On 7/28/06, matthew.fisch@xxxxxxxxx <matthew.fisch@xxxxxxxxx> wrote:
Thanks for the attention Joshua... Yes Ive read the other discussions (I think). I guess I assumed right then, Im stuck without changes to the source code? suexec cant work with mod_vhost_alias?
Correct.
Regarding the UID mapping, all it would have to do would be suexec as the owner of the file. I wonder if that would really be insecure or inflexible afterall. Are users able to chown files to other users?
On some systems, yes, people can "give away" files. Even on systems where they can't, this would be a bad idea since people could do malicious things to other people's accounts using their own binaries. The more-secure solution that I was thinking of was simply hard-coding a knowledge of the VirtualDocumentRoot into suexec so that cgi's within a particular vhost were run under a particular userid. As far as getting such a solution into the "mainline" apache httpd, I guess it could be possible using a VirtualUserGroup directive, or something of the sort. I'd have to think more about the security implications. Hard-coding it into suexec would actually be more secure, but you need to be very careful with any modification to suexec. Joshua. Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|