-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello hackers!
I was thinking of creating a more secure environment for running webscripts (mod_php in my case), I want to run php scripts as their owner. I tought of the following scheme's: http://junk.quis.cx/fViKmLRi/apache-user-scheme-p1.png http://junk.quis.cx/bPkxwAbI/apache-user-scheme-p2.png And an setting: ExecutiveUser %n # This should run php scripts as $script-owner ExecutiveUser www-%n # this should run php scripts as www-$scriptowner ExecutiveGroup www ExecutiveGroup www-%n (%n meaning the script-owners username, and eg %u for the script-owners uid) This would (eg) enable me to: [EMAIL PROTECTED]:~# id uid=1000(quis) gid=1000(users) groups=1000(users),10000(www-quis) [EMAIL PROTECTED]:~# id www-quis uid=10000(www-quis) gid=10000(www-quis) groups=10000(www-quis) [EMAIL PROTECTED]:~# chown quis:www-quis public_html [EMAIL PROTECTED]:~# chmod 750 public_html So only 'my' apache-runas user can access my scripts. How do you think about this idea ? It does decrease the performance a bit (Workers should parse the request, put it in some shm, Executive should pick it up from the shm and really run the php-script (See the links above for the terms Worker and Executive) But if the option is not specified it is possible to do it 'the old way'. Would it be possible to implement this as an MPM, or MOD ? (I don't know enough (yet) of apache to say that.) If that is possible there is no loss when it is disabled. - -- Jille Timmermans Ps Feel free to shoot me or my idea, or give suggestions for improving it. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkge7vAACgkQacI4LQTe9EXNlACfdvZODF399uuwaDFJrUoTISOO dAcAmQFnPinNwCrpCnUVvxu20wwFmybo =Y2CY -----END PGP SIGNATURE-----
