On Sun, 2 Nov 2003, David Christensen wrote: > [EMAIL PROTECTED] & [EMAIL PROTECTED]: > > I am running Apache 1.3.26 on Debian 3.0r1 (Woody). I would like to > enable user ~/public_html directories, but have two security goals which > I cannot solve simultaneously: > > 1. Apache should run as the user when reading user pages and running > user CGI scripts. > > 2. User home directories should not allow group or world access. >
Neither of these is possible because of the basic limitations of unix security. As you already figured out, you can accomplish part of 1, because suexec can launch cgi scripts as the user. The "reading user pages" part is impossible, however, and any directory serving web pages must be in some way accessible by the web server, so 2 isn't possible either. Why? Well, under unix, each program must run as a user. To make apache more secure, all request processing and serving is done under a non-root userid (see the User and Group directives). Obviously, a non-root userid can't simply switch to some other userid. Even if you were to run apache as root (not a good move!), this still wouldn't work. Each apache process serves many different requests. If the process were to switch to a non-root userid to serve a specific directory, then it couldn't serve requests for any other directory, because there is no way to get the root permissions back to switch to the new user. You could imagine a server that forked a new process to serve each request, which then exited. But you can also imagine that such a server would be dog-slow. Solutions? Well, there have been a couple different projects that use the new threading ability of apache 2 to allow different pools of threads to be kept around to serve requests under different userids. This wouldn't work for dozens or hundreds of different userids, of course. And none of these projects has anything production ready. See the "perchild" mpm, which doesn't work. You could do the same thing by running a number of different instances of apache on different ports with different privileges and using a reverse proxy to choose which one gets the requests. Again, this would be rather resource intensive and complicated. The punch-line: you can't do that. CGI scripts can be launched under different userids, but ordinary pages (including php scripts launched as part of the apache process) must use the apache userid. Hence you need to provide world or apache-group read and search access to all the files you want to serve. (That was probably way more than you wanted to know. I should put that into the FAQ so I don't have to repeat it!) Joshua. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]