RE: Apache and multiple virtual domains
Hi! However, PHP is still run under the webserver's UID, correct? The only workaround is the run PHP in cgi version...? Yes. You need the CGI version I think Because you need to use the suEXEC wrapper, which is bit SUID, to execute programs under other UIDs (not nobody or httpd) hope it helps. cheers marcelo gulin Jason - Original Message - From: Marcelo Gulin [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Saturday, April 28, 2001 6:13 PM Subject: RE: Apache and multiple virtual domains Hi! You can use suEXEC mechanism to do that job. suEXEC wrapper allow run CGI SSI under different UIDs cheers marcelo gulin - Original Message - From: Marcel Hicking [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, April 27, 2001 3:44 AM Subject: Re: Apache and multiple virtual domains What I want to do is have multiple virtual hosts with each virtual host having a different UID for running CGI-BIN scripts. http://cgiwrap.unixtools.org/ CGIWrap is a gateway program that allows general users to use CGI scripts and HTML forms without compromising the security of the http server. Scripts are run with the permissions of the user who owns the script. In addition, several security checks are performed on the script, which will not be executed if any checks fail. Since scripts uploaded via FTP will be owned by your customers UID, they should then run under his UID. I am not sure, however, if you could get the whole apache subprocess to be run under a different UID this way, but then I am not sure if this would give additional security or other advantages. BTW. I've seen some descriptions on how to set up CGIwrap transparently so your customers whouldn't even notice CGIwrap is running. Something with setting up a handler for file extensions. Maybecheck the tips and tricks page http://cgiwrap.unixtools.org/tricks.html on this as well as for some nice mod_rewrite rules ;-) Cheers, Marcel -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] http://www.zentek-international.com http://hk.zentek-international.com http://us.zentek-international.com -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Apache and multiple virtual domains
hum... However, PHP is still run under the webserver's UID, correct? The only workaround is the run PHP in cgi version...? Jason - Original Message - From: Marcelo Gulin [EMAIL PROTECTED] To: [EMAIL PROTECTED]; debian-isp@lists.debian.org Sent: Saturday, April 28, 2001 6:13 PM Subject: RE: Apache and multiple virtual domains Hi! You can use suEXEC mechanism to do that job. suEXEC wrapper allow run CGI SSI under different UIDs cheers marcelo gulin - Original Message - From: Marcel Hicking [EMAIL PROTECTED] To: debian-isp@lists.debian.org Sent: Friday, April 27, 2001 3:44 AM Subject: Re: Apache and multiple virtual domains What I want to do is have multiple virtual hosts with each virtual host having a different UID for running CGI-BIN scripts. http://cgiwrap.unixtools.org/ CGIWrap is a gateway program that allows general users to use CGI scripts and HTML forms without compromising the security of the http server. Scripts are run with the permissions of the user who owns the script. In addition, several security checks are performed on the script, which will not be executed if any checks fail. Since scripts uploaded via FTP will be owned by your customers UID, they should then run under his UID. I am not sure, however, if you could get the whole apache subprocess to be run under a different UID this way, but then I am not sure if this would give additional security or other advantages. BTW. I've seen some descriptions on how to set up CGIwrap transparently so your customers whouldn't even notice CGIwrap is running. Something with setting up a handler for file extensions. Maybecheck the tips and tricks page http://cgiwrap.unixtools.org/tricks.html on this as well as for some nice mod_rewrite rules ;-) Cheers, Marcel -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] http://www.zentek-international.com http://hk.zentek-international.com http://us.zentek-international.com
RE: Apache and multiple virtual domains
Hi! However, PHP is still run under the webserver's UID, correct? The only workaround is the run PHP in cgi version...? Yes. You need the CGI version I think Because you need to use the suEXEC wrapper, which is bit SUID, to execute programs under other UIDs (not nobody or httpd) hope it helps. cheers marcelo gulin Jason - Original Message - From: Marcelo Gulin [EMAIL PROTECTED] To: [EMAIL PROTECTED]; debian-isp@lists.debian.org Sent: Saturday, April 28, 2001 6:13 PM Subject: RE: Apache and multiple virtual domains Hi! You can use suEXEC mechanism to do that job. suEXEC wrapper allow run CGI SSI under different UIDs cheers marcelo gulin - Original Message - From: Marcel Hicking [EMAIL PROTECTED] To: debian-isp@lists.debian.org Sent: Friday, April 27, 2001 3:44 AM Subject: Re: Apache and multiple virtual domains What I want to do is have multiple virtual hosts with each virtual host having a different UID for running CGI-BIN scripts. http://cgiwrap.unixtools.org/ CGIWrap is a gateway program