apache + suexec

Hiten Pandya hitmaster2k at yahoo.com
Wed Nov 28 13:03:33 GMT 2001


> > I've noticed that the apache port has the following lines in the
> > Makefile:
> >
> > CONFIGURE_ARGS+= ...
> >                  --suexec-docroot=${PREFIX}/www/data
> >                  ...
> >
> > The Makefile doesn't contain a make option to include --enable-suexec
> > though.
> > Does this mean in order to compile in suexec from the port I have to
> > edit the Makefile to support this, OR does he want us to "make
> > CONFIGURE_ARGS=--enable-suexec".. OR just not use suexec at all.
> >
> > What I'd really like to do is set up a website hosting machine, but
> > could really do without other users sniffing around the whole
> > filesystem and other users' home directories with things like PHP and
> > Perl. Has anyone got another method of doing this without suEXEC
> > support in apache?
> >
> > I figured that since apache runs as user/group: nobody/nogroup, you
> > need to make the user's home directory and html files readable to
> > everyone, which they may not like, especially if they have their MySQL
> > password in a PHP file somewhere. But using suEXEC it forces apache to
> > use the user's UID/GID, so therefore removing the need to make users'
> > home directories etc etc readable to everyone.
> >
> > Does this sound reasonable or am I pulling it out my behind? :)
> >  Thanks in advance,
> >   Ed
 
hi..
if you are building apache from a port, then yes.. you can either edit
the makefile, or supply this to it as an argument...

# make install CONFIGURE_ARGS+="--enable-suexec"

What this will do is, rather than editing the makefile, it will append
the above option to the CONFIGURE_ARGS variable with all the other ones
in the Makefile...

I am not really sure about how to do the hosting things.. but.. this
might help...

...If you are planning to provide a near to secure mechanism (which I
know of)... is to apply the security tweaks provided in the handbook
(which apply).. and provide a web or ftp interface for management of
their files such as uploading, downloading, etcetera...

...And, it would be even more secure if you ran Apache not as user
nobody/nogroup... cause everything running with it will be
nobody/nogroup, so what I suggest is make a user called "www" for your
apache, and a separate user for your Database Server(s).

...Talking about roaming around the filesystem, there is a mechanism ...
I personally have never used it... which allows you to protect
directories from being opened, I think it is by changing the directory
modes (chmod)...

...This should provide enough protection to users' directories... and
overall security....

Thanks...
 
=====
regards,
Hiten Pandya
<hitmaster2k at yahoo.com>
<http://geocities.com/hitmaster2k>

MOTD: I just like _pumping_ the daylights out of a PENGUIN!!!
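
An added example, not part of the original message: a shell audit for the exposure Ed describes (web files readable by every local account when the server runs as one shared user) together with the directory-mode tightening the reply mentions. The directory layout, file names and helper functions are constructed for illustration; the 600 mode assumes the script that reads the file runs under its owner's UID, as a CGI started through suEXEC does.

```shell
#!/bin/sh
# Added example (not from the original thread). Paths and names are constructed.

# Print files under $1 that carry the "other: read" bit, i.e. files that
# every local account (and any script another customer runs) can read.
world_readable_files() {
    find "$1" -type f -perm -0004 -print | sort
}

# Print directories under $1 that "other" can list (o+r). The o+x bit alone
# lets the web server traverse to a known path without listing the contents.
world_listable_dirs() {
    find "$1" -type d -perm -0004 -print | sort
}

# Tighten one user's tree: home traversable but not listable (711) and the
# named secret files owner-only (600). Assumption: the code reading those
# files runs as the owner (suEXEC CGI), not as the shared web server user.
harden_user_tree() {
    home=$1; shift
    chmod 711 "$home"
    for f in "$@"; do chmod 600 "$home/$f"; done
}

# Constructed sample tree standing in for one customer on a hosting box.
make_sample_tree() {
    base=$(mktemp -d "${TMPDIR:-/tmp}/suexec-audit.XXXXXX") || return 1
    mkdir -p "$base/ed/public_html"
    printf '<?php $db_pass = "constructed-example"; ?>\n' \
        > "$base/ed/public_html/config.php"
    printf '<html>hello</html>\n' > "$base/ed/public_html/index.html"
    chmod 755 "$base" "$base/ed" "$base/ed/public_html"
    chmod 644 "$base/ed/public_html/config.php" "$base/ed/public_html/index.html"
    printf '%s\n' "$base"
}

demo() {
    base=$(make_sample_tree) || return 1
    echo "world-readable before:"; world_readable_files "$base/ed"
    harden_user_tree "$base/ed" public_html/config.php
    echo "world-readable after:";  world_readable_files "$base/ed"
    echo "still listable:";        world_listable_dirs "$base/ed"
    rm -rf "$base"
}
demo
```

Static pages such as index.html stay world-readable here because the web server itself still has to read them; only the file holding the password is restricted to its owner.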






More information about the Ukfreebsd mailing list