[lug] apache vhost / php perms

Jason Vallery jason at vallery.net
Wed Apr 16 19:36:32 MDT 2008


Hi Karl,
There is a virtual host directive called SuexecUserGroup in Apache 2 (I
think there might be a module for Apache 1.3).  You can tell Apache to
execute the scripts as a specified user.  For example, if you add the
following line to the virtualhost declaration in httpd.conf it will execute
the script as user 503, group 504:

SuexecUserGroup "#503" "#504"

You can find more at http://httpd.apache.org/docs/2.0/suexec.html

-- 
Jason Vallery
jason at vallery.net

mobile: +1.720.352.8822
home: +1.303.993.3712
web: http://vallery.net/


On Wed, Apr 16, 2008 at 5:18 PM, karl horlen <horlenkarl at yahoo.com> wrote:

> I've got a LAMP server that runs multiple php/mysql based vhosts.  Some
> document roots of these vhosts are owned by different user accounts.
>
> In order to allow apache to execute the php in these individually user
> owned directories, I simply added each user id to the group 'apache'.  It
> works fine.
>
> However, it's not very secure.  If user A logs in to his account, he can
> literally add / change / list / copy anything in user B, C, D... 's server
> root directory because they all share 'apache' group perms.  Not good!
>
> Can anyone recommend a bulletproof solution to allow apache the access it
> needs to exec php from multiple user owned doc roots while preventing
> different users from tampering with each other's files and dirs?
>
> I'd prefer something that's fairly easy to administer as multiple accounts
> / vhosts are likely to be added and removed from the server.
>
> I do know that there is an ExecCGI option.  But I think this seriously
> degrades performance?  And as silly as this sounds, for some reason I always
> associate CGI with perl and not php so I'm not even sure this would work
> with php?
>
> Open to any and all solutions.
>
> Thanks
>
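
Added example, not part of the messages above and not Apache's own code: suEXEC only applies to CGI/SSI requests (PHP loaded as an Apache module keeps running as the server's user), and the wrapper refuses to run a program whose ownership or permissions fail its checks. This Python sketch applies a subset of the checks described in the suEXEC documentation linked above to one script path; the function name `suexec_problems` and the `min_id` default of 100 are assumptions of this example.

```python
import os
import stat
import sys

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

def suexec_problems(script, uid, gid, min_id=100):
    """Reasons a suEXEC-style wrapper would refuse to run script as uid:gid.

    Subset of the documented checks. min_id stands in for the compiled-in
    minimum UID/GID (assumed to be 100 in this example).
    """
    problems = []
    if uid == 0 or gid == 0:
        problems.append("target user or group is root")
    if uid < min_id or gid < min_id:
        problems.append("target uid/gid is below the minimum of %d" % min_id)
    try:
        prog = os.lstat(script)  # lstat so a symlink is reported, not followed
        cwd = os.stat(os.path.dirname(os.path.abspath(script)))
    except OSError as exc:
        return problems + ["cannot stat: %s" % exc]
    if not stat.S_ISREG(prog.st_mode):
        problems.append("script is not a regular file")
    for label, st in (("script", prog), ("directory", cwd)):
        # Owner and group must match the SuexecUserGroup target exactly.
        if (st.st_uid, st.st_gid) != (uid, gid):
            problems.append("%s is owned by %d:%d, not %d:%d"
                            % (label, st.st_uid, st.st_gid, uid, gid))
        # A shared writable group (the 'apache' group setup) fails here.
        if st.st_mode & WRITABLE_BY_OTHERS:
            problems.append("%s is writable by group or other" % label)
    if prog.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("script is setuid or setgid")
    return problems

if __name__ == "__main__":
    # Usage: python check.py /path/to/script 503 504  (ids from the vhost line)
    path, uid, gid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    found = suexec_problems(path, uid, gid)
    print("\n".join(found) if found else "no problems found")
    sys.exit(1 if found else 0)
```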