From owner-freebsd-questions@FreeBSD.ORG Thu Apr 29 07:22:35 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DD66016A4CE for ; Thu, 29 Apr 2004 07:22:35 -0700 (PDT) Received: from www6.web2010.com (www6.web2010.com [216.157.5.254]) by mx1.FreeBSD.org (Postfix) with ESMTP id 87BBA43D60 for ; Thu, 29 Apr 2004 07:22:35 -0700 (PDT) (envelope-from MLandman@face2interface.com) Received: from delliver.face2interface.com (dialup-wash-129-203.thebiz.net [64.30.129.203] (may be forged)) by www6.web2010.com (8.12.10/8.9.0) with ESMTP id i3TEMDoU010563; Thu, 29 Apr 2004 10:22:15 -0400 (EDT) Message-Id: <6.0.0.22.0.20040429101444.0e68a6a0@pop.face2interface.com> X-Sender: face@pop.face2interface.com X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 Date: Thu, 29 Apr 2004 10:22:21 -0400 To: Mikkel Christensen , Peter Risdon From: Marty Landman In-Reply-To: <200404291406.58150.mikkel@talkactive.net> References: <200404262126.36157.mikkel@talkactive.net> <200404291058.44766.mikkel@talkactive.net> <409109D6.2090504@circlesquared.com> <200404291406.58150.mikkel@talkactive.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed cc: freebsd-questions@freebsd.org Subject: Re: Suexec with Apache 1.3.29 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Apr 2004 14:22:36 -0000 At 10:06 AM 4/29/2004, Mikkel Christensen wrote: >I have figured it out now. I would call it quite a wierd rule! > >You are not allowed to run suexec in any combination og users you like. That's right, I remember that much from the tutorials I'd read about it. >So, apperently you are only allowed to run suexec as a different user and >group as long as neither of them is the apache user. And so long as the permissions are less than that of root iirc. >Otherwise you can do as you like. IOW suexec should run only as a 'typical' user, which I believe is the point. I think of it in terms of web customers who have high permissions primarily for their own space, and limited to no permissions for the rest of the server's name space. >This seems extremely strange to me. Why is it strange? The reason I kept trying to install suexec was because until I did, the development environment I set up on my LAN could mirror that on my real sites with the exception that all the files & directories had to be given 777 or equivalent permissions. Otherwise with the user running my cgi's being nobody aka www or httpd files couldn't be written to, created, deleted etc.. With the types of web apps I write this was becoming not only a royal pain, also a constant reminder to me that my local environment was as insecure as it could be; of course it's strictly local so not a problem. >But following theese rules it works as it should. With suexec running, a cgi gets set to 744 or 700 instead of 755; a data file e.g. log or count file gets 644 or 600 instead of 666. It's amazing to me that more vandalism and cross site scripting doesn't occur given the servers that still don't run suexec, or the users that aren't hip to using it properly for setting permissions when the server does support it. Marty Marty Landman Face 2 Interface Inc. 845-679-9387 Web Installed Formmailer: http://face2interface.com/Products/Formal.shtml FormATable DB: http://face2interface.com/Products/FormATable.shtml Make a Website: http://face2interface.com/Home/Demo.shtml