that allows general users to use CGI scripts and HTML forms without compromising the security of the http server. Scripts are run with the permissions of the user who owns the script. In addition, several security checks are performed on the script, which will not be executed if any checks fail. Since scripts uploaded via FTP will be owned by your customers UID, they should then run under his UID. I am not sure, however, if you could get the whole apache subprocess to be run under a different UID this way, but then I am not sure if this would give additional security or other advantages. BTW. I've seen some descriptions on how to set up CGIwrap transparently so your customers whouldn't even notice CGIwrap is running. Something with setting up a handler for file extensions. Maybecheck the tips and tricks page http://cgiwrap.unixtools.org/tricks.html on this as well as for some nice mod_rewrite rules ;-) Cheers, Marcel -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] http://www.zentek-international.com http://hk.zentek-international.com http://us.zentek-international.com -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: Apache and multiple virtual domains
Hi! You can use suEXEC mechanism to do that job. suEXEC wrapper allow run CGI SSI under different UIDs cheers marcelo gulin - Original Message - From: Marcel Hicking [EMAIL PROTECTED] To: debian-isp@lists.debian.org Sent: Friday, April 27, 2001 3:44 AM Subject: Re: Apache and multiple virtual domains What I want to do is have multiple virtual hosts with each virtual host having a different UID for running CGI-BIN scripts. http://cgiwrap.unixtools.org/ CGIWrap is a gateway program that allows general users to use CGI scripts and HTML forms without compromising the security of the http server. Scripts are run with the permissions of the user who owns the script. In addition, several security checks are performed on the script, which will not be executed if any checks fail. Since scripts uploaded via FTP will be owned by your customers UID, they should then run under his UID. I am not sure, however, if you could get the whole apache subprocess to be run under a different UID this way, but then I am not sure if this would give additional security or other advantages. BTW. I've seen some descriptions on how to set up CGIwrap transparently so your customers whouldn't even notice CGIwrap is running. Something with setting up a handler for file extensions. Maybecheck the tips and tricks page http://cgiwrap.unixtools.org/tricks.html on this as well as for some nice mod_rewrite rules ;-) Cheers, Marcel -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Apache and multiple virtual domains
On Saturday 28 April 2001 12:13, Marcelo Gulin wrote: You can use suEXEC mechanism to do that job. suEXEC wrapper allow run CGI SSI under different UIDs My impression is that suEXEC only works for explicit user home directories wheras cgiwrap works with URLs that map to something equating a home directory and then runs them under whichever UID it finds. I'll have to check this more though. Also suEXEC doesn't seem to have any facilities for limiting the CPU usage, memory, etc for processes it runs. cgiwrap has this hard coded but it's still better than nothing. cheers marcelo gulin - Original Message - From: Marcel Hicking [EMAIL PROTECTED] To: debian-isp@lists.debian.org Sent: Friday, April 27, 2001 3:44 AM Subject: Re: Apache and multiple virtual domains What I want to do is have multiple virtual hosts with each virtual host having a different UID for running CGI-BIN scripts. http://cgiwrap.unixtools.org/ CGIWrap is a gateway program that allows general users to use CGI scripts and HTML forms without compromising the security of the http server. Scripts are run with the permissions of the user who owns the script. In addition, several security checks are performed on the script, which will not be executed if any checks fail. Since scripts uploaded via FTP will be owned by your customers UID, they should then run under his UID. I am not sure, however, if you could get the whole apache subprocess to be run under a different UID this way, but then I am not sure if this would give additional security or other advantages. BTW. I've seen some descriptions on how to set up CGIwrap transparently so your customers whouldn't even notice CGIwrap is running. Something with setting up a handler for file extensions. Maybecheck the tips and tricks page http://cgiwrap.unixtools.org/tricks.html on this as well as for some nice mod_rewrite rules ;-) Cheers, Marcel -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/projects.html Projects I am working on http://www.coker.com.au/~russell/ My home page
Re: Apache and multiple virtual domains
