Suexec with Apache 1.3.29

Mikkel Christensen mikkel at talkactive.net
Fri May 7 03:44:02 PDT 2004


On Monday 03 May 2004 08:26, Mikkel Christensen wrote:
> On Friday 30 April 2004 07:58, Mikkel Christensen wrote:
> > On Thursday 29 April 2004 19:54, Mikkel Christensen wrote:
> > > On Thursday 29 April 2004 18:20, Marty Landman wrote:
> > > > At 01:13 PM 4/29/2004, Mikkel Christensen wrote:
> > > > >On Thursday 29 April 2004 14:22, Marty Landman wrote:
> > 
> > Hmm, maybe there is a way to get what I want.
> > If Apache's user is added to all the groups that the users are members of, this would work.
> > 
> > E.g. user1 is a member of the group user1.
> > So is the www-user.
> > 
> > Now setting permissions 644 would give access to everyone.
> > Setting permissions 640 would deny all other users on the server access to the files.
> > Setting permissions 600 would completely deny everyone from reading the files.
> > This is what I wanted from the beginning. Setting www as group owner of the files would be a lot easier in my opinion than adding the www-user to every user's group.
> > But it will do. Now I'm happy:-)
> > 
> 
> Hmm not that happy after all.
> The concept of making the apache user a member of many groups works fine to begin with.
> But when the number of memberships apache has exceeds a certain number it refuses to start.
> The number of memberships is not specific but lies around 15-25.
> 
> Lines like these are written multiple times (usually about 10 times) to the apache error log:
> [Mon May  3 10:13:29 2004] [alert] (22)Invalid argument: initgroups: unable to set groups for User www and Group 80
> 
> Then these lines follow:
> [Mon May  3 10:13:29 2004] [notice] Apache/1.3.29 (Unix) PHP/4.3.4 configured -- resuming normal operations
> [Mon May  3 10:13:29 2004] [notice] suEXEC mechanism enabled (wrapper: /usr/local/sbin/suexec)
> [Mon May  3 10:13:29 2004] [notice] Accept mutex: flock (Default: flock)
> [Mon May  3 10:13:29 2004] [alert] Child 51086 returned a Fatal error...
> Apache is exiting!
> 
> My test setup is FreeBSD 5.2.1 and Apache 1.3.29 with suexec.
> I guess this might be an issue for an Apache mailing list unless initgroups is part of the FreeBSD system. Does anyone know this?
> 

I didn't find a solution to that specific problem, but I did find a workaround.
Instead, all users join the user nobody's group. Afterwards nobody joins www's group.
www now has access to all users' files through nobody if the group flag allows it. And because Apache doesn't have to initialize many users upon start it doesn't shut down.
Actually this is kind of cheating in my opinion but it works great!:)
I just wanted to let everybody know in case somebody is having the same trouble as I did.

My thanks to anyone who participated in this thread:-)

 - Mikkel
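
The "(22)Invalid argument" from initgroups quoted above is consistent with setgroups(2) rejecting a group list longer than the system limit NGROUPS_MAX. The following check is an added example, not part of the original post: it counts the groups an account would be given from group(5)-format text and compares the total with a limit. The sample group file, the group names and the limit of 16 are constructed assumptions; read the real limit with `getconf NGROUPS_MAX`.

```python
import os

# Constructed sample in group(5) format: name:passwd:gid:member,member
# The www account has been added to 20 per-user groups, as in the
# first approach described in the thread.
SAMPLE_GROUP_FILE = "wheel:*:0:root\nwww:*:80:\n" + "".join(
    f"user{i}:*:{1000 + i}:www\n" for i in range(1, 21)
)


def supplementary_groups(group_text, account):
    """Return names of groups whose member list contains `account`."""
    found = []
    for line in group_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed entry, ignore
        members = [m.strip() for m in fields[3].split(",") if m.strip()]
        if account in members:
            found.append(fields[0])
    return found


def check_group_limit(group_text, account, primary_group, limit):
    """Compare the group list initgroups(3) would build with `limit`.

    The list is the primary group plus every group naming the account.
    Returns (total, ok); ok is False when the list is longer than `limit`.
    """
    names = set(supplementary_groups(group_text, account))
    names.add(primary_group)
    total = len(names)
    return total, total <= limit


def system_limit():
    """NGROUPS_MAX of the running system, or None if not reported."""
    try:
        return os.sysconf("SC_NGROUPS_MAX")
    except (ValueError, OSError):
        return None


if __name__ == "__main__":
    limit = system_limit() or 16  # 16 is an assumed fallback for the sample
    total, ok = check_group_limit(SAMPLE_GROUP_FILE, "www", "www", limit)
    print(f"www: {total} groups, limit {limit}:", "ok" if ok else "over limit")
```

Running the same check against the real /etc/group before adding the server account to another group shows how close it is to the limit.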

