>Number: 5777 >Category: config >Synopsis: User,Group keywords in <VirtualHost> directive does not change >file access perms >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Fri Feb 18 10:40:00 PST 2000 >Closed-Date: >Last-Modified: >Originator: [EMAIL PROTECTED] >Release: 1.3.11 >Organization: apache >Environment: RH Linux 6.1, Kernel 2.2.14, GCC 2.9.5 >Description: There is no way to lock down the read access to files located in a Virtual Host Document tree, apart from the userid apache is running as. Currently, the only means of having a Virtual Host run as a different user is through the User command in the <VirtualHost> group. However, this does not seem to work, as the Suexec program only switches userid when executing CGI's or SSI's.
For example, I would like Apache to be able to do the following: Run document root website as user 'www'. Run several different virtual hosts as user 'www'. Run a secure webserver (different vhost & DocumentRoot) as user 'secureweb'. DocumentRoot of the secure webserver is set to /usr/local/secureweb. I would like to be able to chown this directory to the uid 'secureweb' and set the chmod to 700 and still be read by Apache because the <VirtualHost> directive has the command 'User secureweb' in it. Right now, I get access denied messages because user 'www' has no access to the tree /usr/local/secureweb. Thanks for reading this report. >How-To-Repeat: >Fix: >Release-Note: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include <[EMAIL PROTECTED]> in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]
