Re: [us...@httpd] suexec + file upload == permission denied for non php/cgi scripts

2010-11-23 Thread Igor Galić
> I know it sounds crazy, but have you considered doing a chmod to the > apache user? And to have a umask of 027? s/chmod/chgrp/,s/user/group/ > That would give you a permission model of: > > -rw-r- 1 photos apache 101984 2010-11-23 13:14 4.jpg -- Igor Galić Tel: +43 (0) 664 886 22 88

Re: [us...@httpd] suexec + file upload == permission denied for non php/cgi scripts

2010-11-23 Thread Igor Galić
- "Lowlight" wrote: > Ok, so I have suexec working on my server and it's successfully > serving > pages as user's. The problem is that whenever a user uploads a file > via > a php or cgi script, the file gets 700 permissions (WHICH IS WHAT I > WANT), but when the webserver goes to serve

[us...@httpd] suexec + file upload == permission denied for non php/cgi scripts

2010-11-23 Thread Lowlight
Ok, so I have suexec working on my server and it's successfully serving pages as user's. The problem is that whenever a user uploads a file via a php or cgi script, the file gets 700 permissions (WHICH IS WHAT I WANT), but when the webserver goes to serve that file, it does NOT change to the s

[us...@httpd] suexec on CentOS - DOC_ROOT & suexec -V issue

2010-09-03 Thread Timothy Omer
Apache/2.2.3 CentOS release 5.4 (Final) Hello, I am in the process of setting up Backuppc but hit an issue that I believe is caused by suexec. Full details here if you're interested: http://www.linuxquestions.org/questions/linux-server-73/suexec-backuppc-fun-829713/ My questions about suexec... >

Re: [us...@httpd] suexec for another user

2010-08-12 Thread David Ricar
Phil Howard wrote: On Thu, Aug 12, 2010 at 13:02, David Ricar wrote: [...] Sorry, I'm still not understanding what you are doing. I didn't understand why you need two users per each site. J. Greenlees wrote: I believe the standard method of doing this to completely lock the server from allo

Re: [us...@httpd] suexec for another user

2010-08-12 Thread J. Greenlees
David Ricar wrote: Hello, ~snip~ So my concept is based on two basic users for every website - one for ftp and another for suexec run. Homedir of both is one level above any website data and it is owned by root, ftp is chrooted there. If suexec would be able to just check if code is in users

Re: [us...@httpd] suexec for another user

2010-08-12 Thread Phil Howard
On Thu, Aug 12, 2010 at 13:02, David Ricar wrote: [...] Sorry, I'm still not understanding what you are doing. I didn't understand why you need two users per each site. -- sHiFt HaPpEnS! - The official User-To-User support f

Re: [us...@httpd] suexec for another user

2010-08-12 Thread David Ricar
Phil Howard wrote: I don't understand what it is you are doing, so I cannot comment on whether it is common or not, or even secure. A test to detect if others can write a file that would be executed is a critical test on a multi-user machine. Similarly, testing if all parent directories can be

Re: [us...@httpd] suexec for another user

2010-08-12 Thread Phil Howard
On Thu, Aug 12, 2010 at 09:49, David Ricar wrote: > I need just one thing: replace others writable tests by is_in_homedir > test - suexec does not solve, who could rewrite the code, but where the > code is located. My patch is rather naive and dirty proof of concept > right now, I will polish it

Re: [us...@httpd] suexec for another user

2010-08-12 Thread David Ricar
Phil Howard wrote: By suexec wrapper, I mean a program you write which will be placed where Apache expects to find suexec. The real suexec will be moved to somewhere else (maybe "real-suexec" in the same directory). Your program will know where it is (and probably hard code that). Your program

Re: [us...@httpd] suexec for another user

2010-08-12 Thread Phil Howard
On Wed, Aug 11, 2010 at 18:24, David Ricar wrote: > Phil Howard wrote: >> >> For maintenance, it might be easier for you to make an suexec wrapper. >>  Run your wrapper to do custom checks and if it decides to go on, it >> runs suexec.  That way your maintenance is for your program, only, and >> y

Re: [us...@httpd] suexec for another user

2010-08-11 Thread David Ricar
Phil Howard wrote: For maintenance, it might be easier for you to make an suexec wrapper. Run your wrapper to do custom checks and if it decides to go on, it runs suexec. That way your maintenance is for your program, only, and you have to track a lot fewer changes to Apache code (basically jus

Re: [us...@httpd] suexec for another user

2010-08-11 Thread David Ricar
Jefferson Ogata wrote: On 2010-08-11 13:23, David Ricar wrote: Am I missing an obvious solution that is possible without the patch or is my view too paranoid? Mount all your content read-only. Sadly most of the sites require some places to upload images and so on, so this is not applicable

Re: [us...@httpd] suexec for another user

2010-08-11 Thread Phil Howard
On Wed, Aug 11, 2010 at 09:23, David Ricar wrote: > Hello, I don't think I see anything you are trying to accomplish different than an ordinary multiuser server. You should be able to configure where CGI can be run from to a narrow space. I assume FTP is for the site owner to upload, including

Re: [us...@httpd] suexec for another user

2010-08-11 Thread Jefferson Ogata
On 2010-08-11 13:23, David Ricar wrote: > Am I missing an obvious solution that is possible without the patch or > is my view too paranoid? Mount all your content read-only.

