The more I watch this thread the more I agree with the people who are advocating selinux. This is really exactly the kind of thing that selinux was designed to handle, and it results in a more, not less, secure system. I realize selinux is slightly scary at first view, but I've found it to be not too bad to work with after a few hours of study.
Dave

On Tue, 15 Nov 2011, Alex Aminoff wrote:

> About a decade ago I do recall solving a similar problem by running
> apache as root and using some sort of setuid capability such that apache
> would become the user in question, and thus have all of their
> permissions. This approach was strongly discouraged since it opens up
> your system to anyone who can find a security hole in apache. Perhaps it
> could be made slightly safer if apache was run inside a chroot jail of
> some sort that included homedirs but not the rest of the system?
>
> Documentation for mod_suid says "thus you have to compile and configure
> Apache2 with -DBIG_SECURITY_HOLE option". I chuckled.
>
> As an alternative to running all of apache as root, you could
> setuid-enable just those functions that need to be done by the user.
> Still dangerous though.
>
> - Alex

_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
