On Thu, 25 Oct 2001, Rod Roark wrote:

> I did come up with a possible solution. However I'm not sure if it's
> complete garbage, mildly useful, or really interesting. That's why
> I'm posting here.
>
> Then, /opt/www/users looks like this:
>
> drwx--x--x root    root    .
> drwxrwx--- some    apache  somename_ThisIsASecret
> drwxrwx--- another apache  anothername_ThisIsAnotherSecret
>
> You get the idea. Nobody can list the contents of /opt/www/users,
> but users can get into their own directory if they know its name.
This does of course restrict them when they're logged on to your machine as themselves... The real problem in all of this, though, is that their CGI scripts and PHP documents and so on all run as the apache user, and the apache user has rights to all of them, meaning that they all can get access to each other's files by simply telling the webserver to do it for them. SuExec fixes this for CGI, but not for PHP and so on.

The real solution will come with Apache 2.0 as the "perchild MPM", which allows separate Apache child processes to run under different UIDs. Each child only handles those requests that are for the virtual hosts assigned to it, and it hands off requests for other vhosts to the other children as necessary. This is better than the approach of totally separate instances of httpd since, as you mention, in the totally separate scenario only one can be running on port 80 for a given IP address.

--Cliff

--------------------------------------------------------------
Cliff Woolley
[EMAIL PROTECTED]
Charlottesville, VA
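The permission arithmetic behind both messages, as an added Python example that is not part of the thread: it models the quoted listing (owners, groups and modes taken from it; "some" and "another" are the owning users) and evaluates who can list the parent and who can read each user's directory, which shows why the shared apache identity reaches every tenant.

```python
from typing import NamedTuple

class Entry(NamedTuple):
    mode: int    # permission bits only, as octal
    owner: str
    group: str

# Constructed tree matching the listing quoted in the message:
# drwx--x--x root root .  /  drwxrwx--- <user> apache <name>_<secret>
TREE = {
    "/opt/www/users": Entry(0o711, "root", "root"),
    "/opt/www/users/somename_ThisIsASecret": Entry(0o770, "some", "apache"),
    "/opt/www/users/anothername_ThisIsAnotherSecret": Entry(0o770, "another", "apache"),
}
BASE = "/opt/www/users"
R, W, X = 4, 2, 1

def permits(entry: Entry, user: str, groups: set, want: int) -> bool:
    """Standard Unix class selection: owner bits if the user owns the
    entry, else group bits if one of its groups matches, else 'other'.
    Only one class is consulted, never a union of them."""
    if user == "root":
        return True
    if user == entry.owner:
        shift = 6
    elif entry.group in groups:
        shift = 3
    else:
        shift = 0
    return (entry.mode >> shift) & want == want

def can_open(path: str, user: str, groups: set, want: int) -> bool:
    """Reaching an entry by name needs x (search) on every ancestor
    directory in the model plus the requested bits on the entry itself.
    Ancestors outside the model (/opt, /opt/www) are assumed traversable."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        parent = "/" + "/".join(parts[:i])
        if parent in TREE and not permits(TREE[parent], user, groups, X):
            return False
    return permits(TREE[path], user, groups, want)

def can_list_base(user: str, groups: set) -> bool:
    """Listing a directory is the read bit; the parent is --x--x, so only root can."""
    return can_open(BASE, user, groups, R)

def readable_user_dirs(user: str, groups: set) -> list:
    """Per-user directories this identity can enter and read, given it knows the name."""
    return [p for p in TREE if p.startswith(BASE + "/")
            and can_open(p, user, groups, R | X)]
```

The model treats the secret directory names as known, which is exactly the position of a script running as apache: the webserver already holds the path.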
