Date: Tue, 17 Feb 2004 09:30:55 -0800
From: Justin Hopper <jhopper@bsdhosting.net>
To: isp@freebsd.org
Subject: Re: Apache and home directories (file browser).
Message-ID: <1077039055.3523.182.camel@work.gusalmighty.com>
In-Reply-To: <20040216231312.GB78809@lewiz.org>
References: <HJEELFHCPNPOPDIOMAKBOEDJCDAA.shawnm@iodamedia.net> <2004216225557.966318@juanjo> <20040216231312.GB78809@lewiz.org>

On Mon, 2004-02-16 at 15:13, Lewis Thompson wrote:
> On Mon, Feb 16, 2004 at 10:55:57PM +0100, Juan Jose Sanchez Mesa wrote:
> > > /home/joe/access_list <--- Access list for Joe's .htaccess
> > > files /home/tim/public_html/file_add.php <-- Some script Tim has
> > > in his directory
> > >
> > If you set open_base_dir value to '/home/tim/public_html/', the PHP
> > executed in this vhost, can't access any directory/file below it.
>
> I understand this. However, I don't see that this helps reading/writing
> to home directories. I really want home directories to be owned by the
> ``correct'' person and not all by the www user.
>
> Maybe I'm jumping the gun and assuming you are trying to answer my
> question when you're not -- sorry if this is the case ;)
>
> -lewiz.

If you are only going to allow access to the webserver through a
particular language, such as PHP or CGI, then either suPHP or suexec
should work fine to setuid the Apache process to the user while the
script is being run.

However, if you will be using Apache in a normal fashion, where users
can run PHP scripts, CGIs, etc., then you'll want to take a look at
something that provides a setuid function higher up in Apache's
pipeline. There is the per_child module, which ships with Apache 2.x,
but it is still in the "experimental" branch and I've heard that the
project was abandoned or has stalled. There is another project that has
branched off of it but I cannot recall its name. If you ask on the
apache-modules@covalent.net list, there are people who know (probably on
this list too).

We had a similar need with one of our products and ended up writing our
own module that setuid the Apache process to a user that was tied to a
virtual host. The process would then handle the request as the
specified user, executing PHP, browsing, executing CGIs, etc. The
module has so far worked really well and we might be releasing it as
Open Source in the near future.

--
Justin Hopper <jhopper@bsdhosting.net>
UNIX Systems Engineer
BSDHosting.net
Hosting Division of Digital Oasys Inc.
http://www.bsdhosting.net
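
The message above describes handling a request as the user tied to a virtual host. The following C sketch is an added example, not code from the message or from the module it mentions, and shows the privilege drop such a design depends on: refuse root and system accounts, then clear supplementary groups, set the gid, set the uid, and verify that root cannot be regained. The names, the MIN_ID floor of 1000, exit code 111 and the 1001:1001 owner are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE            /* exposes setgroups() on glibc */
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MIN_ID 1000                /* assumed policy floor: no root or system accounts */
#define EXIT_DROP_FAILED 111       /* assumed exit code for a refused or failed drop */

/* Policy gate: 1 if a vhost may run as this uid/gid, 0 otherwise. */
int target_allowed(uid_t uid, gid_t gid) {
    if (uid == (uid_t)-1 || gid == (gid_t)-1) return 0;   /* "no change" sentinel */
    return uid >= MIN_ID && gid >= MIN_ID;
}

/* Irreversibly become uid/gid. Returns 0 on success, negative on failure. */
int drop_to(uid_t uid, gid_t gid) {
    if (!target_allowed(uid, gid)) return -1;  /* refused before any syscall */
    if (setgroups(1, &gid) != 0) return -2;    /* discard inherited supplementary groups */
    if (setgid(gid) != 0) return -3;           /* gid first: not permitted after setuid */
    if (setuid(uid) != 0) return -4;           /* as root: real, effective and saved uid */
    if (setuid(0) == 0) return -5;             /* regaining root must fail */
    if (getuid() != uid || geteuid() != uid || getegid() != gid) return -5;
    return 0;
}

/* Constructed stand-in for request handling: succeeds only when not root. */
int sample_handler(void) {
    return geteuid() == 0 ? 1 : 0;
}

/* Run one handler in a child as the vhost owner; the parent keeps its identity.
 * Returns the child's exit status, or -1 if fork/wait failed. */
int serve_as(uid_t uid, gid_t gid, int (*handler)(void)) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)   /* child: drop, serve, exit; never return to the caller */
        _exit(drop_to(uid, gid) == 0 ? handler() : EXIT_DROP_FAILED);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed vhost owner 1001:1001: exits 0 when started as root, else 111. */
    return serve_as(1001, 1001, sample_handler);
}
```

The drop happens in a forked child because it cannot be undone, so a process that has served one owner must not go on to serve a different one.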