Date:      Mon, 3 May 2004 08:26:29 +0000
From:      Mikkel Christensen <mikkel@talkactive.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: Suexec with Apache 1.3.29
Message-ID:  <200405030826.29984.mikkel@talkactive.net>
In-Reply-To: <200404300758.47067.mikkel@talkactive.net>
References:  <200404262126.36157.mikkel@talkactive.net> <200404291954.04559.mikkel@talkactive.net> <200404300758.47067.mikkel@talkactive.net>

On Friday 30 April 2004 07:58, Mikkel Christensen wrote:
> On Thursday 29 April 2004 19:54, Mikkel Christensen wrote:
> > On Thursday 29 April 2004 18:20, Marty Landman wrote:
> > > At 01:13 PM 4/29/2004, Mikkel Christensen wrote:
> > > >On Thursday 29 April 2004 14:22, Marty Landman wrote:
> > > That said, the constraint 
> > > that you point out is imposed by suexec is that the id owning that file 
> > > must also own all the applications that have any access to that file. 
> > > Unless you deem fit to make the file world readable, writeable, or executable.
> > 
> > Technically if no other users than www itself are members of the www group I find the more sophisticated way of setting permissions you gain would be more important.
> > It is my belief that suexec by being too paranoid removes some great configuration options. Some options that I would personally prefer.
> > But of course this is my opinion and I'll bet the people who maintain suexec disagree:)
> > 
> 
> Hmm maybe there is a way to get what I want.
> If apache's user is added to all the groups that the users are members of this would work.
> 
> Eg. user1 is member of the group user1.
> So is the www-user.
> 
> Now setting permissions 644 would give access to everyone.
> Setting permissions 640 would deny all other users on the server access to the files.
> Setting permissions 600 would completely deny everyone from reading the files.
> This is what I wanted from the beginning. Setting www as group owner of the files would be a lot easier in my opinion than adding the www-user to every user's group.
> But it will do. Now I'm happy:-)
> 

Hmm not that happy after all.
The concept of making the apache user a member of many groups works fine to begin with.
But when the number of memberships apache has exceeds a certain number it refuses to start.
The number of memberships is not specific but lies around 15-25.

Lines like these are written multiple times (usually about 10 times) to the apache error log:
[Mon May  3 10:13:29 2004] [alert] (22)Invalid argument: initgroups: unable to set groups for User www and Group 80

Then these lines follow:
[Mon May  3 10:13:29 2004] [notice] Apache/1.3.29 (Unix) PHP/4.3.4 configured -- resuming normal operations
[Mon May  3 10:13:29 2004] [notice] suEXEC mechanism enabled (wrapper: /usr/local/sbin/suexec)
[Mon May  3 10:13:29 2004] [notice] Accept mutex: flock (Default: flock)
[Mon May  3 10:13:29 2004] [alert] Child 51086 returned a Fatal error...
Apache is exiting!

My test setup is FreeBSD 5.2.1 and Apache 1.3.29 with suexec.
I guess this might be an issue for an Apache mailing list unless initgroups is part of the FreeBSD system. Does anyone know this?

- Mikkel
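
An added diagnostic sketch, not part of the original message: initgroups(3) builds a user's group list from the group database and passes it to setgroups(2), which fails with EINVAL when the list is longer than the system's NGROUPS_MAX. The script counts a user's memberships from group(5)-format text and compares the count with that limit; the sample data, the function names and the conservative choice to count the primary group against the limit are assumptions.

```python
import os

# Constructed sample in group(5) format: name:passwd:gid:member,member,...
SAMPLE_GROUP = """\
# constructed sample, not taken from the original post
www:*:80:
user1:*:1001:www
user2:*:1002:www,user2
user3:*:1003:user3
staff:*:20:root, www
broken line without fields
"""

def memberships(group_text, user, primary_gid):
    """Return the sorted gids that would end up in the user's group list."""
    gids = {primary_gid}              # the primary group is always in the list
    for line in group_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                  # blank line or comment
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue                  # skip malformed entries
        members = [m.strip() for m in fields[3].split(",") if m.strip()]
        if user in members:
            gids.add(int(fields[2]))
    return sorted(gids)

def check_limit(group_text, user, primary_gid, limit=None):
    """Compare the user's group count with the per-process group limit."""
    if limit is None:
        limit = os.sysconf("SC_NGROUPS_MAX")   # runtime value of NGROUPS_MAX
    gids = memberships(group_text, user, primary_gid)
    return {"gids": gids, "count": len(gids), "limit": limit,
            "fits": len(gids) <= limit}

if __name__ == "__main__":
    # limit=3 is an artificially low value so the sample trips the check
    print(check_limit(SAMPLE_GROUP, "www", 80, limit=3))
```

To audit a live host, pass the contents of /etc/group and the web server user's name and primary gid, and leave `limit` unset so the running system's value is used.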


