Hi,
_________________________________________________________________
Background of Problem
At our [1]webhosting cooperative, each website is set up in a virtual
host like this:
<VirtualHost *>
    ServerName www.livingcosmos.org
    ErrorLog /var/log/apache/www.livingcosmos.org-error.log
    CustomLog /var/log/apache/www.livingcosmos.org-access.log combined
    IndexOptions FancyIndexing FoldersFirst
    ServerAlias livingcosmos.org
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /home/terry/public_html/livingcosmos.org
    <Location />
        Options +Includes +IncludesNOEXEC
    </Location>
    Alias /pipermail /var/lib/mailman/archives/public
    <Location />
        AddHandler perl-script .html
        PerlModule HTML::Mason::ApacheHandler
        PerlHandler HTML::Mason::ApacheHandler
    </Location>
    PerlSetVar MasonDataDir /home/terry/public_html/livingcosmos.org/mason_data
    User www-data
    Group www-data
</VirtualHost>
Unfortunately, we have been hit by a [2]uselib() privilege elevation
exploit. As a result, our sysadmins have decided that any CGI/mod_perl
process has to run as a specific user instead of as www-data.
At the moment, the sysadmins see no way to run mod_perl such that the
mod_perl requests can run as a specific user. Unless I can find a way
to have mod_perl processes for each virtual host run as a specific
user, we will have mod_perl shut down.
_________________________________________________________________
The Question
How can we set up our virtual hosts so that each one runs as a specific
Unix user?
_________________________________________________________________
Last updated 12-Jul-2005 21:50:04 GMT
References
1. http://hcoop.net/
2. http://packetstorm.rlz.cl/0501-exploits/uselib24.c
--
Carter's Compass: I know I'm on the right track when,
by deleting something, I'm adding functionality.