apache 2.x, php, virtual / non virtual websites and running under restricted server id questions

apache 2.x, php, virtual / non virtual websites and running under restricted server id questions

Post by gkin » Wed, 05 Jun 2002 00:37:41



I thought that Apache 2 was going to implement the ability to specify
uids to fork child processes as based on user directories at one
point. Today I started reading up on Apache 2 and searching this group
and the only thing I can find is SuExec still. Also virtualhosts dont
support the user directive.

What I am trying to do is setup a safe-mode, apache-php-mysql server
for virtual hosted clients that does not run under a global uid
(nobody for example). But instead will notice the owner of the
directory and fork children based on that ownership (as long as i can
tell it to not do so for root or other priv uids/gids).

This way I can have user and group restrictions setup in PHP.ini to
check for the permissions and it would keep any customer from
uploading some * php code that could be used to attack other local
php sites (since currently the apache daemon runs everything under id
nobody, one hole could potentially deface all sites if they
inadvertently allow group nobody write permissions in their web area).

Needless to say, this server isnt in use yet (just testing) until I
can find a way to do something like this.

Any ideas? Or links to point me in the right direction?

Thanks

 
 
 

apache 2.x, php, virtual / non virtual websites and running under restricted server id questions

Post by gkin » Sat, 08 Jun 2002 00:40:49


Thanks and i do that already. The problem is that I want the apache
server to do something like this and thought it could or was going to
in 2.0:

1. sees a http request for a virtual host
2. determines the vhost is for id=joeuser,
directory=/home/joeuser/html
3. child process is started from apache to handle the request, but the
process now runs under the id of joeuser

Think of cgiwrappers for html directories.

Thanks for the response though.


> I'm not quite sure I follow exactly what you're saying.  If you want to
> have different PHP settings based on user/VHosts then you can set the
> PHP values in the VHost directive in the httpd.conf file.

> That may not be the comprehensive solution you were looking for, though.

> --Matthew


 
 
 

1. how to restrict maximum login attempts for a restricted website in apache server

hello frds...i have configured Basic authentication for intrasite
website which is hosted on apache server...but i asks for
username/password for 'n' number of times....what is the directive for
restricting the maximum logging attempts for a connection..as it
usually does for all the sites at 3....plsss help me friends....

frd,
chetan

2. NIS and Automounter.

3. Apache LogFormat - addition of %v virtual server ID

4. Apache Problem with server-info

5. HP SECURITY BULLETIN #00000

6. Apache executing under Virtual server's owner ID ???

7. what's a wrapper

8. Apache server config for non IP based virtual host

9. Newbie question: Apache 1.1x or 1.2x for non-ip virtual host

10. Question: Running Apache SSL and Apache non-SSL on one server

11. Mixing Apache Name Based Virtual Hosts and SSL Virtual Host

12. Virtual hosts on an server running Apache