Re: Default Apache install not fit for multiple domains/users
Thank you for the information. Am I right that php-scripts then would need an execute-bit set? Currently they don't have ...

On 9 Jun 2003 at 17:59, Jon wrote:

> On Mon, 2003-06-09 at 17:28, Phillip Hofmeister wrote:
> > On Mon, 09 Jun 2003 at 09:35:49PM +0200, Stefan Neufeind wrote:
> > > But you mean starting with #! ?? How could I use the normal way of setting a cgi-handler for calling .php-files? Know what I mean? Using Misc Binary-support (and therefore patching the kernel) seems no solution to me. Isn't there some way to make it work using Apache-features?
> >
> > MISC Binary is not patching the kernel. MISC Binary comes as an option with the stock kernel. You might have to compile your own kernel (I don't know, I haven't used a stock Debian kernel in a VERY long time...)
>
> The binfmt_misc kernel module is included in the stock Debian kernels, AFAIK. There is a nice package, binfmt-support (ala update-alternatives) that allows one to easily configure binfmt_misc:
>
> Package: binfmt-support
> Support for extra binary formats
>
> The binfmt_misc kernel module, contained in versions 2.1.43 and later of the Linux kernel, allows system administrators to register interpreters for various binary formats based on a magic number or their file extension, and cause the appropriate interpreter to be invoked whenever a matching file is executed. Think of it as a more flexible version of the #! executable interpreter mechanism.
>
> This package provides an 'update-binfmts' script with which package maintainers can register interpreters to be used with this module without having to worry about writing their own init.d scripts, and which sysadmins can use for a slightly higher-level interface to this module.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Default Apache install not fit for multiple domains/users
On Tue, 2003-06-10 at 08:24, Stefan Neufeind wrote:

> Thank you for the information. Am I right that php-scripts then would need an execute-bit set? Currently they don't have ...

Unfortunately, yes. Otherwise you'll get a 500 Internal Server Error or the like.

- Jon

--
Administrator, tgpsolutions
http://www.tgpsolutions.com
Re: Default Apache install not fit for multiple domains/users
On Tue, 10 Jun 2003 at 05:24:59PM +0200, Stefan Neufeind wrote:

> Thank you for the information. Am I right that php-scripts then would need an execute-bit set? Currently they don't have ...

They will be treated like a normal binary file, so yes (that is, if you want your scripts to work). If, on the other hand, you don't want your sk|pt5 to work then you don't need to set the execute bit G.

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #67: Typo in the code
Re: Default Apache install not fit for multiple domains/users
But afaik you run into real problems when you try to use suexec with php, don't you? Or has anybody managed to get this running correctly? (for Apache 1.3.x !!!).

On 6 Jun 2003 at 17:06, Wade Richards wrote:

> On 06 Jun 2003 16:15:37 PDT, Jon writes:
> > I believe Apache would still be executing php/cgi scripts as www-data, so users could snoop on other users' scripts, session files, etc. Something like:
> >
> >     <?php echo `ls ../neighbor/public_html`; ?>
>
> I suggest you look up the suEXEC Apache module, it seems to do exactly what you want.
Re: Default Apache install not fit for multiple domains/users
On Mon, 09 Jun 2003 at 05:02:41PM +0200, Stefan Neufeind wrote:

> does it work without problems with php? if you use as cgi-variant? Think I tried this some time ago and ran into some problems. Does it work for your setup? How?

Here is the caveat: the O/S does not recognize extensions. To solve this problem:

1. Include a SHEBANG line on line 1 of your script (#!/bin/interpreter).

OR

2. Compile your kernel for MISC Binary support and tell the O/S that all applications ending in .php should be interpreted by a given interpreter.

2 is likely the cleanest implementation if you have existing scripts. Let me know if you have problems with the misc binary.

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #165: Quantum dynamics are affecting the transistors
Re: Default Apache install not fit for multiple domains/users
On Mon, 09 Jun 2003 at 04:59:10PM +0200, Stefan Neufeind wrote:

> But afaik you run into real problems when you try to use suexec with php, don't you? Or has anybody managed to get this running correctly? (for Apache 1.3.x !!!).

You use suexec, php*-cgi, and MISC Binary support (Kernel) to associate .php files to /usr/bin/php*-cgi. See my other post today on this topic for more details.

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #85: IRQ dropout
Re: Default Apache install not fit for multiple domains/users
On Mon, 2003-06-09 at 07:59, Stefan Neufeind wrote:

> But afaik you run into real problems when you try to use suexec with php, don't you? Or has anybody managed to get this running correctly? (for Apache 1.3.x !!!).

There *are* issues with running suExec + php. First, php must be run as a cgi - you can't use mod_php. This introduces performance issues, since mod_php is much faster than executing a standalone php interpreter for each page requested.

Next, you have to decide whether you want to have the interpreter executable inside or outside the web root. Outside is safer - but then your scripts have to have #!/path/to/php at the top - although there are ways around that too.

Google has some success stories where people managed to get it to work.

- Jon

> On 6 Jun 2003 at 17:06, Wade Richards wrote:
> > On 06 Jun 2003 16:15:37 PDT, Jon writes:
> > > I believe Apache would still be executing php/cgi scripts as www-data, so users could snoop on other users' scripts, session files, etc. Something like:
> > >
> > >     <?php echo `ls ../neighbor/public_html`; ?>
> >
> > I suggest you look up the suEXEC Apache module, it seems to do exactly what you want.

--
Administrator, tgpsolutions
http://www.tgpsolutions.com
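The two constraints raised in this thread (a PHP script run as CGI needs its execute bit, and under suEXEC it runs as its owner so other local users need no access to it) can be checked across a document root before a site is switched over. The following is an added example, not code from any poster or from Apache: the checks are a simplified model of suEXEC's documented file checks, and the function names, finding codes and sample tree are hypothetical and constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def audit_cgi_script(path, expected_uid):
    """Return finding codes for one script; an empty list means it passes."""
    st = os.lstat(path)  # lstat: a symlink is reported, not followed
    if not stat.S_ISREG(st.st_mode):
        return ["not-regular-file"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if not mode & stat.S_IXUSR:
        # Run as a CGI program: without this bit the request ends in a 500.
        findings.append("no-exec")
    if st.st_uid != expected_uid:
        # suEXEC refuses programs not owned by the user it switches to.
        findings.append("owner-mismatch")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable-by-others")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setid")
    if mode & stat.S_IROTH:
        # Assumption: the script runs as its owner, so "other" read access
        # only lets neighbouring users read its source.
        findings.append("world-readable")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if stat.S_IMODE(parent.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("dir-writable")
    return findings


def audit_tree(root, expected_uid, suffix=".php"):
    """Audit every file ending in `suffix` under root; keys are relative paths."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(suffix):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                report[rel] = audit_cgi_script(full, expected_uid)
    return report


def _write_script(path, mode):
    with open(path, "w") as fh:
        fh.write("#!/path/to/php\n")  # placeholder shebang, as in the thread
    os.chmod(path, mode)


def build_demo_tree():
    """Create a constructed sample docroot owned by the current user."""
    root = tempfile.mkdtemp(prefix="suexec-audit-")  # mkdtemp uses mode 0700
    _write_script(os.path.join(root, "good.php"), 0o700)
    _write_script(os.path.join(root, "noexec.php"), 0o600)
    _write_script(os.path.join(root, "shared.php"), 0o777)
    _write_script(os.path.join(root, "notes.txt"), 0o644)  # skipped: not .php
    open_dir = os.path.join(root, "open")
    os.mkdir(open_dir)
    _write_script(os.path.join(open_dir, "ok.php"), 0o700)
    os.chmod(open_dir, 0o777)  # anyone could replace ok.php
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        for rel, codes in sorted(audit_tree(demo_root, os.getuid()).items()):
            print(f"{rel}: {', '.join(codes) if codes else 'ok'}")
    finally:
        shutil.rmtree(demo_root)
```

On a real host, `expected_uid` would be the uid configured for the virtual host whose document root is being audited.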
Re: Default Apache install not fit for multiple domains/users
Stefan Neufeind writes:

> But afaik you run into real problems when you try to use suexec with php, don't you? Or has anybody managed to get this running correctly? (for Apache 1.3.x !!!).

You do if you use php scripts that are parsed by the server itself. You can use php cgi scripts with suexec without any problems.

> On 6 Jun 2003 at 17:06, Wade Richards wrote:
> > On 06 Jun 2003 16:15:37 PDT, Jon writes:
> > > I believe Apache would still be executing php/cgi scripts as www-data, so users could snoop on other users' scripts, session files, etc. Something like:
> > >
> > >     <?php echo `ls ../neighbor/public_html`; ?>
> >
> > I suggest you look up the suEXEC Apache module, it seems to do exactly what you want.

--
Ted Cabeen
Systems/Network Administrator
Impulse Internet Services
Re: Default Apache install not fit for multiple domains/users
But you mean starting with #! ?? How could I use the normal way of setting a cgi-handler for calling .php-files? Know what I mean? Using Misc Binary-support (and therefore patching the kernel) seems no solution to me. Isn't there some way to make it work using Apache-features?

On 9 Jun 2003 at 11:02, Ted Cabeen wrote:

> Stefan Neufeind writes:
> > But afaik you run into real problems when you try to use suexec with php, don't you? Or has anybody managed to get this running correctly? (for Apache 1.3.x !!!).
>
> You do if you use php scripts that are parsed by the server itself. You can use php cgi scripts with suexec without any problems.
>
> > On 6 Jun 2003 at 17:06, Wade Richards wrote:
> > > On 06 Jun 2003 16:15:37 PDT, Jon writes:
> > > > I believe Apache would still be executing php/cgi scripts as www-data, so users could snoop on other users' scripts, session files, etc. Something like:
> > > >
> > > >     <?php echo `ls ../neighbor/public_html`; ?>
> > >
> > > I suggest you look up the suEXEC Apache module, it seems to do exactly what you want.
Re: Default Apache install not fit for multiple domains/users
On Mon, 09 Jun 2003 at 09:35:49PM +0200, Stefan Neufeind wrote:

> But you mean starting with #! ?? How could I use the normal way of setting a cgi-handler for calling .php-files? Know what I mean? Using Misc Binary-support (and therefore patching the kernel) seems no solution to me. Isn't there some way to make it work using Apache-features?

MISC Binary is not patching the kernel. MISC Binary comes as an option with the stock kernel. You might have to compile your own kernel (I don't know, I haven't used a stock Debian kernel in a VERY long time...)

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #111: Because of network lag due to too many people playing deathmatch
Re: Default Apache install not fit for multiple domains/users
On Mon, 2003-06-09 at 17:28, Phillip Hofmeister wrote:

> On Mon, 09 Jun 2003 at 09:35:49PM +0200, Stefan Neufeind wrote:
> > But you mean starting with #! ?? How could I use the normal way of setting a cgi-handler for calling .php-files? Know what I mean? Using Misc Binary-support (and therefore patching the kernel) seems no solution to me. Isn't there some way to make it work using Apache-features?
>
> MISC Binary is not patching the kernel. MISC Binary comes as an option with the stock kernel. You might have to compile your own kernel (I don't know, I haven't used a stock Debian kernel in a VERY long time...)

The binfmt_misc kernel module is included in the stock Debian kernels, AFAIK. There is a nice package, binfmt-support (ala update-alternatives) that allows one to easily configure binfmt_misc:

Package: binfmt-support
Support for extra binary formats

The binfmt_misc kernel module, contained in versions 2.1.43 and later of the Linux kernel, allows system administrators to register interpreters for various binary formats based on a magic number or their file extension, and cause the appropriate interpreter to be invoked whenever a matching file is executed. Think of it as a more flexible version of the #! executable interpreter mechanism.

This package provides an 'update-binfmts' script with which package maintainers can register interpreters to be used with this module without having to worry about writing their own init.d scripts, and which sysadmins can use for a slightly higher-level interface to this module.

- Jon

--
Administrator, tgpsolutions
http://www.tgpsolutions.com
Re: Default Apache install not fit for multiple domains/users
On Fri, 06 Jun 2003 at 05:06:20PM -0700, Wade Richards wrote:

> I suggest you look up the suEXEC Apache module, it seems to do exactly what you want.

suEXEC and php(3|4)-cgi...

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #177: I'm not sure. Try calling the Internet's head office -- it's in the book.
Re: Default Apache install not fit for multiple domains/users
> I want to enable some friends of mine to host their web pages on my woody server. It has Apache LAMP running in great shape and it suits my Web page just fine. The Problem that I have now is, that the apache user is www-data. Well, I guessed I could just change the user permissions on the /var/www/path.to.site directories to the respective user names, but that doesn't do the trick, because then, all write permissions for cgi scripts for these directories are gone, as they no longer belong to www-data.

maybe you can try what i've used , which basically is :

#1 - mod_diffprivs
http://sourceforge.net/projects/moddiffprivs/

this apache module enables apache to switch uid/gid when serving virtual hosts . each virtual host is effectively served as the owner . take for example this vhost snippet :

    <VirtualHost *>
    DocumentRoot -(removed)-
    ServerName gum.doubleukay.com
    Privs hata hata
    PrivsGroups On
    </VirtualHost>

when a request is sent for gum.doubleukay.com , its php/cgi scripts will create/read files and execute commands as user hata and group hata .

#2 - ERUP (enhanced regular user privileges)
http://www.wijata.com/erup

and this one lets me grant the apache user (www-data) privilege to perform uid/gid switching , so that i don't have to run apache as root .

there's a few performance-related issues with the above setup though . HTTP keepalives and pipelining have to be disabled because once an apache child switches uid , it can't switch back to www-data and serve subsequent requests . the clients would notice a definite 'lag' in page loading as a new connection would have to be open to the http server for each element . the server would also undergo load problems as new children would have to be forked for each http request . however , there is a way to reduce this problem :)

regards,
wK (www.doubleukay.com)
Re: Default Apache install not fit for multiple domains/users
Woon Wai Keen @ doubleukay.com wrote:

> maybe you can try what i've used , which basically is :
> #1 - mod_diffprivs

Wow, this is really exciting! Thank you very much! I immediately downloaded and compiled it. Now my httpd.conf looks like this:

    <VirtualHost x.x.x.x>
    ServerAdmin [EMAIL PROTECTED]
    ServerName domain.de
    ErrorLog /var/www/domain.de/log/domain_de-error.log
    CustomLog /var/www/domain.de/log/domain_de-access.log full
    Privs tag users /var/www/domain.de
    DocumentRoot /html
    ScriptAlias /cgi-bin/ /html/cgi-bin/
    PrivsGroups On
    </VirtualHost>

The problem I have now, with this setup, is that I obviously can't run apache as a user. Something is enforcing it to run above a guid limit of 1000. This is the message I get when I do a /etc/init.d/apache restart:

    Syntax error on line 1025 of /etc/apache/httpd.conf:
    Miminal allowed gid is 1000, but used 100 for users
    failed

What can I do about this?

Yours Truly,
Toni
Re: Default Apache install not fit for multiple domains/users
Woon Wai Keen @ doubleukay.com wrote:

> #2 - ERUP (enhanced regular user privileges)
> http://www.wijata.com/erup
>
> and this one lets me grant the apache user (www-data) privilege to perform uid/gid switching , so that i don't have to run apache as root .

Ah, now I understand. First I thought this was meant as an alternative to diffprivs, but it seems to be essential to use it with it. I will try this too. Please ignore my previous post.

Yours Truly,
Toni
Default Apache install not fit for multiple domains/users
Okay, I already posted this message to debian-users, but please don't flame me - I just figured that maybe debian-security is the better place to post a request for help like this. Clearly enough this is a security concern, after all. So maybe you could be so kind and help me out on this one:

I want to enable some friends of mine to host their web pages on my woody server. It has Apache LAMP running in great shape and it suits my Web page just fine. The Problem that I have now is, that the apache user is www-data. Well, I guessed I could just change the user permissions on the /var/www/path.to.site directories to the respective user names, but that doesn't do the trick, because then, all write permissions for cgi scripts for these directories are gone, as they no longer belong to www-data.

Nevertheless I just want my friends to stop go poking around in foreign web sites, and at the same time have access to perl/php scripting. Where do I go from here? I am not a particularly guru-like administrator, so I am a bit afraid of using setuid. After all I do not even know, if that would do the trick.

All help is really, really appreciated very much.

P.S.: I googled quite thoroughly, but couldn't get anywhere near my problem. Maybe I just used the wrong words, because I can't believe I am the only one with this problem

Yours Truly,
Toni
Re: Default Apache install not fit for multiple domains/users
Is there some reason why you can't give each user an account and have them put their files in ~/public_html? That would have their page show up at domain.net/~username/. Sorry if you already knew this and I'm misunderstanding the problem.

On Sat, 07 Jun 2003 00:03:59 +0200 Juan Antonio Agudo wrote:

> Okay, I already posted this message to debian-users, but please don't flame me - I just figured that maybe debian-security is the better place to post a request for help like this. Clearly enough this is a security concern, after all. So maybe you could be so kind and help me out on this one:
>
> I want to enable some friends of mine to host their web pages on my woody server. It has Apache LAMP running in great shape and it suits my Web page just fine. The Problem that I have now is, that the apache user is www-data. Well, I guessed I could just change the user permissions on the /var/www/path.to.site directories to the respective user names, but that doesn't do the trick, because then, all write permissions for cgi scripts for these directories are gone, as they no longer belong to www-data.
>
> Nevertheless I just want my friends to stop go poking around in foreign web sites, and at the same time have access to perl/php scripting. Where do I go from here? I am not a particularly guru-like administrator, so I am a bit afraid of using setuid. After all I do not even know, if that would do the trick.
>
> All help is really, really appreciated very much.
>
> P.S.: I googled quite thoroughly, but couldn't get anywhere near my problem. Maybe I just used the wrong words, because I can't believe I am the only one with this problem
>
> Yours Truly,
> Toni

--
Tim Cunningham
I'm not claiming to be deep, I'm claiming to do it for fun. - Linus Torvalds
Re: Default Apache install not fit for multiple domains/users
Hi,

On Sat, 07 Jun 2003 00:03:59 +0200, Juan Antonio Agudo writes:

> I want to enable some friends of mine to host their web pages on my woody server. It has Apache LAMP running in great shape and it suits my Web page just fine. The Problem that I have now is, that the apache user is www-data. Well, I guessed I could just change the user permissions on the /var/www/path.to.site directories to the respective user names, but that doesn't do the trick, because then, all write permissions for cgi scripts for these directories are gone, as they no longer belong to www-data.

There's no need to let the users have access to anything under /var/www.

Personally, I would let each user use the personal directory feature of Apache. I don't recall the exact directives to enable it (but it's enabled by default, so if you didn't turn it off, it's there).

If a client accesses "http://your.domain.com/~foobar/index.html", then Apache will get the file from /home/foobar/public_html/index.html (i.e. everything under the ~foobar URL comes from the public_html subdirectory of the foobar user's home directory).

Each user can create a .htaccess file in their public_html directory to override the global settings.

Each user can have their own public_access/cgi-bin directory (you may need to enable scripting from this directory either in your global httpd.conf or from that user's .htaccess file).

Finally, if you don't want the ugly ~foobar in the names, you should be able to use an alias in the global httpd.conf to get rid of it.

--- Wade
Re: Default Apache install not fit for multiple domains/users
On 06 Jun 2003 16:15:37 PDT, Jon writes:
> I believe Apache would still be executing php/cgi scripts as www-data, so users could snoop on other users' scripts, session files, etc. Something like:
>
>     <?php echo `ls ../neighbor/public_html`; ?>

I suggest you look up the suEXEC Apache module, it seems to do exactly what you want.

--- Wade
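The idea behind the suEXEC suggestion above, as an added example that is not part of any message in this thread and is not Apache's code: a CGI runs under its owner's uid only if ownership and permission checks pass. This sketch covers a subset of the checks described in Apache's suEXEC documentation; `Meta`, `meta_of`, `refusals`, the uids and `min_uid=100` are assumptions made for the illustration.

```python
import os
import stat
from collections import namedtuple

# Only the fields these checks need (st_mode, st_uid, st_gid).
Meta = namedtuple("Meta", "mode uid gid")

def meta_of(path):
    """Read Meta for a real path without following symlinks."""
    st = os.lstat(path)
    return Meta(st.st_mode, st.st_uid, st.st_gid)

def refusals(script, directory, uid, gid, min_uid=100):
    """Reasons not to run `script` as uid:gid; an empty list means run it."""
    why = []
    if uid == 0 or gid == 0:
        why.append("target is root")
    if uid < min_uid:  # assumed floor for ordinary accounts
        why.append("target uid below minimum")
    if not stat.S_ISREG(script.mode):
        why.append("script is not a regular file")
    if script.mode & (stat.S_ISUID | stat.S_ISGID):
        why.append("script is setuid/setgid")
    if script.mode & (stat.S_IWGRP | stat.S_IWOTH):
        why.append("script writable by group/other")
    if directory.mode & (stat.S_IWGRP | stat.S_IWOTH):
        why.append("directory writable by group/other")
    if (script.uid, script.gid) != (uid, gid):
        why.append("script not owned by target user")
    if (directory.uid, directory.gid) != (uid, gid):
        why.append("directory not owned by target user")
    return why

# Constructed sample: alice (uid/gid 1001) owns her cgi-bin and hello.cgi.
ALICE, BOB = 1001, 1002
CGI_DIR = Meta(stat.S_IFDIR | 0o755, ALICE, ALICE)
HELLO = Meta(stat.S_IFREG | 0o755, ALICE, ALICE)

if __name__ == "__main__":
    print(refusals(HELLO, CGI_DIR, ALICE, ALICE))  # alice's script as alice
    print(refusals(HELLO, CGI_DIR, BOB, BOB))      # alice's script as bob
    loose = HELLO._replace(mode=stat.S_IFREG | 0o777)
    print(refusals(loose, CGI_DIR, ALICE, ALICE))  # world-writable script
```

On a real host, `refusals(meta_of(script), meta_of(os.path.dirname(script)), uid, gid)` applies the same checks to files on disk.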
Default Apache install not fit for multiple domains/users
Okay, I already posted this message to debian-users, but please don't flame me - I just figured that maybe debian-security is the better place to post a request for help like this. Clearly enough this is a security concern, after all. So maybe you could be so kind and help me out on this one:

I want to enable some friends of mine to host their web pages on my woody server. It has Apache LAMP running in great shape and it suits my Web page just fine. The problem that I have now is that the apache user is www-data. Well, I guessed I could just change the user permissions on the /var/www/path.to.site directories to the respective user names, but that doesn't do the trick, because then all write permissions for cgi scripts for these directories are gone, as they no longer belong to www-data. Nevertheless I just want my friends to stop go poking around in foreign web sites, and at the same time have access to perl/php scripting. Where do I go from here?

I am not a particularly guru-like administrator, so I am a bit afraid of using setuid. After all I do not even know if that would do the trick. All help is really, really appreciated very much.

P.S.: I googled quite thoroughly, but couldn't get anywhere near my problem. Maybe I just used the wrong words, because I can't believe I am the only one with this problem.

Yours Truly, Toni
Re: Default Apache install not fit for multiple domains/users
On Fri, 2003-06-06 at 15:42, Tim Cunningham wrote:
> Is there some reason why you can't give each user an account and have them put their files in ~/public_html? That would have their page show up at domain.net/~username/. Sorry if you already knew this and I'm misunderstanding the problem.

I believe Apache would still be executing php/cgi scripts as www-data, so users could snoop on other users' scripts, session files, etc. Something like:

    <?php echo `ls ../neighbor/public_html`; ?>

- Jon

--
[EMAIL PROTECTED]
Administrator, tgpsolutions
http://www.tgpsolutions.com