting these directives to values different
 > ] from the main server user ID, all requests for CGI resources will be
 > ] executed as the User and Group defined for that <VirtualHost>. If only
 > ] one or neither of these directives are specified for a <VirtualHost>
 > ] then the main server userid is assumed.
 > 
 > I took this to mean that I could use "User" and "Group" to enable suexec
 > for particular hosts by compiling suexec to use one particular UID (in our
 > case it's "cgiwrap") then using the User directive to force suexec to work
 > only when a particular virtual host is being accessed. This doesn't work,
 > basically because the *User* directive doesn't work (for virtual hosts). As
 > nearly as I can tell, The User directive doesn't work because requests are
 > farmed out to subservers which are already running under a non-root UID.
 > 
 > It could be a documentation bug rather than a program bug, I suppose, but
 > if so that begs the question of what is the server *supposed* to be doing
 > with the User directive?
 
 No, that is not the way things should work and I don't really see that
 being implied by the above docs.
 
 Apache will never setuid() after its initial change to the user specified
 by the main User directive (if started as root; if not started as root, it
 will never setuid() at all).  To use suexec, suexec _needs_ to be setuid
 root so it can setuid() to the appropriate user.  That is the whole point
 of suexec; Apache does not run as root because that is a huge security
 risk, so it can't setuid().  That means suexec is the one that has to do
 that.
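
The behaviour the reply describes, as an added example that is not part of the original message or of Apache's code: once a process has given up root it cannot setuid() again, which is why the switch has to happen in a separate setuid-root helper. The function name `regain_root_errno` and UID 65534 as the unprivileged account are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_UNPRIV_UID 65534  /* assumption: stand-in for the "User" account */
#define PROBE_FAILED    255    /* the probe itself could not be set up */

/* Returns the errno from trying to become root again once privileges are
 * gone (0 would mean the switch worked), or PROBE_FAILED. The attempt runs
 * in a forked child so the caller's own credentials are never touched. */
int regain_root_errno(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_FAILED;
    if (pid == 0) {
        /* Started as root: do the one-time drop, as the server does at
         * startup. setuid() by root replaces the real, effective and saved
         * UIDs. Not started as root: already in the "after" state. */
        if (geteuid() == 0 && setuid(DEMO_UNPRIV_UID) != 0)
            _exit(PROBE_FAILED);
        errno = 0;
        _exit(setuid(0) == 0 ? 0 : errno);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_FAILED;
    return WEXITSTATUS(status);
}

int main(void)
{
    int e = regain_root_errno();
    if (e == PROBE_FAILED)
        puts("probe could not run");
    else if (e == 0)
        puts("setuid(0) succeeded: privileges were not fully dropped");
    else
        printf("setuid(0) refused: %s\n", strerror(e));
    return 0;
}
```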
 
