Received: (qmail 22529 invoked by uid 2012); 18 May 1999 03:41:33 -0000 Message-Id: <19990518034133.22528.qmail@hyperreal.org> Date: 18 May 1999 03:41:33 -0000 From: Brendan Byrd Reply-To: sineswiper@resonatorsoft.com To: apbugs@hyperreal.org Subject: suEXEC only works on CGIs/SSIs (not very useful for permission locking) X-Send-Pr-Version: 3.2 >Number: 4435 >Category: suexec >Synopsis: suEXEC only works on CGIs/SSIs (not very useful for permission locking) >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: apache >Arrival-Date: Mon May 17 20:50:01 PDT 1999 >Closed-Date: Wed Jan 12 04:08:15 PST 2000 >Last-Modified: Wed Jan 12 04:08:15 PST 2000 >Originator: sineswiper@resonatorsoft.com >Release: 1.3.6 >Organization: >Environment: Linux 2.2.7 i686 >Description: I'm not sure if this is a config problem or something you don't have (the docs seem to indict the latter), but I'd like for suEXEC to work for EVERY file, not just CGI/SSIs. Since I'm dealing with multiple web accounts on a server, I'd like to lock down the /home/username directory to 700, so that only the user and the web server can access that directory. Unforunately, the "chmod 700" setting locks off the web server in its current state. I've seen done on other systems (any of OLM.net's boxes, for example), but I don't know if it's a patch or what. >How-To-Repeat: >Fix: >Release-Note: >Audit-Trail: Category-Changed-From-To: general-suexec Category-Changed-By: coar Category-Changed-When: Tue May 18 07:36:13 PDT 1999 State-Changed-From-To: open-closed State-Changed-By: coar State-Changed-When: Wed Jan 12 04:08:14 PST 2000 State-Changed-Why: Noteh the 'exec' part of suexec's name. It functions with Apache by changing the UID/GID of a process to handle a script, after which the process dies. That would not be terribly efficient if done for every single request, and is contrary to suexec's intended purpose in any event. I'm afraid that suexec isn't the solution for your problem; you're going to have to solve it using some OS-level choice of permissions. But thanks for asking and for using Apache! >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]