[EMAIL PROTECTED] & [EMAIL PROTECTED]: I am running Apache 1.3.26 on Debian 3.0r1 (Woody). I would like to enable user ~/public_html directories, but have two security goals which I cannot solve simultaneously:
1. Apache should run as the user when reading user pages and running user CGI scripts. 2. User home directories should not allow group or world access. Using the default Debian configuration, placing content into /home/dpchrist/public_html and browsing to http://192.168.254.2/~dpchrist/ works just fine. Enabling per-user ~/public_html/cgi-bin directories in httpd.conf and invoking "whoami" from a CGI script in /home/dpchrist/public_html/cgi-bin reports "dpchrist", confirming that goal #1 is met (I'm not sure of the mechanics, but assume that Apache is making seteuid() and setegid() system calls at some point before processing the CGI script). However, the default Debian home directory permissions are 755, failing goal #2. When I change my home directory permissions to 700 to meet goal #2, Apache fails with "Forbidden You don't have permission to access /~dpchrist/ on this server. Apache/1.3.26 Server at 192.168.254.2 Port 80". I don't understand why Apache cannot access my files and folders when running as my userid. Does anybody know the explanation? Does anyone know how to meet both goals simultaneously? TIA, David [EMAIL PROTECTED]:~/d3020g/etc/apache# grep -v '^ *#' httpd.conf | grep -v '^$' ServerType standalone ServerRoot /etc/apache LockFile /var/lock/apache.lock PidFile /var/run/apache.pid ScoreBoardFile /var/run/apache.scoreboard Timeout 300 KeepAlive On MaxKeepAliveRequests 100 KeepAliveTimeout 15 MinSpareServers 5 MaxSpareServers 10 StartServers 5 MaxClients 150 MaxRequestsPerChild 100 LoadModule config_log_module /usr/lib/apache/1.3/mod_log_config.so LoadModule config_log_module /usr/lib/apache/1.3/mod_log_config_ssl.so LoadModule mime_magic_module /usr/lib/apache/1.3/mod_mime_magic.so LoadModule mime_module /usr/lib/apache/1.3/mod_mime.so LoadModule mime_module /usr/lib/apache/1.3/mod_mime_ssl.so LoadModule negotiation_module /usr/lib/apache/1.3/mod_negotiation.so LoadModule status_module /usr/lib/apache/1.3/mod_status.so LoadModule autoindex_module /usr/lib/apache/1.3/mod_autoindex.so LoadModule dir_module /usr/lib/apache/1.3/mod_dir.so LoadModule cgi_module /usr/lib/apache/1.3/mod_cgi.so LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so LoadModule alias_module /usr/lib/apache/1.3/mod_alias.so LoadModule rewrite_module /usr/lib/apache/1.3/mod_rewrite.so LoadModule access_module /usr/lib/apache/1.3/mod_access.so LoadModule auth_module /usr/lib/apache/1.3/mod_auth.so LoadModule expires_module /usr/lib/apache/1.3/mod_expires.so LoadModule unique_id_module /usr/lib/apache/1.3/mod_unique_id.so LoadModule setenvif_module /usr/lib/apache/1.3/mod_setenvif.so ExtendedStatus On Port 80 User www-data Group www-data ServerAdmin [EMAIL PROTECTED] ServerName 192.168.254.2 DocumentRoot /var/www <Directory /> Options SymLinksIfOwnerMatch AllowOverride None </Directory> <Directory /var/www/> Options Indexes Includes FollowSymLinks MultiViews AllowOverride None Order allow,deny Allow from all </Directory> <IfModule mod_userdir.c> UserDir public_html </IfModule> <Directory /home/*/public_html> AllowOverride FileInfo AuthConfig Limit Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec <Limit GET POST OPTIONS PROPFIND> Order allow,deny Allow from all </Limit> <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK> Order deny,allow Deny from all </Limit> </Directory> <Directory /home/*/public_html/cgi-bin> Options +ExecCGI </Directory> <IfModule mod_dir.c> DirectoryIndex index.html index.htm index.shtml index.cgi </IfModule> AccessFileName .htaccess <Files ~ "^\.ht"> Order allow,deny Deny from all </Files> UseCanonicalName On TypesConfig /etc/mime.types DefaultType text/plain <IfModule mod_mime_magic.c> MIMEMagicFile share/magic </IfModule> HostnameLookups Off ErrorLog /var/log/apache/error.log LogLevel warn LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v" f ull LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %P %T" d ebug LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combine d LogFormat "%h %l %u %t \"%r\" %>s %b" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent CustomLog /var/log/apache/access.log combined ServerSignature On Alias /icons/ /usr/share/apache/icons/ <Directory /usr/share/apache/icons> Options Indexes MultiViews AllowOverride None Order allow,deny Allow from all </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory /usr/lib/cgi-bin/> AllowOverride None Options ExecCGI Order allow,deny Allow from all </Directory> <IfModule mod_autoindex.c> IndexOptions FancyIndexing NameWidth=* AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip AddIconByType (TXT,/icons/text.gif) text/* AddIconByType (IMG,/icons/image2.gif) image/* AddIconByType (SND,/icons/sound2.gif) audio/* AddIconByType (VID,/icons/movie.gif) video/* AddIcon /icons/binary.gif .bin .exe AddIcon /icons/binhex.gif .hqx AddIcon /icons/tar.gif .tar AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip AddIcon /icons/a.gif .ps .ai .eps AddIcon /icons/layout.gif .html .shtml .htm .pdf AddIcon /icons/text.gif .txt AddIcon /icons/c.gif .c AddIcon /icons/p.gif .pl .py AddIcon /icons/f.gif .for AddIcon /icons/dvi.gif .dvi AddIcon /icons/uuencoded.gif .uu AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl AddIcon /icons/tex.gif .tex AddIcon /icons/bomb.gif core AddIcon /icons/deb.gif .deb AddIcon /icons/back.gif .. AddIcon /icons/hand.right.gif README AddIcon /icons/folder.gif ^^DIRECTORY^^ AddIcon /icons/blank.gif ^^BLANKICON^^ DefaultIcon /icons/unknown.gif ReadmeName README HeaderName HEADER IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t </IfModule> <IfModule mod_mime.c> AddEncoding x-compress Z AddEncoding x-gzip gz tgz AddLanguage da .dk AddLanguage nl .nl AddLanguage en .en AddLanguage et .ee AddLanguage fr .fr AddLanguage de .de AddLanguage el .el AddLanguage it .it AddLanguage ja .ja AddCharset ISO-2022-JP .jis AddLanguage pl .po AddCharset ISO-8859-2 .iso-pl AddLanguage pt .pt AddLanguage pt-br .pt-br AddLanguage ltz .lu AddLanguage ca .ca AddLanguage es .es AddLanguage sv .se AddLanguage cz .cz <IfModule mod_negotiation.c> LanguagePriority en da nl et fr de el it ja pl pt pt-br ltz ca es sv </IfModule> AddType application/x-tar .tgz AddType image/bmp .bmp AddType text/x-hdml .hdml AddHandler cgi-script .pl </IfModule> AddDefaultCharset on <IfModule mod_setenvif.c> BrowserMatch "Mozilla/2" nokeepalive BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 BrowserMatch "RealPlayer 4\.0" force-response-1.0 BrowserMatch "Java/1\.0" force-response-1.0 BrowserMatch "JDK/1\.0" force-response-1.0 </IfModule> <IfModule mod_perl.c> Alias /perl/ /var/www/perl/ <Location /perl> SetHandler perl-script PerlHandler Apache::Registry Options +ExecCGI </Location> </IfModule> Alias /doc/ /usr/share/doc/ <Location /doc> order deny,allow deny from all allow from 127.0.0.0/255.0.0.0 Options Indexes FollowSymLinks MultiViews </Location> <IfModule mod_proxy.c> </IfModule> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]