Hello,

I already discussed this subject on the list. There were several possible solutions for this subject and I have chosen one, which I would like to present now.

The problem: I have several vhosts, which are used by several people. Apache is running with $UID 67. Users can access the system by using scponly, which is jailed into /var/www. No problem here so far. The issue was that all scripts must be readable or even writable by the Apache web server. So one hacked page could damage other vhosts by writing some PHP code to access the other vhosts within /var/www.

My solution:

1. I got SuExec working within the chroot environment. (http://www.openbsdsupport.org/ApacheSuexecChroot.html)
2. I wrote a patch for suexec.c to handle *.php correctly. (http://files.haeckser.net/haeckser.net/suexec.patch)
3. I compiled PHP myself with CGI support and moved the binary into the chroot.
4. I removed mod_php and mod_perl and set the Apache directives "User", "Group", "AddHandler cgi-script" and "Options +ExecCGI".

Now, every PHP script has the permissions 700 and gets executed with its own $UID. I feel much better now. :)

Bye,
Aiko

--
Aiko Barz <[EMAIL PROTECTED]>
Web: http://www.haeckser.de
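
A check for the end state the post describes (every PHP script mode 700, nothing owned by the web server UID), as an added example that is not part of the original post. UID 67 and /var/www come from the post; the function name, the output format and the extra writable-directory check are assumptions made here.

```shell
#!/bin/sh
# Added example: audit a shared web root for files that break per-user
# isolation under suexec. audit_php_perms is a hypothetical helper name.

# audit_php_perms ROOT WEB_UID
# Prints one "REASON<TAB>PATH" line per finding and returns 1 if any exist.
audit_php_perms() {
    root=$1
    web_uid=$2
    findings=$(
        # Any mode other than exactly 700 differs from the state in the post
        # (for example 644 lets other accounts read the script).
        find "$root" -type f -name '*.php' ! -perm 700 \
            -exec printf 'mode\t%s\n' {} \;
        # A script owned by the web server account can be rewritten by any
        # code that still runs under that account.
        find "$root" -type f -name '*.php' -user "$web_uid" \
            -exec printf 'owner\t%s\n' {} \;
        # Assumed extra check: a group- or world-writable directory lets
        # another account drop new scripts next to the existing ones.
        find "$root" -type d \( -perm -020 -o -perm -002 \) \
            -exec printf 'dir-writable\t%s\n' {} \;
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit.sh /var/www 67
if [ "$#" -gt 0 ]; then
    audit_php_perms "$1" "${2:-67}"
fi
```

A non-zero exit status makes the script usable from cron or a deployment hook to catch uploads that arrive with looser permissions.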