Suexec with Apache 1.3.29
MLandman at face2interface.com
Thu Apr 29 11:20:23 PDT 2004
At 01:13 PM 4/29/2004, Mikkel Christensen wrote:
>On Thursday 29 April 2004 14:22, Marty Landman wrote:
> > Why is it strange? The reason I kept trying to install suexec was because
> > until I did, the development environment I set up on my LAN could mirror
> > that on my real sites with the exception that all the files & directories
> > had to be given 777 or equivalent permissions. Otherwise with the user
> > running my cgi's being nobody aka www or httpd files couldn't be written
> > to, created, deleted etc.
>Okay, I can see your point.
Thank you. This is still all very new to me, having just installed my fbsd
box in the fall. Nice to know I've learned a little bit since then.
>Now he has to give the webserver the same rights as everybody else on the
Real new to this as said, but the consistency of the approach seems to be
that Apache itself runs as user nobody. So your argument may have merit but
only if carried over to argue that httpd should run as something greater
than the lowly 'nobody'.
>This is a problem if he stores passwords in a php-script. Apache will
>interpret it and therefore not let anyone se the source while other users
>can read the content as they please.
>This seems to be more unsecure, or am I wrong?
I wouldn't approach it that way. Step back a moment from the problem
Mikkel. Sounds to me like you want a web app that maintains a password file
- which btw I'd never consider embedding inside a webpage or storing
anywhere on a web accessible directory, right? That said, the constraint
that you point out is imposed by suexec is that the id owning that file
must also own all the applications that have any access to that file.
Unless you deem fit to make the file world readable, writeable, or executable.
Looking at it that way one could argue this is the most secure way to
approach it. It's nice seeing someone else struggling with the same things
that have gotten me confused, and continue to be confused about. When I
finally got suexec working for my environment the last issues had to work
through were also issues of permissions and ownership, not questions of
getting the server compiled properly. Guess that's what makes this such a
difficult thing to 'get'. (like email - at the risk of repeating myself).
On the side, this makes me wonder what the philosophy is on Windows servers
where the whole permissions concept is nonexistent afaik.
Marty Landman Face 2 Interface Inc. 845-679-9387
Web Installed Formmailer: http://face2interface.com/Products/Formal.shtml
FormATable DB: http://face2interface.com/Products/FormATable.shtml
Make a Website: http://face2interface.com/Home/Demo.shtml
More information about the freebsd-questions