What I want to do is have multiple virtual hosts with each virtual host having a different UID for running CGI-BIN scripts. http://cgiwrap.unixtools.org/ CGIWrap is a gateway program that allows general users to use CGI scripts and HTML forms without compromising the security of the http server. Scripts are run with the permissions of the user who owns the script. In addition, several security checks are performed on the script, which will not be executed if any checks fail. Since scripts uploaded via FTP will be owned by your customers UID, they should then run under his UID. I am not sure, however, if you could get the whole apache subprocess to be run under a different UID this way, but then I am not sure if this would give additional security or other advantages. BTW. I've seen some descriptions on how to set up CGIwrap transparently so your customers whouldn't even notice CGIwrap is running. Something with setting up a handler for file extensions. Maybecheck the tips and tricks page http://cgiwrap.unixtools.org/tricks.html on this as well as for some nice mod_rewrite rules ;-) Cheers, Marcel -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Apache and multiple virtual domains
What I want to do is have multiple virtual hosts with each virtual host having a different UID for running CGI-BIN scripts. http://cgiwrap.unixtools.org/ CGIWrap is a gateway program that allows general users to use CGI scripts and HTML forms without compromising the security of the http server. Scripts are run with the permissions of the user who owns the script. In addition, several security checks are performed on the script, which will not be executed if any checks fail. Since scripts uploaded via FTP will be owned by your customers UID, they should then run under his UID. I am not sure, however, if you could get the whole apache subprocess to be run under a different UID this way, but then I am not sure if this would give additional security or other advantages. BTW. I've seen some descriptions on how to set up CGIwrap transparently so your customers whouldn't even notice CGIwrap is running. Something with setting up a handler for file extensions. Maybecheck the tips and tricks page http://cgiwrap.unixtools.org/tricks.html on this as well as for some nice mod_rewrite rules ;-) Cheers, Marcel
Re: Apache and multiple virtual domains
On Thursday 26 April 2001 18:04, you wrote: Take a look at: http://cgiwrap.unixtools.org/ Thanks for the tip, I've got cgiwrap going now, it does just what I need! On Thursday 26 April 2001 14:03, Andrew Savory wrote: On Thu, 26 Apr, 2001 at 12:21 +0200, Russell Coker wrote: What I want to do is have multiple virtual hosts with each virtual host=20 having a different UID for running CGI-BIN scripts. See http://httpd.apache.org/docs/vhosts/mass.html -- you may be able to do it with standard Apache config directives and possibly a little of mod_rewrite. That page has no mention of how to dynamically chose UID's for accounts. I could possibly make it choose different cgi-bin directories dynamically and have a UID specified for each directory. But then instead of having to change my configuration for each web site I have to change it for each UID (which is just as much pain). Thanks for the suggestion, but it doesn't seem to do what I need. I want the cgi-bin for www.company.com to be run under the company.com account (which will be in LDAP). Then to create a new domain I put the FTP accounts for upload and the cgi-bin account into the LDAP server, upload the content (the FTP server creates the directory automatically) and then it all works! -- http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/projects.html Projects I am working on http://www.coker.com.au/~russell/ My home page
Re: Apache and multiple virtual domains
On Thursday 26 April 2001 14:03, Andrew Savory wrote: On Thu, 26 Apr, 2001 at 12:21 +0200, Russell Coker wrote: What I want to do is have multiple virtual hosts with each virtual host=20 having a different UID for running CGI-BIN scripts. See http://httpd.apache.org/docs/vhosts/mass.html -- you may be able to do it with standard Apache config directives and possibly a little of mod_rewrite. That page has no mention of how to dynamically chose UID's for accounts. I could possibly make it choose different cgi-bin directories dynamically and have a UID specified for each directory. But then instead of having to change my configuration for each web site I have to change it for each UID (which is just as much pain). Thanks for the suggestion, but it doesn't seem to do what I need. I want the cgi-bin for www.company.com to be run under the company.com account (which will be in LDAP). Then to create a new domain I put the FTP accounts for upload and the cgi-bin account into the LDAP server, upload the content (the FTP server creates the directory automatically) and then it all works! -- http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/projects.html Projects I am working on http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Apache and multiple virtual domains
