Hello Marc, thanks for the tip :)After giving it some more thinking, I decided to split my webspace into 2 different lvm partitions, one being mounted read-only and one being mounted read-write.
This way I can run my scripts by a non-apache user, and still ensure they cannot be modified by the user running them.
Regards, Christian----- Original Message ----- From: "Marc Bentje" <noreply@xxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx> Sent: Thursday, May 05, 2005 6:58 AM Subject: Re: [users@httpd] Securing cgi (suexec or another solution?)
Hello Christian, therefore i search a special version of chroot, searching a while, i find some mods that don't fit my needs but maybe yours try cgiwrap type it in sourceforge.net ... there are only two project for choice cheers marc Am Don, 2005-05-05 um 01.27 schrieb Christian Ehlers:Hello, I have a question about securing my cgi scripts with suexec. I have successfully setup my apache2 (V.: 2.0.52) with suexec. I am trying to accomplish the following goals: The cgi script should NOT: run as the apache user. be able to write to itself. be able to create files within itʼs directory. be able to write to other cgi scripts in the same directory. Unfortunately, suexec seems to require the directory and the cgi to be executed to be belonging to the user/group that executes it. Is there any way to have suexec not check if the directory/program belongs to them? Iʼd prefer to have my script owned by root and running under a normal user that is not the apache user. Is there any way to accomplish this with either suexec or another solution? Thanks for any help. Regards, Chris--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx