Hi

Okay, I read the words, but I'm not sure that I fully understand the solution - correct me if I'm wrong:

I configure apache with virtual hosts, this in the httpd.conf:

NameVirtualHost 192.168.0.3:80
NameVirtualHost 192.168.0.3:4555

<VirtualHost 192.168.0.3:80>
    ServerName www.domain.ext
    DocumentRoot /www/domain
</VirtualHost>

<VirtualHost 192.168.0.3:4555>
    ServerName admin.domain.ext
    DocumentRoot /www/admin
    SuexecUserGroup admin.admin
</VirtualHost>

As mentioned previously, suexec -V gives:

 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=500
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"

so the user and group admin would be uid & gid > 500 and the binaries would all need to be located in the /usr/local/bin, /usr/bin or /bin directories.

Am I missing anything? (apart from my mind, that went long ago!!)

On 16 Jun 2003 at 23:08, drieux wrote:

>
> On Monday, Jun 16, 2003, at 03:11 US/Pacific, Eugene Geldenhuys wrote:
> [..]
> Thanks for the advice
>
> I have looked at the items you
> mentioned - details in body of reply [..]
>
> will someone remind the drieux to have coffee,
> I think the problem could well be the infamous
> problem of binding processes to well named ports,
> eg ones below 1024, and as such the actual 'binary'
> code will need to be setgid - eg: 4555 - so that
> it can be run initially by a 'root' process that
> will allow it to bind to the port, setgid(),
> then setuid() and THEN fork itself into the background.
>
> I normally run Virtual Hosts on ports above 1024 so
> that I do not run into this problem. Or if I am
> rigging apache to be a 'stand alone' - then I just
> define the user/group values to be running as the
> uid/gid that is required... in that case I totally
> avoid the whole suexec() problem in most cases, since
> the httpd daemons are already forked out as the required
> uid/gid....
>
> ciao
> drieux
>
> ---
>
> More Dumb Things to NOT CODE!
>
> do not setuid() to a non-privileged user
> if you need to call setgid()... even if all
> the oldGuys say 'setuid(), setgid()', that's because
> they are pushing the values onto a mental stack
> for them to pop off later....
>

Best Regards
Eugene Geldenhuys
MCNE ECNE MCSE MCP
TFX SOLUTIONS - PROFESSIONAL NETWORK DESIGN, IMPLEMENTATION AND SUPPORT
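
An added example, not part of the original thread and not Apache's own code: a Python check that reproduces a subset of the tests in suexec's documented security model, using the compiled-in limits from the `suexec -V` output quoted above. The uid/gid 501 for `admin`, the file name `status.cgi` and the `FileInfo` stand-in for `os.stat()` results are assumptions made for the example.

```python
import os
import stat
from collections import namedtuple

# Compiled-in limits, copied from the `suexec -V` output in the message.
AP_DOC_ROOT = "/var/www"
AP_UID_MIN = 500
AP_GID_MIN = 500

# Stand-in for os.stat_result so the check runs without touching the disk.
FileInfo = namedtuple("FileInfo", "st_uid st_gid st_mode")


def within(path, root):
    """True if path lies inside root after lexical normalisation."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return os.path.commonpath([path, root]) == root


def suexec_precheck(uid, gid, cgi_path, info, doc_root=AP_DOC_ROOT,
                    uid_min=AP_UID_MIN, gid_min=AP_GID_MIN):
    """Return the reasons suexec would refuse to run cgi_path (empty = pass)."""
    problems = []
    if uid < uid_min:
        problems.append("uid below AP_UID_MIN")
    if gid < gid_min:
        problems.append("gid below AP_GID_MIN")
    if not within(cgi_path, doc_root):
        problems.append("program outside AP_DOC_ROOT")
    if (info.st_uid, info.st_gid) != (uid, gid):
        problems.append("program not owned by target user/group")
    if info.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("program writable by group or other")
    if info.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("program is setuid/setgid")
    return problems


if __name__ == "__main__":
    # Constructed sample: admin is uid/gid 501 and owns a 0755 CGI script.
    script = FileInfo(st_uid=501, st_gid=501, st_mode=0o100755)
    for path in ("/www/admin/cgi-bin/status.cgi",
                 "/var/www/admin/cgi-bin/status.cgi"):
        print(path, "->", suexec_precheck(501, 501, path, script) or "ok")
```

With these inputs, a script under the `/www/admin` DocumentRoot fails the AP_DOC_ROOT test while the same script under `/var/www` passes; refusals from the real wrapper are recorded in the AP_LOG_EXEC file.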