[lug] apache vhost / php perms

Jason Vallery jason at vallery.net
Wed Apr 16 19:45:04 MDT 2008


I guess I should have read your whole post before I jumped to this answer
:-)
I just noticed that you mentioned you wanted to avoid this approach for
various reasons.  While anecdotal, I can say that I have not seen any
performance degradation using this approach.  It works great for me.

-J



On Wed, Apr 16, 2008 at 7:36 PM, Jason Vallery <jason at vallery.net> wrote:

> Hi Karl,
> There is a virtual host directive called SuexecUserGroup in Apache 2 (I
> think there might be a module for Apache 1.3).  You can tell Apache to
> execute the scripts as a specified user.  For example, if you add the
> following line to the virtualhost declaration in httpd.conf it will execute
> the script as user 503, group 504:
>
> SuexecUserGroup "#503" "#504"
>
> You can find more at http://httpd.apache.org/docs/2.0/suexec.html
>
> --
> Jason Vallery
> jason at vallery.net
>
> mobile: +1.720.352.8822
> home: +1.303.993.3712
> web: http://vallery.net/
>
>
> On Wed, Apr 16, 2008 at 5:18 PM, karl horlen <horlenkarl at yahoo.com> wrote:
>
> > I've got a lamp server that runs multiple php/mysql based vhosts.  Some
> > document roots of these vhosts are owned by different user accounts.
> >
> > In order to allow apache to execute the php in these individually user
> > owned directories, I simply added each user id to the group 'apache'.  It
> > works fine.
> >
> > However, it's not very secure.  If user A logs in to his account, he can
> > literally add / change / list / copy anything in user B, C, D... 's server
> > root directory because they all share 'apache' group perms.  Not good!
> >
> > Can anyone recommend a bulletproof solution to allow apache the access
> > it needs to exec php from multiple user owned doc roots while preventing
> > different users from tampering with each other's files and dirs?
> >
> > I'd prefer something that's fairly easy to administer as multiple
> > accounts / vhosts are likely to be added and removed from the server.
> >
> > I do know that there is an ExecCGI option.  But I think this seriously
> > degrades performance?  And as silly as this sounds, for some reason I always
> > associate CGI with perl and not php so I'm not even sure this would work
> > with php?
> >
> > Open to any and all solutions.
> >
> > Thanks


-- 
Jason Vallery
jason at vallery.net

mobile: +1.720.352.8822
home: +1.303.993.3712
web: http://vallery.net/
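
The exposure Karl describes (every account in the shared 'apache' group can reach every other account's document root) can be checked from the group membership and the docroot permissions. This is an added example, not part of the original thread; the account names, gid and paths are constructed sample data, and the commented commands assume GNU stat.

```shell
#!/bin/sh
# Added example, not from the thread. Account names, gid and paths are constructed.
# On a real host the inputs would come from (GNU stat assumed):
#   getent group apache
#   stat -c '%U %G %a %n' /home/*/public_html

# $1    = one group(5) line: name:passwd:gid:member,member,...
# stdin = one line per docroot: owner group octal-mode path (no spaces in path)
# Prints: path owner exposure other-members-with-access
audit_shared_group() {
    awk -v grpline="$1" '
    BEGIN {
        split(grpline, f, ":")
        shared = f[1]
        n = split(f[4], members, ",")
    }
    $2 == shared {
        # The group digit is the second-to-last octal digit (handles 775 and 2775).
        g = substr($3, length($3) - 1, 1) + 0
        if (g == 0) next                      # group has no access at all
        exposure = (int(g / 2) % 2 == 1) ? "group-writable" : "group-accessible"
        others = ""
        for (i = 1; i <= n; i++) {
            if (members[i] == "" || members[i] == $1) continue
            sep = (others == "") ? "" : ","
            others = others sep members[i]
        }
        if (others != "")
            printf "%s %s %s %s\n", $4, $1, exposure, others
    }'
}

# Constructed sample input: three accounts in the shared group, three docroots.
SAMPLE_GROUP='apache:x:48:usera,userb,userc'
SAMPLE_STAT='usera apache 2775 /home/usera/public_html
userb apache 750 /home/userb/public_html
userc userc 755 /home/userc/public_html'

demo() { printf '%s\n' "$SAMPLE_STAT" | audit_shared_group "$SAMPLE_GROUP"; }
demo
```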