Suexec with Apache 1.3.29
Marty Landman
MLandman at face2interface.com
Thu Apr 29 07:22:36 PDT 2004
At 10:06 AM 4/29/2004, Mikkel Christensen wrote:
>I have figured it out now. I would call it quite a weird rule!
>
>You are not allowed to run suexec in any combination of users you like.
That's right, I remember that much from the tutorials I'd read about it.
>So, apparently you are only allowed to run suexec as a different user and
>group as long as neither of them is the apache user.
And so long as the permissions are less than that of root iirc.
>Otherwise you can do as you like.
IOW suexec should run only as a 'typical' user, which I believe is the
point. I think of it in terms of web customers who have high permissions
primarily for their own space, and limited to no permissions for the rest
of the server's name space.
>This seems extremely strange to me.
Why is it strange? The reason I kept trying to install suexec was because
until I did, the development environment I set up on my LAN could mirror
that on my real sites with the exception that all the files & directories
had to be given 777 or equivalent permissions. Otherwise with the user
running my cgi's being nobody aka www or httpd files couldn't be written
to, created, deleted etc. With the types of web apps I write this was
becoming not only a royal pain, also a constant reminder to me that my
local environment was as insecure as it could be; of course it's strictly
local so not a problem.
>But following these rules it works as it should.
With suexec running, a cgi gets set to 744 or 700 instead of 755; a data
file e.g. log or count file gets 644 or 600 instead of 666. It's amazing to
me that more vandalism and cross site scripting doesn't occur given the
servers that still don't run suexec, or the users that aren't hip to using
it properly for setting permissions when the server does support it.
Marty
Marty Landman Face 2 Interface Inc. 845-679-9387
Web Installed Formmailer: http://face2interface.com/Products/Formal.shtml
FormATable DB: http://face2interface.com/Products/FormATable.shtml
Make a Website: http://face2interface.com/Home/Demo.shtml
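
The following is an added example, not part of the original message: a Python sketch of the ownership and mode checks that Apache's suexec documentation lists, applied to the kinds of permissions discussed above. The function names, the sample uid/gid values and the minimum of 100 (suexec's documented default, set at build time) are assumptions for illustration.

```python
import os
import stat

# Assumed build-time minimums; suexec's documented default is 100 for both.
MIN_UID = 100
MIN_GID = 100


def suexec_findings(mode, owner_uid, owner_gid, target_uid, target_gid,
                    dir_mode=0o755, min_uid=MIN_UID, min_gid=MIN_GID):
    """Return reasons suexec's documented checks would refuse this CGI."""
    findings = []
    if target_uid == 0 or target_gid == 0:
        findings.append("target user or group is root")
    if target_uid < min_uid:
        findings.append("target uid below minimum")
    if target_gid < min_gid:
        findings.append("target gid below minimum")
    if (owner_uid, owner_gid) != (target_uid, target_gid):
        findings.append("file owner/group differs from target user/group")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("program writable by group or others")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("program is setuid or setgid")
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("directory writable by group or others")
    return findings


def audit_path(path, target_uid, target_gid):
    """Apply the checks to a real file and its containing directory."""
    st = os.stat(path)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    return suexec_findings(st.st_mode, st.st_uid, st.st_gid,
                           target_uid, target_gid, dir_mode=parent.st_mode)


if __name__ == "__main__":
    # Constructed cases: uid/gid 1001 is a hypothetical web customer,
    # uid/gid 80 a hypothetical web server account.
    cases = {
        "0700 cgi, customer": (0o100700, 1001, 1001, 1001, 1001),
        "0777 cgi, customer": (0o100777, 1001, 1001, 1001, 1001),
        "0755 cgi, server account": (0o100755, 80, 80, 80, 80),
    }
    for label, args in cases.items():
        print(label, "->", suexec_findings(*args) or "ok")
```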