From owner-freebsd-questions Thu Nov 15 04:09:30 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from dire.bris.ac.uk (dire.bris.ac.uk [137.222.10.60]) by hub.freebsd.org (Postfix) with ESMTP id 5641037B405; Thu, 15 Nov 2001 04:09:26 -0800 (PST)
Received: from mail.ilrt.bris.ac.uk by dire.bris.ac.uk with SMTP-PRIV with ESMTP; Thu, 15 Nov 2001 12:09:15 +0000
Received: from cmjg (helo=localhost) by mail.ilrt.bris.ac.uk with local-esmtp (Exim 3.16 #1) id 164LHp-0006Bk-00; Thu, 15 Nov 2001 12:06:29 +0000
Date: Thu, 15 Nov 2001 12:06:29 +0000 (GMT)
From: Jan Grant
To: Dmitry Mottl
Cc: freebsd-questions, freebsd-security
Subject: Re: Apache question
In-Reply-To: <3BF3A166.2090009@sinp.msu.ru>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 15 Nov 2001, Dmitry Mottl wrote:

> Hi, All
>
> I have to configure www virtual hosts under Apache
> and I need that all virtual hosts have NO access (through cgi execution) to each
> other.
>
> Is it good to start up a proxy on 80 and
> about 100-300 backend httpd (each under its own uid and gid),
> which will be paged in (from swap) if a connection is requested.
>
> Is there a better solution?
>
> It seems that the suexec apache mechanism will not help,
> cause I have to give hosters GID to access their files,
> so I can't specify proper permissions due to UNIX file security (uuugggooo).
> In this case I need to choose if GID=wwwguest or GID=hoster
>
> Maybe set up a patch to use UFS extended attributes? (www.trustedbsd.org)
> I'm using FreeBSD 4.4-RELEASE

This is an interesting problem, certainly; as you point out, the httpd process owner/group needs to be able to view files in all virtual hosts; CGI scripts in each must not.
I'd say you should be able to do this with a combination of suExec (with a different uid/gid for each virtual host) - although it might need tinkering with to get the directory restrictions it needs correct - and ACLs on the top of each virtual host's cgi-bin.

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk
and Nostradamus never dreamed of the Church of the Accelerated Worm

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
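As an added illustration of the exchange above (example code, not part of the thread and not from either poster), the following Python model implements the POSIX.1e ACL access-check order and runs three constructed docroot layouts through it: classic mode bits with 0750, classic bits with 0755, and 0750 plus a named-user ACL entry for the httpd uid. It shows why the classic owner/group/other bits force the "GID=wwwguest or GID=hoster" choice Dmitry describes (either httpd cannot read, or every other hoster's suexec'd CGI can), and how the ACL layout Jan suggests gives httpd read access without opening the directory to other virtual hosts. All uids, gids, process names and modes are constructed for the illustration; the `setfacl` invocation mentioned in the comments is the shape such an entry takes on an ACL-enabled filesystem and is not a claim about what FreeBSD 4.4 itself supports.

```python
# Added example (not from the thread): a model of POSIX.1e ACL access checks,
# used to compare classic mode bits with a named-user ACL entry for the
# "one httpd user, many hosters" layout. All principals and modes are constructed.
from __future__ import annotations
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits, same encoding as the mode octets


@dataclass
class FileAcl:
    owner_uid: int
    owner_gid: int
    user_obj: int              # permissions of the owning user (ACL_USER_OBJ)
    group_obj: int             # permissions of the owning group (ACL_GROUP_OBJ)
    other: int                 # permissions for everyone else (ACL_OTHER)
    users: dict = field(default_factory=dict)   # named users:  uid -> perms
    groups: dict = field(default_factory=dict)  # named groups: gid -> perms
    mask: int | None = None    # ACL_MASK; None when only the classic bits exist

    def effective_mask(self) -> int:
        # Without an extended ACL nothing is masked; with one, the mask caps
        # named-user, owning-group and named-group entries (not owner or other).
        return 7 if self.mask is None else self.mask


def can_access(acl: FileAcl, uid: int, gids: set, want: int) -> bool:
    """True if a process (uid, supplementary gids) is granted every bit in 'want'.

    Order follows the POSIX.1e access-check algorithm: the owner entry first,
    then a matching named user, then the owning group and named groups (any one
    that grants the bits suffices, but if some matched and none grants them the
    answer is deny without falling through), and finally the other entry.
    """
    mask = acl.effective_mask()
    if uid == acl.owner_uid:
        return want & acl.user_obj == want
    if uid in acl.users:
        return want & acl.users[uid] & mask == want
    group_matched = False
    candidates = [(acl.owner_gid, acl.group_obj)] + list(acl.groups.items())
    for gid, perms in candidates:
        if gid in gids:
            group_matched = True
            if want & perms & mask == want:
                return True
    if group_matched:
        return False
    return want & acl.other == want


# Constructed principals: the httpd user, and two hosting customers who each
# own one virtual host and run their CGIs under suexec as themselves.
WWW, ALICE, BOB = 80, 1001, 1002          # uids; primary gids use the same numbers
PROCS = {
    "httpd":     (WWW,   {WWW}),
    "alice-cgi": (ALICE, {ALICE}),         # suexec'd CGI of alice's vhost
    "bob-cgi":   (BOB,   {BOB}),           # suexec'd CGI of bob's vhost
}


def who_can_read(acl: FileAcl) -> dict:
    """Map each constructed process to whether it may list/read alice's docroot."""
    return {name: can_access(acl, uid, gids, R | X) for name, (uid, gids) in PROCS.items()}


# Layout 1: classic bits only, group = alice's own group, mode 0750.
# httpd cannot read, so the site does not serve at all.
CLASSIC_750 = FileAcl(ALICE, ALICE, user_obj=R | W | X, group_obj=R | X, other=0)

# Layout 2: classic bits only, mode 0755 so httpd reads via 'other'.
# Now every other hoster's CGI can read it too: the cross-vhost exposure.
CLASSIC_755 = FileAcl(ALICE, ALICE, user_obj=R | W | X, group_obj=R | X, other=R | X)

# Layout 3: mode 0750 plus a named-user entry for the httpd uid and a mask of r-x,
# the shape `setfacl -m u:www:rx <dir>` produces on an ACL-enabled filesystem.
# httpd reads, alice reads, bob's CGI is denied.
WITH_ACL = FileAcl(ALICE, ALICE, user_obj=R | W | X, group_obj=R | X, other=0,
                   users={WWW: R | X}, mask=R | X)

if __name__ == "__main__":
    for label, acl in (("0750", CLASSIC_750), ("0755", CLASSIC_755), ("0750+ACL", WITH_ACL)):
        print(label, who_can_read(acl))
```

The mask matters in the third layout: even if the named-user entry for httpd were widened to rwx, a mask of r-x still keeps httpd from writing into the hoster's tree, which is the property you want when the only writer should be the suexec'd owner.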