From owner-freebsd-isp@FreeBSD.ORG  Mon Feb 16 14:31:17 2004
Return-Path: <owner-freebsd-isp@FreeBSD.ORG>
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C6BF416A4CE
	for <isp@freebsd.org>; Mon, 16 Feb 2004 14:31:17 -0800 (PST)
Received: from mg3.xecu.net (mg3.xecu.net [216.127.136.203])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B04A143D1F
	for <isp@freebsd.org>; Mon, 16 Feb 2004 14:31:17 -0800 (PST)
	(envelope-from andy@xecu.net)
Received: by mg3.xecu.net (Postfix, from userid 1003)
	id 738AF3DA350; Mon, 16 Feb 2004 17:31:16 -0500 (EST)
Received: from thunder.xecu.net (thunder.xecu.net [216.127.136.208])
	by mg3.xecu.net (Postfix) with ESMTP
	id 203243DA7FF; Mon, 16 Feb 2004 17:31:16 -0500 (EST)
Date: Mon, 16 Feb 2004 17:31:13 -0500 (EST)
From: Andy Dills <andy@xecu.net>
To: Lewis Thompson <purple@lewiz.net>
In-Reply-To: <20040216214437.GC65551@lewiz.org>
Message-ID: <Pine.BSF.4.44.0402161724510.53106-100000@thunder.xecu.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: isp@freebsd.org
Subject: Re: Apache and home directories (file browser).
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers <freebsd-isp.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-isp>
List-Post: <mailto:freebsd-isp@freebsd.org>
List-Help: <mailto:freebsd-isp-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Feb 2004 22:31:17 -0000

On Mon, 16 Feb 2004, Lewis Thompson wrote:

> I think this is what I'm looking for, yes.  Since I posted this I asked
> some questions on IRC and somebody mentioned that Apache can be chrooted
> to the uid of a script's owner (similar in a way to safe_mode in PHP).
> This would surely then allow files to be read/written by Apache in a
> secure fashion.
>
>   My worry here is that Apache would have to be running as root to
> chroot -- can anybody confirm this for me?  (Indeed, can anybody confirm
> that it is even possible to do this?)

While you can chroot apache, that's serverwide, not per-virtualhost.

If I were you and I wanted to do what you're talking about, I'd use suexec
with perl scripts. AFAIK, that's the only way to do it correctly.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---