Hi everyone,

I am in the process of setting up a webserver for students
of a school in the Netherlands. All of our students
have got an account in a Active Directory which is
reachable from Linux through PAM. One of our goals is to
let the students use PHP scripts without the safe mode
limitation. As this causes some security risks we are forced
to take extra precautions. One of these precautions is that
all published files are only readable by the owner of the file.

This precaution has as side-effect that the suexec module
is required to reach the files of all the user accounts.
As the suexec module alone can give a performance penalty
we also had in mind to enable fastcgi.

The current apache config is this (non-relevant pieces are cut) :

FastCgiWrapper On
AddType application/x-httpd-fastphp .php

UserDir public_html

<Directory /home/*/public_html>
    Action application/x-httpd-fastphp /cgi-bin/php-wrapper
</Directory>

<Directory /var/www/cgi-bin>
    Options +ExecCGI
    SetHandler fastcgi-script
</Directory>

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

--

The php-wrapper file is a script which tells fastcgi to launch php :

#!/bin/sh
export PHP_FCGI_CHILDREN=4
export PHP_FCGI_MAX_REQUESTS=5000
exec /usr/php_fcgi/bin/php

--

This wrapper script is owned by the user 'apache'.

With this config I'm able to execute php scripts from a userdir.
The only problem is that the wrong permissions are assumed by suexec.
With a small php script which returns the current uid I see that
the php script gets run as user 'apache' instead of the owner of
the php script. I guess this is because of the fact that suexec
only looks at the location of the wrapper script. 

So I came up with the idea to create a wrapper script for each
user account (with the owner of the script set to the relevant user)
and put it in each home directory. However, when I change the 
Action-line in the config shown above to something like
Action application/x-httpd-fastphp /*/cgi-bin/php-wrapper
then apache doesn't know how to replace the * with the
username belonging to the asked file.

Does anybody have a idea how I can get this construction working ?

Thanks in advance for your help,

Regards,

Erik van Pienbroek



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to