[us...@httpd] suexec for another user

2010-08-11 Thread David Ricar
Hello, for quite some time I am digging into webserver security and sadly, I found basically two bad choices for multisite multiuser server. I found some discussions about the subject, but it seems that I am still missing something. 1) Standard way of usage with different ftp users and a singl

[us...@httpd] suEXEC documentation

2010-04-13 Thread Stian Brattland
Dear all, I have just started to experiment with suEXEC and Apache. I've successfully configured a web server with the suEXEC feature, and everything seems to work fine. However, there are a couple of things in the documentation which I am a little uncertain about. I am therefore hoping that

Re: [us...@httpd] SuExec

2010-02-04 Thread Nilesh Govindarajan
Please ignore my previous message. I was going nuts due to this and I think I didn't see the "FOO" in elinks. It's working properly now. -- Nilesh Govindarajan Site & Server Administrator www.itech7.com

Re: [us...@httpd] SuExec

2010-02-04 Thread Nilesh Govindarajan
On 02/03/2010 09:55 PM, dinar qorbanof wrote: I think you can do what you want. create several wrapper "php-cgi" scripts each in its own directory and for all of them it and that directory of it should be with both user and group = user of it (and wrapper script should be executable). drupal php

Re: [us...@httpd] SuExec

2010-02-03 Thread Jonathan Zuckerman
On Wed, Feb 3, 2010 at 10:03 AM, Thomas Antony wrote: > > > >> Now I have a common drupal codebase located at /srv/htdocs/drupal >> >> I am using this kind of setup - http://drupal.org/node/124268 >> >> Only difference being all user directories are at /srv/htdocs as suexec >> docroot is /srv. >>

Re: [us...@httpd] SuExec

2010-02-03 Thread Thomas Antony
Now I have a common drupal codebase located at /srv/htdocs/drupal I am using this kind of setup - http://drupal.org/node/124268 Only difference being all user directories are at /srv/htdocs as suexec docroot is /srv. Now the problem is FastCGI. FastCGISuexec has been configured. at /srv/

Re: [us...@httpd] SuExec

2010-02-03 Thread dinar qorbanof
I think you can do what you want. create several wrapper "php-cgi" scripts each in its own directory and for all of them it and that directory of it should be with both user and group = user of it (and wrapper script should be executable). drupal php files can be owned by any user and group. -

Re: [us...@httpd] SuExec

2010-02-03 Thread Nilesh Govindarajan
Okay, I have now a different setup. After a lot of researching on Google, I concluded that it is not possible to do what I wanted. Now I have a common drupal codebase located at /srv/htdocs/drupal I am using this kind of setup - http://drupal.org/node/124268 Only difference being all user dire

Re: [us...@httpd] SuExec

2010-02-03 Thread Nilesh Govindarajan
On 02/03/2010 01:09 PM, Thomas Antony wrote: On 02/03/2010 12:11 PM, Gary Smith wrote: They should not be able to use the default site's /files directory but /sites//files Any ideas ? According to suExec docs, target file must be owned by the user and group specified in SuExecUserGroup direc

Re: [us...@httpd] SuExec

2010-02-02 Thread Thomas Antony
On 02/03/2010 12:11 PM, Gary Smith wrote: They should not be able to use the default site's /files directory but /sites//files Any ideas ? According to suExec docs, target file must be owned by the user and group specified in SuExecUserGroup directive. But this is not possible here. /srv/h

Re: [us...@httpd] SuExec

2010-02-02 Thread Nilesh Govindarajan
On 02/03/2010 12:11 PM, Gary Smith wrote: They should not be able to use the default site's /files directory but /sites//files Any ideas ? According to suExec docs, target file must be owned by the user and group specified in SuExecUserGroup directive. But this is not possible here. /srv/htdoc

RE: [us...@httpd] SuExec

2010-02-02 Thread Gary Smith
> They should not be able to use the default site's /files directory but > /sites//files > > Any ideas ? > > According to suExec docs, target file must be owned by the user and > group specified in SuExecUserGroup directive. But this is not possible here. > > /srv/htdocs/main (drupal codebase) i

[us...@httpd] SuExec

2010-02-02 Thread Nilesh Govindarajan
I am using drupal to configure a multi-site environment. The thing is the codebase is same (that's why I am using drupal) but different sites have to be configured on it. I want to run different sites on different users because the users should not exceed their file size quota. Drupal codebas

Re: [us...@httpd] suexec binary installs in wrong path

2009-10-31 Thread Ro Achterberg
At 12:40 31-10-2009, Ro Achterberg wrote: Hi, I'm in the midst of building my chrooted Apache 2.2.14 + suexec + mod_fastcgi + PHP installation, but the httpd --with-suexec-bin configure directive doesn't seem to be working properly. Instead of installing to /chroot/apache2/usr/sbin/suexec, wh

[us...@httpd] suexec binary installs in wrong path

2009-10-31 Thread Ro Achterberg
Hi, I'm in the midst of building my chrooted Apache 2.2.14 + suexec + mod_fastcgi + PHP installation, but the httpd --with-suexec-bin configure directive doesn't seem to be working properly. Instead of installing to /chroot/apache2/usr/sbin/suexec, where I want it to live, it in fact installs

[us...@httpd] suexec not activating

2009-04-15 Thread Ann Cantelow
Greetings all. I'm trying to enable suexec with a new apache2 installation. When I compile and install, I don't get an enabled message with httpd -l: Output of httpd -l -- Compiled in modules: core.c mod_authn_file.c mod_authn_default.c mod_authz_host.c mod_authz_gr

Re: [us...@httpd] suexec doesn't see TMPDIR variable

2009-02-13 Thread Matus UHLAR - fantomas
Hello, On 07.08.08 15:04, Matus UHLAR - fantomas wrote: > I configured my vhost to have TMPDIR variable set to particular directory. > PHP scripts see this variable w/o problem, but not CGIs. > > I'm running suexec, and have patched it (yes, I know the risks) to pass this > variable, but even whe