This certainly sounds like a situation for SUEXEC.

However, if you need the apache server to assign files to arbitrary
user:group then there are two ways that I know of:

   1. You could create a SUDO entry which allows apache to use the
   chown/chgrp command AS root
   2. You could create a program to issue the chown/chgrp commands and use
   the SETUID bit so that it executes as root.

In the first case, the SUDO entry should be restricted to your apache ID.
In the second case, the process is controlled by a program that you
control, so you can add any security that you wish. I'd start by having the
program verify that it is, indeed, running under the apache userid,
whatever that is in your case.

On 4 March 2012 21:57, Mark Montague <m...@catseye.org> wrote:

> On March 4, 2012 12:33 , Wolfgang Laun <wolfgang.l...@gmail.com> wrote:
>
>> A CGI script creates a file; it should also change its "natural" owner
>> and group (daemon.daemon) to the one of the (authenticated) requesting
>> user. Several users should be able to do that. Having read the Apache 2.4
>> documentation on Suexec I have the impression that this isn't possible at
>> all. Is this correct or did I miss something?
>>
>
> Only root can change the owner of a file.  So if a CGI needs to change the
> owner of a file that it creates, the CGI would have to be run as root (very
> dangerous, do not do this) or it would have to use a set-uid helper script
> to change the owner.  Suexec cannot change the owner of a file created by a
> CGI, because it will not know what files the CGI creates.
>
> I think what you want is to run the CGI as the user who is authenticated.
>  Then any files created by the CGI will be owned by the user who is
> authenticated.  Does this sound right?
>
> For more information, see
> https://wiki.apache.org/httpd/PrivilegeSeparation
>
> --
>  Mark Montague
>  m...@catseye.org


-- 
Steve Swift
http://www.swiftys.org.uk
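
A sketch of the set-uid helper discussed in this thread, added here as an example and not code posted by anyone in it: it checks that the real caller is the web server account, then hands a single file over through a file descriptor so that symlinks and path tricks cannot redirect the chown. `WEB_USER` is taken from the `daemon.daemon` ownership mentioned in the question; `SPOOL_DIR`, `MIN_UID` and all function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <pwd.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define WEB_USER  "daemon"              /* assumption: account the CGI runs as */
#define SPOOL_DIR "/var/spool/cgi-out"  /* assumption: the only directory handled */
#define MIN_UID   1000                  /* assumption: lowest ordinary user id */

/* Accept a bare file name only: no slash, no "." or "..", not empty. */
int name_is_plain(const char *name) {
    if (!name || !*name || strlen(name) > 255) return 0;
    if (strchr(name, '/')) return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Policy: caller must be the web server; target must be an ordinary user. */
int request_allowed(uid_t caller, uid_t web_uid, uid_t target) {
    return caller == web_uid && target >= MIN_UID;
}

/* Give SPOOL_DIR/<name> to <user>. Returns 0 on success, -1 on any refusal. */
int give_file(const char *name, const char *user) {
    struct passwd *pw;
    struct stat st;
    uid_t web_uid, tuid;
    gid_t tgid;
    int dfd, fd, rc = -1;

    if (!name_is_plain(name) || !user) return -1;
    if (!(pw = getpwnam(WEB_USER))) return -1;
    web_uid = pw->pw_uid;               /* copy: getpwnam reuses its buffer */
    if (!(pw = getpwnam(user))) return -1;
    tuid = pw->pw_uid; tgid = pw->pw_gid;
    if (!request_allowed(getuid(), web_uid, tuid)) return -1; /* real uid */
    if ((dfd = open(SPOOL_DIR, O_RDONLY | O_DIRECTORY | O_NOFOLLOW)) < 0) return -1;
    fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    /* Only a regular, singly linked file still owned by the web user qualifies. */
    if (fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
        st.st_nlink == 1 && st.st_uid == web_uid)
        rc = fchown(fd, tuid, tgid);    /* acts on the descriptor, not the path */
    if (fd >= 0) close(fd);
    close(dfd);
    return rc;
}

int main(int argc, char **argv) { return argc == 3 && give_file(argv[1], argv[2]) == 0 ? 0 : 1; }
```

The helper trusts the CGI to name the authenticated user, so the binary should be executable only by the web server account.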
