Hello,

We're a small university (think 3000 users) with an NFS/Kerberos/LDAP network environment. I'm currently preparing for a much-needed complete overhaul of our main webserver, which hosts the users' webpages using a standard userdir configuration (the webserver has all home directories mounted). The old configuration ran Apache as the www-data user for all purposes, but this simply isn't secure now when we have users running WordPress etc. out of their account, so that Apache (and thus everyone else) must be able to read their MySQL credentials. I would thus like to use suexec in the new configuration so that users can own and secure their files.

Here's the trouble: From the documentation I have read (and it is quite possible I'm missing something), suexec can only call binaries within the userdir, not somewhere on the rest of the system. This makes PHP difficult since php-cgi must be called. Everywhere I have looked this problem has been solved by placing a shell script in the user's public_html. Apache runs the script, and the script runs php-cgi.

I don't like this solution, though, because it requires that all users have a "magic shell script" in their public_html. Many of our users (as I think anyone at a university has experienced) have little to no understanding of a Linux environment and won't understand the script, thus either creating it incorrectly or (if we place it automatically) removing it accidentally. Sure, we could write tools to correct this automatically, but it simply seems like there must be a better way to do this.

Is there not any way that /usr/bin/php-cgi can be added to some sort of whitelist that suexec is allowed to call? I think one potential solution is to run suphp alongside suexec, but it seems like it should be simple to do all this with suexec and fcgid as I plan to use for python/perl.

What would you recommend as the best practice for this kind of setup?

Thanks!

--
Jesse B. Crawford (jeanluc)
Systems Programmer
Tech Computer Center
New Mexico Inst. of Mining & Tech.
jeanluc@xxxxxxx // http://nmt.edu/~jeanluc

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
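The restriction described in the message follows from suexec's documented security model. The following is an added example, not part of the original post and not Apache code: a simplified Python model of a subset of those checks for a `~user` request, showing why `/usr/bin/php-cgi` is refused while a user-owned wrapper inside `public_html` passes. The account, paths, UIDs and the `php-wrapper` name are constructed for illustration, and the default `public_html` userdir suffix is assumed.

```python
import os
from dataclasses import dataclass

USERDIR = "public_html"  # assumption: suexec built with the default userdir suffix

@dataclass
class Meta:
    """Constructed stand-in for the stat() fields suexec inspects."""
    uid: int
    gid: int
    mode: int

def suexec_check(home, cwd, cmd, uid, gid, dir_meta, prog_meta):
    """Model a subset of suexec's documented checks for a ~user request.

    Returns (allowed, reason); reason names the first check that failed.
    """
    # Unsafe hierarchical reference: absolute paths and ".." are refused outright.
    if cmd.startswith("/") or cmd.startswith("../") or "/../" in cmd:
        return False, "unsafe-path"
    # The working directory must lie inside the target user's userdir.
    root = os.path.join(home, USERDIR)
    here = os.path.normpath(cwd)
    if here != root and not here.startswith(root + os.sep):
        return False, "outside-userdir"
    # Neither the directory nor the program may be writable by group or others.
    if dir_meta.mode & 0o022:
        return False, "dir-writable"
    if prog_meta.mode & 0o022:
        return False, "prog-writable"
    # Setuid/setgid programs are refused.
    if prog_meta.mode & 0o6000:
        return False, "setuid-or-setgid"
    # Directory and program must belong to the user and group being switched to.
    for meta in (dir_meta, prog_meta):
        if (meta.uid, meta.gid) != (uid, gid):
            return False, "owner-mismatch"
    return True, "ok"

if __name__ == "__main__":
    own_dir, root_obj = Meta(1001, 1001, 0o755), Meta(0, 0, 0o755)  # constructed
    cgi = "/home/alice/public_html/cgi-bin"
    print(suexec_check("/home/alice", cgi, "/usr/bin/php-cgi", 1001, 1001, own_dir, root_obj))
    print(suexec_check("/home/alice", "/usr/bin", "php-cgi", 1001, 1001, root_obj, root_obj))
    print(suexec_check("/home/alice", cgi, "php-wrapper", 1001, 1001, own_dir, Meta(1001, 1001, 0o700)))
```

The real suexec performs further checks (caller identity, minimum UID/GID, environment cleaning) that this model leaves out.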