Date: Thu, 29 Apr 2004 19:54:04 +0000 From: Mikkel Christensen <mikkel@talkactive.net> To: freebsd-questions@freebsd.org Subject: Re: Suexec with Apache 1.3.29 Message-ID: <200404291954.04559.mikkel@talkactive.net> In-Reply-To: <6.0.0.22.0.20040429140657.11cf1120@pop.face2interface.com> References: <200404262126.36157.mikkel@talkactive.net> <200404291713.13999.mikkel@talkactive.net> <6.0.0.22.0.20040429140657.11cf1120@pop.face2interface.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thursday 29 April 2004 18:20, Marty Landman wrote: > At 01:13 PM 4/29/2004, Mikkel Christensen wrote: > >On Thursday 29 April 2004 14:22, Marty Landman wrote: > Real new to this as said, but the consistency of the approach seems to be > that Apache itself runs as user nobody. So your argument may have merit but > only if carried over to argue that httpd should run as something greater > than the lowly 'nobody'. The user under which Apache runs is compiled into the system (--suexec-caller=www). I think that suexec refuses this because its the apache user and would still do so if apache was running as nobody. Of course I don't know this. It's just a guess based on the things I have experiensed and the option --suexec-caller=www. > > >This is a problem if he stores passwords in a php-script. Apache will > >interpret it and therefore not let anyone se the source while other users > >can read the content as they please. > >This seems to be more unsecure, or am I wrong? > > I wouldn't approach it that way. Step back a moment from the problem > Mikkel. Sounds to me like you want a web app that maintains a password file > - which btw I'd never consider embedding inside a webpage or storing > anywhere on a web accessible directory, right? Let me first point out that I don't intend to store such passwords freely available. But lets face it, if you have many users on your webserver some will do so occasionally (eg. many users take advantage og fora like PHPBB and PHPNuke which stores the database password in cleartext). And when they do you will have to deal with the mess as the administrator. Therefore this should be possible to do safely. > That said, the constraint > that you point out is imposed by suexec is that the id owning that file > must also own all the applications that have any access to that file. > Unless you deem fit to make the file world readable, writeable, or executable. Technically if no other other users tha www itself is member of the www group I find the more sophisticated way of setting permissions you gain would be more important. It is my believe that suexec by being too paranoid removes some great configuration options. Some options that I would personally prefer. But of course this is my oppinion and i'll bet the people who maintain suexec disagree:) > > Looking at it that way one could argue this is the most secure way to > approach it. It's nice seeing someone else struggling with the same things > that have gotten me confused, and continue to be confused about. When I > finally got suexec working for my environment the last issues had to work > through were also issues of permissions and ownership, not questions of > getting the server compiled properly. Guess that's what makes this such a > difficult thing to 'get'. (like email - at the risk of repeating myself). > Also the problem when running a webserver with many users you don't know is to get them to use the right permissions. All this suexec does no good if the users apply chmod 777 (and trust me some do!) to all their files:( (if this can be avoided please let me know) > On the side, this makes me wonder what the philosophy is on Windows servers > where the whole permissions concept is nonexistent afaik. > Actually they do have permissions. Like unix you can decide which users that should have any combination read/write/execute permissions to a certain file. At my work we have several win2003 webservers where the users are restrained entirely to their home directory thus unable to do any filelistings on other user's data if they have set their permissions wrongly. But please don't ask me how this is done, I'm no windows expert:) - Mikkel
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200404291954.04559.mikkel>