Date:      Thu, 15 Nov 2001 12:06:29 +0000 (GMT)
From:      Jan Grant <Jan.Grant@bristol.ac.uk>
To:        Dmitry Mottl <dima@sinp.msu.ru>
Cc:        freebsd-questions <freebsd-questions@FreeBSD.org>, freebsd-security <freebsd-security@FreeBSD.org>
Subject:   Re: Apache question
Message-ID:  <Pine.GSO.4.31.0111151203320.26038-100000@mail.ilrt.bris.ac.uk>
In-Reply-To: <3BF3A166.2090009@sinp.msu.ru>

On Thu, 15 Nov 2001, Dmitry Mottl wrote:

> Hi, All
>
> I have to configure www virtual hosts under Apache
> and I need that all virtual hosts have NO access (through cgi execution) to each
> other.
>
> Is it good to start up proxy on 80 and
> about 100-300 backend httpd (each under its own uid and gid),
> which will be paged in (from swap) if connection is requested.
>
> Is there a better solution?
>
> It seems that the suexec Apache mechanism will not help,
> because I have to give hosters GID to access their files,
> so I can't properly specify permissions due to UNIX file security (uuugggooo).
> In this case I need to choose if GID=wwwguest or GID=hoster
>
> Maybe set up a patch to use UFS extended attributes? (www.trustedbsd.org)
> I'm using FreeBSD 4.4-RELEASE

This is an interesting problem, certainly; as you point out, the httpd
process owner/group needs to be able to view files in all virtual hosts;
CGI scripts in each must not.

I'd say you should be able to do this with a combination of suExec
(with a different uid/gid for each virtual host) - although it might
need tinkering with to get the directory restrictions it needs correct -
and ACLs on the top of each virtual host's cgi-bin.


-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk
and Nostradamus never dreamed of the Church of the Accellerated Worm
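
The trade-off discussed in this thread, as an added example that is not part of the original messages: a simplified model of the UNIX owner/group/other check with a named-user ACL entry, applied to each virtual host's cgi-bin. The identities www, alice and bob and the modes are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

R, W, X = 4, 2, 1

@dataclass
class Node:
    owner: str
    group: str
    mode: int                                      # classic bits, e.g. 0o750
    acl_users: dict = field(default_factory=dict)  # named-user ACL entries
    mask: int = 7                                  # ACL mask; 7 = no restriction

def allowed(node, user, groups, want):
    """Simplified POSIX.1e check order: owner, named user, owning group, other."""
    if user == node.owner:
        perms = (node.mode >> 6) & 7
    elif user in node.acl_users:
        perms = node.acl_users[user] & node.mask
    elif node.group in groups:
        perms = (node.mode >> 3) & 7 & node.mask
    else:
        perms = node.mode & 7
    return perms & want == want

# Constructed identities: httpd runs as www:www, each vhost's CGI runs
# under suExec with that vhost's own uid/gid (all names are hypothetical).
HTTPD = ("www", {"www"})
CGI = {"alice": ("alice", {"alice"}), "bob": ("bob", {"bob"})}

def layout(mode, acl=None):
    # cgi-bin is owned by the vhost's uid/gid, which suExec's ownership
    # check requires; only the mode and the ACL vary between scenarios.
    return {h: Node(h, h, mode, dict(acl or {})) for h in CGI}

def audit(cgi_bins):
    """Return (httpd_ok, leaks): whether httpd can read/search every cgi-bin,
    and which (CGI identity, foreign cgi-bin) pairs are searchable."""
    httpd_ok = all(allowed(n, *HTTPD, R | X) for n in cgi_bins.values())
    leaks = [(who, host) for who, ident in CGI.items()
             for host, n in cgi_bins.items()
             if who != host and allowed(n, *ident, X)]
    return httpd_ok, leaks

if __name__ == "__main__":
    print("0750, no ACL  :", audit(layout(0o750)))
    print("0755, no ACL  :", audit(layout(0o755)))
    print("0750 + www ACL:", audit(layout(0o750, {"www": R | X})))
```

With mode bits alone, either httpd is locked out of cgi-bin (0750) or every other virtual host's CGI identity gets in (0755); the named-user entry for the httpd user is what lets both requirements hold at once.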

