Apache: User/Group directive in plain httpd.conf and VirtualHost

Apache: User/Group directive in plain httpd.conf and VirtualHost

Post by mich.. » Thu, 30 Mar 2000 04:00:00



Hi,

who knows exactly how Apache deals with the User and Group directives,
either plain in httpd.conf or in a VirtualHost subsection? It seems
the plain version actually changes the user even for accessing direct
documents to be served by Apache and especially for modules like
mod_php, but when these directives are set in a VirtualHost section, they
only apply to CGI scripts executed via suExec or CGIwrap? Am I right?

Does anybody know why the User is not even set with seteuid for a
VirtualHost? The server instance still could be reused, because seteuid
is reversible. And yet mod_php and mod_perl would be limited to that
user. It should be easy to prevent seteuid back to the real user-id for
such scripting languages.

Thanks
        Michael


Apache: User/Group directive in plain httpd.conf and VirtualHost

Post by Bill Mosele » Thu, 30 Mar 2000 04:00:00



remarked...

[Your news agent seems to be broken.]

Quote:> who knows exactly how Apache deals with the User and Group directives
> either plain in the httpd.conf and in a VirtualHost subsection? It seems,
> the plain version actually changes the user even for accessing direct
> documents to be served by the Apache and especially for modules like
> mod_php, but when these directives are set in a VirtualHost section, they
> only apply to CGI scripts executed via suExec or CGIwrap? Am I right?

You can only use User and Group in Virtual hosts if you have SuExec
installed.  CGIwrap is different as it forces CGI scripts to run with
the user's UID.

--

pls note the one line sig, not counting this one.


Apache: User/Group directive in plain httpd.conf and VirtualHost

Post by Marc Slem » Thu, 30 Mar 2000 04:00:00



>Hi,

>who knows exactly how Apache deals with the User and Group directives
>either plain in the httpd.conf and in a VirtualHost subsection? It seems,
>the plain version actually changes the user even for accessing direct
>documents to be served by the Apache and especially for modules like
>mod_php, but when these directives are set in a VirtualHost section, they
>only apply to CGI scripts executed via suExec or CGIwrap? Am I right?

As the docs say, User and Group directives in virtualhosts only apply
to suexec.

Quote:>Does anybody know why the User is not even set with seteuid for a
>VirtualHost? The server instance still could be reused, because seteuid
>is reversible. And yet mod_php and mod_perl would be limited to that
>user. It should be easy to prevent seteuid back to the real user-id for
>such scripting languages.

Erm... "it should be easy to prevent seteuid".  Lots of things in
this world should be easy.  Like solving world hunger.  Just because
they "should be" doesn't mean they are.  In a language like perl
or php, there are a whole lot of things you can do that are quite
hard to restrict completely.  In addition, if there are any security
holes that may be present to let users execute arbitrary code as
the user the server runs as, that means that they can seteuid()
back whenever they want.

This also means that any hole in Apache leads to a root compromise of
your system.  That isn't very smart.

The reason Apache doesn't offer this is because it simply isn't secure.
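Marc's point that a seteuid() switch can always be undone is worth seeing in code. The following is an added example written for this archive, not code from the thread or from Apache: a small C model of the Linux rules for a process's real, effective and saved user ids. It assumes the simplified rule that a process is privileged when its effective uid is 0 (Linux actually checks CAP_SETUID) and that seteuid() is implemented as setresuid(-1, e, -1), as glibc does on Linux. The constructed scenario starts from a root-owned server process: a per-VirtualHost seteuid() as the poster proposed leaves the saved uid at 0, so any code running as that user (mod_perl, mod_php, or an exploited bug) can switch back; the one-time permanent switch to the global User, which sets all three ids, cannot be undone.

```c
#include <stdio.h>
#include <sys/types.h>

/* Model of the three user ids Linux keeps per process:
   real (r), effective (e) and saved set-user-id (s). */
struct uids { uid_t r, e, s; };

/* The -1 sentinel meaning "leave this id unchanged", as in setresuid(2). */
#define UID_NOCHANGE ((uid_t)-1)

/* Simplification: privileged means effective uid 0 (Linux checks CAP_SETUID). */
static int privileged(const struct uids *p) { return p->e == 0; }

/* An unprivileged process may only pick an id it already holds in one of the three slots. */
static int holds(const struct uids *p, uid_t id) {
    return id == p->r || id == p->e || id == p->s;
}

/* Model of setresuid(2): 0 on success, -1 where the kernel would return EPERM. */
int model_setresuid(struct uids *p, uid_t r, uid_t e, uid_t s) {
    if (!privileged(p)) {
        if ((r != UID_NOCHANGE && !holds(p, r)) ||
            (e != UID_NOCHANGE && !holds(p, e)) ||
            (s != UID_NOCHANGE && !holds(p, s)))
            return -1;
    }
    if (r != UID_NOCHANGE) p->r = r;
    if (e != UID_NOCHANGE) p->e = e;
    if (s != UID_NOCHANGE) p->s = s;
    return 0;
}

/* Model of seteuid(2) the way glibc does it on Linux: setresuid(-1, e, -1). */
int model_seteuid(struct uids *p, uid_t e) {
    return model_setresuid(p, UID_NOCHANGE, e, UID_NOCHANGE);
}

/* Temporary drop via seteuid(), i.e. what a per-VirtualHost switch would do.
   Returns 1 if the process can get back to uid 0 afterwards, 0 if not, -1 on error. */
int temporary_drop_is_reversible(uid_t vhost_uid) {
    struct uids p = {0, 0, 0};             /* constructed: server started as root */
    if (model_seteuid(&p, vhost_uid) != 0) return -1;
    /* The saved uid is still 0, so code running as vhost_uid may switch back. */
    return model_seteuid(&p, 0) == 0;
}

/* Permanent drop: all three ids set to the global User, as setuid(2) does for root.
   Same return convention as above. */
int permanent_drop_is_reversible(uid_t server_uid) {
    struct uids p = {0, 0, 0};             /* constructed: server started as root */
    if (model_setresuid(&p, server_uid, server_uid, server_uid) != 0) return -1;
    /* No slot holds 0 any more, so seteuid(0) is refused. */
    return model_seteuid(&p, 0) == 0;
}

int main(void) {
    /* uid 1001 is a constructed sample value for a VirtualHost user. */
    printf("seteuid() drop reversible:   %d\n", temporary_drop_is_reversible(1001));
    printf("setresuid() drop reversible: %d\n", permanent_drop_is_reversible(1001));
    return 0;
}
```

The model is deliberately free of real uid calls so it runs as any user; the same check in a real daemon is to call getresuid() after dropping and refuse to continue if any of the three ids still holds the privileged value. It also shows why the poster's idea of "preventing seteuid back" inside the scripting module is not enough: the ability to switch back is a property of the process's saved uid, not of the module's API.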


1. Default httpd.conf says Expected </VirtualHost> but saw </VirtualHost>

I apologise in advance if this is a stupid newbie question but it has me
stumped.

I've just upgraded from 1.2.6 to 1.3.1 with mod_ssl/SSLeay.

With no changes to the default conf files (which all look fine thanks to
the wonderful configuration script) the server starts fine without SSL
but gives me:

Expected </VirtualHost> but saw </VirtualHost>

with apachectl startssl.

Just for fun I added a virtual host which is setup on our local DNS.

<VirtualHost 203.34.243.10>

DocumentRoot /psci/usr/test
ServerName test.tcp.net.au
ErrorLog logs/test-error_log
TransferLog logs/test-access_log
</VirtualHost>

Now I get the Expected </VirtualHost> without SSL as well.

After being so proud of getting it all installed, I'm back down to
Earth. What have I done?

Thanks for your time,

Phil
