Joshua,

Let me pass this pseudo logic by you.

* Create a dedicated user (say suapache:suapache/no shell/no homedir).
* Add that user to the sudo privileges file (with access to the dedicated list of apps they can execute with nopass set and only localhost as access).
* Create another instance of Apache running on a different port running with the new user (suapache) on 127.0.0.1.

From reading the sudoers sample page this seems to fit what I want to do. Does this logic seem appropriate?

My next question is about the Apache instance. I can do one of two things: create a completely separate instance of Apache from source, or use the existing runtime with a separate configuration file. I am familiar with the first (as we have run two separate instances before), but I don't have any experience running two instances with distinct configuration files. Which would you suggest?

Gary Wayne Smith

> -----Original Message-----
> From: jslive@xxxxxxxxx [mailto:jslive@xxxxxxxxx] On Behalf Of Joshua Slive
> Sent: Tuesday, August 29, 2006 8:51 AM
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: [users@httpd] suicidal suexec question.
>
> Google for sudo, which is the canonical tool for these types of
> problems. Suexec will not run stuff as root unless you hack it.
>
> Running a separate daemon on a different port is a good idea with
> sudo, since it will allow you to isolate these requests under a
> different account and very-specific permissions.
>
> Joshua.
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
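
Added example (not part of the original messages, and not Apache or sudo project code): a shell sketch of the three steps above for the "existing runtime, separate configuration file" option, staging the sudoers fragment and the second instance's config into a directory and checking both before install. The helper path, port 8081, ServerRoot and file names are assumptions; only the suapache account name comes from the thread.

```shell
#!/bin/sh
# Stage and check the files for a loopback-only httpd running as suapache.
SU_USER=suapache
HELPER=/usr/local/sbin/site-helper   # hypothetical root-only helper script
PORT=8081                            # assumed free port

# Step 1, run as root (Linux shadow-utils): no login shell, no home directory.
#   useradd -r -U -M -s /sbin/nologin suapache

write_sudoers() {   # $1 = staging dir
    cat > "$1/suapache.sudoers" <<EOF
# The host field matches the machine's own host name, not the address a
# request came from, so ALL is used here; loopback-only access is enforced
# by the Listen line of the second httpd instance.
$SU_USER ALL = (root) NOPASSWD: $HELPER
EOF
    chmod 0440 "$1/suapache.sudoers"   # mode sudo expects; verify with: visudo -cf FILE
}

write_httpd_conf() {   # $1 = staging dir; only directives that must differ
    cat > "$1/httpd-suapache.conf" <<EOF
ServerRoot "/usr/local/apache2"
Listen 127.0.0.1:$PORT
User $SU_USER
Group $SU_USER
PidFile logs/httpd-suapache.pid
ErrorLog logs/error-suapache.log
# DocumentRoot, modules and CGI settings: copy from the main config as needed.
EOF
}

# Succeeds only if a Listen line exists and every one binds 127.0.0.1.
loopback_only() {   # $1 = httpd config file
    grep -qi '^[[:space:]]*Listen[[:space:]]' "$1" || return 1
    ! grep -i '^[[:space:]]*Listen[[:space:]]' "$1" |
        grep -qv '[[:space:]]127\.0\.0\.1:[0-9]'
}

# Succeeds only if no NOPASSWD rule grants ALL commands or uses a wildcard.
narrow_sudoers() {  # $1 = sudoers fragment
    ! grep -v '^#' "$1" | grep -Eq 'NOPASSWD:[[:space:]]*ALL|NOPASSWD:.*[*]'
}

stage() {           # $1 = staging dir
    write_sudoers "$1" && write_httpd_conf "$1" &&
        loopback_only "$1/httpd-suapache.conf" && narrow_sudoers "$1/suapache.sudoers"
}

if [ -n "${1:-}" ]; then stage "$1"; fi
```

The second instance is then started from the existing binary with `httpd -f` pointing at the staged config file.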