Apache set UID/GID for VirtualHosts?

Post by Duke » Sat, 15 Feb 2003 07:10:03



Is this possible in any way?  I do not want different VirtualHosts (read:
users) to have access to each other's files.
 
 
 


Post by Carsten Gaeble » Sat, 15 Feb 2003 07:40:43



> Is this possible in any way?  I do not want different VirtualHosts (read:
> users) to have access to each other's files.

http://httpd.apache.org/docs-2.0/mod/perchild.html#assignuserid

cg.

 
 
 


Post by Duke » Sun, 16 Feb 2003 03:28:35




> > Is this possible in any way?  I do not want different VirtualHosts (read:
> > users) to have access to each other's files.

> http://httpd.apache.org/docs-2.0/mod/perchild.html#assignuserid

Thanks.  Too bad it's broken on Linux - even the docs say "This MPM does not
currently work on most platforms." :( . I'm going to need to install a
separate copy of apache/php for each user, joy.
I understand that somebody has to work on it in order to make it work, it's
just surprising to me that such an important thing is left untouched.

P.S.  I built it and got the infamous [emerg] (13)Permission denied:
apr_proc_mutex_lock failed. Attempting to shutdown process gracefully.

 
 
 


Post by 2Host.com - Rober » Mon, 17 Feb 2003 16:05:57






> > > Is this possible in any way?  I do not want different VirtualHosts (read:
> > > users) to have access to each other's files.

> > http://httpd.apache.org/docs-2.0/mod/perchild.html#assignuserid

> Thanks.  Too bad it's broken on Linux - even the docs say "This MPM does not
> currently work on most platforms." :( . I'm going to need to install a
> separate copy of apache/php for each user, joy.
> I understand that somebody has to work on it in order to make it work, it's
> just surprising to me that such an important thing is left untouched.

> P.S.  I built it and got the infamous [emerg] (13)Permission denied:
> apr_proc_mutex_lock failed. Attempting to shutdown process gracefully.

It should be important, since it allows for different users to all be on
the same shared system. However, unless you are willing to pay someone
to hack the source for a custom solution, that's just on the back
burner. In the meantime, I'd recommend if you care enough about user
security on a shared server, and if you don't have the knowledge or
ability to hack the source to make for these changes, that you enable
SuEXEC for CGI and run PHP as CGI (or hack PHP alone to run as the
UID/GID).

If you run any other modules, you'd have to do the same though. Once you
do this, then any interface runs as the UID or as CGI and uses SuEXEC,
you can set the permissions on the user's home directories to be 710.
Giving the user read, write and execute and the Apache *group* execute
for 'group'. Then other/world has no permission. With the wrapper
effect, you can ensure that any users themselves or any scripts they run
that are a PHP module (or PHP as CGI) and any CGI scripts will run as
their user. This makes it so users can not access each other's
files/directories. It's a decent solution until there's a better
solution, unless you enjoy hacking source code (I know I do).
--
Regards,

Server admin, support & programming for shared & dedicated web servers
Secure, reliable hosting you expect and deserve! http://www.2host.com
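
The 710 layout described in the post above (owner rwx, the Apache group traverse-only, nothing for other/world) can be audited mechanically. The following is an added example, not part of the original thread: the function names and the sample tree are constructed, and the web server group is passed in as a numeric GID.

```python
import os
import stat
import tempfile


def audit_home(path, web_gid):
    """Return findings for one home directory checked against the 710 scheme."""
    st = os.lstat(path)  # lstat: do not follow a symlinked "home"
    if not stat.S_ISDIR(st.st_mode):
        return ["not a real directory"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if (mode & stat.S_IRWXU) != stat.S_IRWXU:
        findings.append("owner lacks rwx")
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("group can list or write")
    if not (mode & stat.S_IXGRP):
        findings.append("group cannot traverse")
    if mode & stat.S_IRWXO:
        findings.append("other/world has access")
    if st.st_gid != web_gid:
        findings.append("group is not the web server group")
    return findings


def audit_homes(base, web_gid):
    """Map each deviating entry under base to its findings."""
    report = {}
    for name in sorted(os.listdir(base)):
        findings = audit_home(os.path.join(base, name), web_gid)
        if findings:
            report[name] = findings
    return report


def demo():
    """Audit a constructed tree: alice follows the scheme, bob and carol do not."""
    with tempfile.TemporaryDirectory() as base:
        for name, mode in (("alice", 0o710), ("bob", 0o755), ("carol", 0o700)):
            home = os.path.join(base, name)
            os.mkdir(home)
            os.chmod(home, mode)
        # Stand-in for the Apache group: the group the sample dirs were created with.
        web_gid = os.stat(os.path.join(base, "alice")).st_gid
        return audit_homes(base, web_gid)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", "; ".join(findings))
```

On a real host, call `audit_homes` with the directory that holds the user homes and the GID of the group Apache runs as.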

 
 
 

1. Running VirtualHosts as Different UID/GID

the zip file: http://www.recalibrate.net/supache.zip

hello people.
I am attempting to modify the apache_1.3.20 source so it would be possible
to run processes for different VirtualHost as different UID/GID.
I would like to ask for some help in doing this from whoever can help since
there is a lot to do.
It would also be nice to know if anybody is looking for something like this,
that is a mod_become does but without the "single request" penalty that
comes with it.
All the relevant changes to the 1.3.20 code are in the zip file; it is not
in the form of a patch (for explanation read the "Excuses" section in the
ReadMe file), but the documentation of what I did is very detailed.

One note to whoever tries to compile it is that I have used this on Linux
2.4. I am using a mechanism which transfers file descriptors across
processes and I don't know how portable it is in regard to other unices.
Also, at its present state it is only to demonstrate an idea that I have
regarding on how to tackle this uid/gid issue and not to actually try and
run it with your current configuration. Just to give you an idea - I have
created a special configuration for the test with two name based virtual
hosts with the server listening only on 1 port on whatever IP address it can
bind to and it doesn't even deal with access restrictions (although I
believe there will be no change necessary in order to accommodate for that
since the child should take care of that).
