Date:      Tue, 17 Feb 2004 11:24:57 -0500
From:      Damian Gerow <damian@sentex.net>
To:        isp@freebsd.org
Subject:   Re: Apache and home directories (file browser).
Message-ID:  <20040217162457.GB59940@sentex.net>
In-Reply-To: <Pine.BSF.4.44.0402161724510.53106-100000@thunder.xecu.net>
References:  <20040216214437.GC65551@lewiz.org> <Pine.BSF.4.44.0402161724510.53106-100000@thunder.xecu.net>

Thus spake Andy Dills (andy@xecu.net) [16/02/04 17:51]:
> > I think this is what I'm looking for, yes.  Since I posted this I asked
> > some questions on IRC and somebody mentioned that Apache can be chrooted
> > to the uid of a script's owner (similar in a way to safe_mode in PHP).
> > This would surely then allow files to be read/written by Apache in a
> > secure fashion.

<snip>

> While you can chroot apache, that's serverwide, not per-virtualhost.
> 
> If I were you and I wanted to do what you're talking about, I'd use suexec
> with perl scripts. AFAIK, that's the only way to do it correctly.

I get the impression that's what was meant, and this is just a confusion of
terms.  You don't chroot to a uid, you generally 'drop' privileges to a uid.

To answer the question..

> >   My worry here is that Apache would have to be running as root to
> > chroot -- can anybody confirm this for me?  (Indeed, can anybody confirm
> > that it is even possible to do this?)

When you start Apache, you need to start it as root, then it drops
privileges to, for later versions of FreeBSD, uid www.  If you have suexec
set up, I don't know exactly how it works, but it drops privileges from root
(who starts httpd) to whichever user suexec is configured to.

  - Damian
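
The start-as-root, chroot, then drop-to-an-unprivileged-uid sequence discussed in this thread, as an added example that is not part of the original message and is not Apache's or suexec's code. The function names and the jail directory argument are hypothetical; the `www` account is the one named in the message.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose chroot(2) and setgroups(2) */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    /* Order matters: supplementary groups, then gid, then uid. Once the
     * uid is no longer 0 the process cannot change its groups any more. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* root must not be recoverable */
        return -1;
    return 0;
}

/* chroot(2) into jail, then drop to uid/gid. Must be called as root. */
int confine_and_drop(const char *jail, uid_t uid, gid_t gid) {
    /* This example refuses to continue unless it was started as root. */
    if (geteuid() != 0) { errno = EPERM; return -1; }
    /* chdir("/") so no working directory outside the jail is kept. */
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    return drop_privileges(uid, gid);
}

int main(int argc, char **argv) {
    /* Look the account up before chroot(): the passwd database lives
     * outside the jail. argv[1] is the (hypothetical) jail directory. */
    struct passwd *pw = getpwnam("www");
    if (argc != 2 || pw == NULL) {
        fprintf(stderr, "usage: %s <jail-dir> (needs user www)\n", argv[0]);
        return 2;
    }
    if (confine_and_drop(argv[1], pw->pw_uid, pw->pw_gid) != 0) {
        perror("confine_and_drop");
        return 1;
    }
    return 0;
}
```
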


