question regarding securing web pages on an internal web server

Post by Robi » Tue, 12 Jun 2001 19:58:31

I have just started using mod_auth to secure various web pages on our
intranet such that not all staff can see all pages.  The issue however is
how to best secure these same files from direct access in unix.  Currently
Apache runs as the user "nobody" which has no special permissions.
Therefore "nobody" can only serve up files that have world read access
allowed.  To secure these files in unix, one would normally just tighten the
file permissions on said files and be done with it.  However, if we do this,
"nobody" cannot serve up these files to anyone, even if the user in question
has the proper permissions to view the pages based on mod_auth.  To fix
this, you would think that you could just change Apache to run as another
user (say "apache") with the same permissions as "nobody" but then add this
new user "apache" to the permission groups controlling the secured files.
The problem with this logic is that in our situation where there are lots of
files controlled by different departments, the effect of adding the new user
"apache" to this many groups means the user takes on far more power than one
might like, effectively coming closer to the scenario of running Apache as
"root" (which for obvious reasons one would not want to do!).

What types of workarounds are there to this problem?  I was hoping for
something along the lines of suexec - does such a thing exist?  (As I
understand it, suexec is only for cgi scripts, not html, xls, doc, etc type
files...)  What do most companies do to resolve this situation?

If I have sent my inquiry to the wrong place, please tell me where I should
redirect it to.

Thanks in advance!
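As an added illustration (not part of the original post), the following Python model reproduces the Unix read check the poster describes and runs it over a constructed file inventory. It shows why adding the httpd user to every department's group widens access: that account then reads not only the department's web pages but every group-readable file those groups own. All user, group and path names are constructed for the example.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class File:
    path: str
    mode: int   # permission bits only, e.g. 0o640
    owner: str
    group: str


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset  # primary plus supplementary groups


def can_read(f: File, acct: Account) -> bool:
    """Unix read check: owner bits if the account owns the file,
    else group bits if it is a member of the file's group, else other bits."""
    if acct.name == f.owner:
        return bool(f.mode & stat.S_IRUSR)
    if f.group in acct.groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


# Constructed inventory: each department owns web pages under /www
# and unrelated files elsewhere, all protected only by group membership.
INVENTORY = [
    File("/www/public/index.html", 0o644, "webmaster", "web"),
    File("/www/hr/salaries.html", 0o640, "hrlead", "hr"),
    File("/home/hr/payroll.xls", 0o660, "hrlead", "hr"),
    File("/www/eng/roadmap.html", 0o640, "englead", "eng"),
    File("/home/eng/source.tar", 0o660, "englead", "eng"),
]

WEB_ROOT = "/www/"


def readable_by(acct: Account, inventory=INVENTORY) -> list:
    """Paths the account can read, in inventory order."""
    return [f.path for f in inventory if can_read(f, acct)]


def overreach(acct: Account, inventory=INVENTORY) -> list:
    """Readable files that were never meant to be served: outside WEB_ROOT."""
    return [p for p in readable_by(acct, inventory) if not p.startswith(WEB_ROOT)]


# Constructed accounts: the stock "nobody", and an "apache" user added
# to each department's group so it can serve the restricted pages.
NOBODY = Account("nobody", frozenset({"nobody"}))
APACHE_IN_DEPT_GROUPS = Account("apache", frozenset({"apache", "hr", "eng"}))
```

Running `overreach(APACHE_IN_DEPT_GROUPS)` lists the payroll and source files: the group memberships needed to serve two restricted pages also expose every other group-readable file those departments keep, which is the "far more power" the post warns about.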