From owner-freebsd-questions@FreeBSD.ORG Thu Apr 29 11:20:23 2004
Date: Thu, 29 Apr 2004 14:20:14 -0400
From: Marty Landman
To: Mikkel Christensen, freebsd-questions@freebsd.org
Subject: Re: Suexec with Apache 1.3.29
Message-Id: <6.0.0.22.0.20040429140657.11cf1120@pop.face2interface.com>
In-Reply-To: <200404291713.13999.mikkel@talkactive.net>
References: <200404262126.36157.mikkel@talkactive.net>
 <200404291406.58150.mikkel@talkactive.net>
 <6.0.0.22.0.20040429101444.0e68a6a0@pop.face2interface.com>
 <200404291713.13999.mikkel@talkactive.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
List-Id: User questions

At 01:13 PM 4/29/2004, Mikkel Christensen wrote:
>On Thursday 29 April 2004 14:22, Marty Landman wrote:
> > Why is it strange? The reason I kept trying to install suexec was because
> > until I did, the development environment I set up on my LAN could mirror
> > that on my real sites with the exception that all the files & directories
> > had to be given 777 or equivalent permissions. Otherwise with the user
> > running my cgi's being nobody aka www or httpd, files couldn't be written
> > to, created, deleted etc.
>
>Okay, I can see your point.

Thank you. This is still all very new to me, having just installed my fbsd
box in the fall. Nice to know I've learned a little bit since then.

>Now he has to give the webserver the same rights as everybody else on the
>server.

Real new to this as said, but the consistency of the approach seems to be
that Apache itself runs as user nobody. So your argument may have merit, but
only if carried over to argue that httpd should run as something greater than
the lowly 'nobody'.

>This is a problem if he stores passwords in a php-script. Apache will
>interpret it and therefore not let anyone see the source while other users
>can read the content as they please.
>This seems to be more insecure, or am I wrong?

I wouldn't approach it that way. Step back a moment from the problem Mikkel.
Sounds to me like you want a web app that maintains a password file - which
btw I'd never consider embedding inside a webpage or storing anywhere in a
web accessible directory, right?

That said, the constraint that you point out is imposed by suexec is that the
id owning that file must also own all the applications that have any access
to that file. Unless you deem fit to make the file world readable, writeable,
or executable. Looking at it that way one could argue this is the most secure
way to approach it.

It's nice seeing someone else struggling with the same things that have
gotten me confused, and continue to confuse me. When I finally got suexec
working for my environment, the last issues I had to work through were also
issues of permissions and ownership, not questions of getting the server
compiled properly. Guess that's what makes this such a difficult thing to
'get'. (like email - at the risk of repeating myself).

On the side, this makes me wonder what the philosophy is on Windows servers
where the whole permissions concept is nonexistent afaik.

Marty

Marty Landman
Face 2 Interface Inc.
845-679-9387
Web Installed Formmailer: http://face2interface.com/Products/Formal.shtml
FormATable DB: http://face2interface.com/Products/FormATable.shtml
Make a Website: http://face2interface.com/Home/Demo.shtml
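Added example, not code from the thread or from FreeBSD/Apache: a small sh audit of a web tree for the permission problems the thread contrasts (the 777 workaround needed when CGIs run as nobody, versus suexec's rule that a script and its directory belong to the target user and are writable by nobody else). The webroot path and the expected owner are assumptions supplied by the caller.

```shell
#!/bin/sh
# Without suexec, CGIs run as "nobody", so data files had to be made
# world-writable (the 777 workaround). With suexec each CGI runs as the
# owning user, and suexec refuses to run a script (or enter a directory)
# that is owned by someone else, writable by anyone other than its owner,
# or setuid/setgid. This audit reports files that break that model.

audit_webroot() {
    webroot="$1"        # e.g. /usr/local/www/data (assumed path)
    expected_user="$2"  # user suexec runs this tree's CGIs as (name or uid)
    [ -d "$webroot" ] || { echo "no such directory: $webroot" >&2; return 2; }

    # 1. Leftovers of the 777 workaround: anything writable by group or other.
    loose=$(find "$webroot" \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null)
    # 2. Files not owned by the expected user: suexec refuses such scripts,
    #    and under suexec the owner is the only one who needs write access.
    foreign=$(find "$webroot" ! -user "$expected_user" -print 2>/dev/null)
    # 3. setuid/setgid files: suexec refuses to execute them.
    sxid=$(find "$webroot" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null)

    [ -n "$loose" ]   && printf 'writable by group/other:\n%s\n' "$loose"
    [ -n "$foreign" ] && printf 'not owned by %s:\n%s\n' "$expected_user" "$foreign"
    [ -n "$sxid" ]    && printf 'setuid/setgid:\n%s\n' "$sxid"
    # Exit status 0 only when the tree matches the suexec ownership model.
    [ -z "$loose$foreign$sxid" ]
}

# Run directly as: sh audit.sh /usr/local/www/data www
if [ $# -ge 2 ]; then
    audit_webroot "$1" "$2"
fi
```

A clean tree exits 0, so the function can also gate a deployment step.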