We use sbox, which is sorta like suEXEC, but can put ulimit, processor usage, and disk space usage limits on each script that runs, in addition to running as a particular user. We use mod_rewrite so that the end user just calls their scripts as normal (http://somedomain.com/cgi-bin/myperlscript.cgi), and it actually calls sbox and runs as the owner of the myperlscript.cgi. Works marvelously, and our clients don't even know we're protecting them from themselves. =P It's written by Lincoln Stein (contributing author to WebTechniques and other publications). He's always been very prompt to answer any questions I've had. http://stein.cshl.org/software/sbox/ Eric On Thursday 26 April 2001 14:03, Andrew Savory wrote: On Thu, 26 Apr, 2001 at 12:21 +0200, Russell Coker wrote: What I want to do is have multiple virtual hosts with each virtual host=20 having a different UID for running CGI-BIN scripts. See http://httpd.apache.org/docs/vhosts/mass.html -- you may be able to do it with standard Apache config directives and possibly a little of mod_rewrite. That page has no mention of how to dynamically chose UID's for accounts. I could possibly make it choose different cgi-bin directories dynamically and have a UID specified for each directory. But then instead of having to change my configuration for each web site I have to change it for each UID (which is just as much pain). Thanks for the suggestion, but it doesn't seem to do what I need. I want the cgi-bin for www.company.com to be run under the company.com account (which will be in LDAP). Then to create a new domain I put the FTP accounts for upload and the cgi-bin account into the LDAP server, upload the content (the FTP server creates the directory automatically) and then it all works! -- http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/projects.html Projects I am working on http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Apache and multiple virtual domains
On Thu, 26 Apr, 2001 at 12:21 +0200, Russell Coker wrote: What I want to do is have multiple virtual hosts with each virtual host=20 having a different UID for running CGI-BIN scripts. See http://httpd.apache.org/docs/vhosts/mass.html -- you may be able to do it with standard Apache config directives and possibly a little of mod_rewrite. Andrew. -- All views are my own, who else would want them?
Re: Apache and multiple virtual domains
On Thursday 26 April 2001 14:03, Andrew Savory wrote: On Thu, 26 Apr, 2001 at 12:21 +0200, Russell Coker wrote: What I want to do is have multiple virtual hosts with each virtual host=20 having a different UID for running CGI-BIN scripts. See http://httpd.apache.org/docs/vhosts/mass.html -- you may be able to do it with standard Apache config directives and possibly a little of mod_rewrite. That page has no mention of how to dynamically chose UID's for accounts. I could possibly make it choose different cgi-bin directories dynamically and have a UID specified for each directory. But then instead of having to change my configuration for each web site I have to change it for each UID (which is just as much pain). Thanks for the suggestion, but it doesn't seem to do what I need. I want the cgi-bin for www.company.com to be run under the company.com account (which will be in LDAP). Then to create a new domain I put the FTP accounts for upload and the cgi-bin account into the LDAP server, upload the content (the FTP server creates the directory automatically) and then it all works! -- http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/projects.html Projects I am working on http://www.coker.com.au/~russell/ My home page
Re: Apache and multiple virtual domains
We use sbox, which is sorta like suEXEC, but can put ulimit, processor usage, and disk space usage limits on each script that runs, in addition to running as a particular user. We use mod_rewrite so that the end user just calls their scripts as normal (http://somedomain.com/cgi-bin/myperlscript.cgi), and it actually calls sbox and runs as the owner of the myperlscript.cgi. Works marvelously, and our clients don't even know we're protecting them from themselves. =P It's written by Lincoln Stein (contributing author to WebTechniques and other publications). He's always been very prompt to answer any questions I've had. http://stein.cshl.org/software/sbox/ Eric On Thursday 26 April 2001 14:03, Andrew Savory wrote: On Thu, 26 Apr, 2001 at 12:21 +0200, Russell Coker wrote: What I want to do is have multiple virtual hosts with each virtual host=20 having a different UID for running CGI-BIN scripts. See http://httpd.apache.org/docs/vhosts/mass.html -- you may be able to do it with standard Apache config directives and possibly a little of mod_rewrite. That page has no mention of how to dynamically chose UID's for accounts. I could possibly make it choose different cgi-bin directories dynamically and have a UID specified for each directory. But then instead of having to change my configuration for each web site I have to change it for each UID (which is just as much pain). Thanks for the suggestion, but it doesn't seem to do what I need. I want the cgi-bin for www.company.com to be run under the company.com account (which will be in LDAP). Then to create a new domain I put the FTP accounts for upload and the cgi-bin account into the LDAP server, upload the content (the FTP server creates the directory automatically) and then it all works! -- http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/projects.html Projects I am working on http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
