Suexec with Apache 1.3.29
Marty Landman
MLandman at face2interface.com
Thu Apr 29 11:20:23 PDT 2004
At 01:13 PM 4/29/2004, Mikkel Christensen wrote:
>On Thursday 29 April 2004 14:22, Marty Landman wrote:
> >
> > Why is it strange? The reason I kept trying to install suexec was because
> > until I did, the development environment I set up on my LAN could mirror
> > that on my real sites with the exception that all the files & directories
> > had to be given 777 or equivalent permissions. Otherwise with the user
> > running my cgi's being nobody aka www or httpd files couldn't be written
> > to, created, deleted etc.
>
>Okay, I can see your point.
Thank you. This is still all very new to me, having just installed my fbsd
box in the fall. Nice to know I've learned a little bit since then.
>Now he has to give the webserver the same rights as everybody else on the
>server.
Real new to this as said, but the consistency of the approach seems to be
that Apache itself runs as user nobody. So your argument may have merit but
only if carried over to argue that httpd should run as something greater
than the lowly 'nobody'.
>This is a problem if he stores passwords in a php-script. Apache will
>interpret it and therefore not let anyone see the source while other users
>can read the content as they please.
>This seems to be more insecure, or am I wrong?
I wouldn't approach it that way. Step back a moment from the problem
Mikkel. Sounds to me like you want a web app that maintains a password file
- which btw I'd never consider embedding inside a webpage or storing
anywhere on a web accessible directory, right? That said, the constraint
that you point out is imposed by suexec is that the id owning that file
must also own all the applications that have any access to that file.
Unless you deem fit to make the file world readable, writable, or executable.
Looking at it that way one could argue this is the most secure way to
approach it. It's nice seeing someone else struggling with the same things
that have gotten me confused, and that I continue to be confused about. When I
finally got suexec working for my environment the last issues I had to work
through were also issues of permissions and ownership, not questions of
getting the server compiled properly. Guess that's what makes this such a
difficult thing to 'get'. (like email - at the risk of repeating myself).
On the side, this makes me wonder what the philosophy is on Windows servers
where the whole permissions concept is nonexistent afaik.
Marty
Marty Landman Face 2 Interface Inc. 845-679-9387
Web Installed Formmailer: http://face2interface.com/Products/Formal.shtml
FormATable DB: http://face2interface.com/Products/FormATable.shtml
Make a Website: http://face2interface.com/Home/Demo.shtml
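The ownership constraint Marty describes (the uid owning a file must also own the scripts that touch it, and the 777 shortcut defeats the point) is exactly what suexec enforces at run time, so it can be audited before a CGI ever fails. The script below is an added example, not from this thread or from the Apache project; it assumes find(1) supports -maxdepth (GNU and BSD both do) and takes the target user and group names as arguments.

```sh
#!/bin/sh
# Added example: audit a cgi-bin directory against the conditions Apache 1.3
# suexec checks before it will run a script as the target user. The directory
# and each script must be owned by the target uid/gid, must not be writable by
# group or others, and the script must not be setuid/setgid; otherwise suexec
# logs an error and refuses to run it.
# Usage: suexec_audit DIR USER GROUP
# Prints one line per violation; returns 1 if any were found, 0 if clean.
# Assumes find(1) with -maxdepth (GNU and BSD find both provide it).

suexec_audit() {
    dir=$1 user=$2 group=$3
    # Rule 1: the directory and everything directly in it belong to USER:GROUP
    owner=$(find "$dir" -maxdepth 1 \( ! -user "$user" -o ! -group "$group" \))
    # Rule 2: nothing is writable by group or others (no 777 shortcuts)
    mode=$(find "$dir" -maxdepth 1 \( -perm -g+w -o -perm -o+w \))
    # Rule 3: scripts must not carry the setuid or setgid bit
    suid=$(find "$dir" -maxdepth 1 -type f \( -perm -u+s -o -perm -g+s \))
    found=0
    for kind in owner mode suid; do
        eval "paths=\$$kind"
        [ -n "$paths" ] || continue
        printf '%s\n' "$paths" | while IFS= read -r p; do
            case $kind in
                owner) printf 'not owned by %s:%s: %s\n' "$user" "$group" "$p" ;;
                mode)  printf 'writable by group/others: %s\n' "$p" ;;
                suid)  printf 'setuid/setgid script: %s\n' "$p" ;;
            esac
        done
        found=1
    done
    return $found
}

# Demo on a constructed directory: one 755 script and one 777 script.
demo=$(mktemp -d) && mkdir "$demo/cgi-bin" && chmod 755 "$demo/cgi-bin"
touch "$demo/cgi-bin/ok.cgi" "$demo/cgi-bin/sloppy.cgi"
chmod 755 "$demo/cgi-bin/ok.cgi"; chmod 777 "$demo/cgi-bin/sloppy.cgi"
if suexec_audit "$demo/cgi-bin" "$(id -un)" "$(id -gn)"; then
    echo "clean"
else
    echo "suexec would refuse at least one script here"
fi
rm -rf "$demo"
```

A file that breaks more than one rule is reported once per rule, which matches the separate error messages suexec writes to its log.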