apache + suexec

Hiten Pandya hitmaster2k at yahoo.com
Wed Nov 28 13:03:33 GMT 2001

> > I've noticed that the apache port has the following lines in the
> > Makefile:
> >
> > --suexec-docroot=${PREFIX}/www/data
> > ...
> >
> > The Makefile doesn't contain a make option to include
> > --enable-suexec though.
> > Does this mean in order to compile in suexec from the port I have to
> > edit the Makefile to support this, OR does he want us to "make
> > CONFIGURE_ARGS=--enable-suexec".. OR just not use suexec at all.
> >
> > What I'd really like to do is set up a website hosting machine, but
> > could really do without other users sniffing around the whole
> > filesystem and other users' home directories with things like PHP
> > and Perl. Has anyone got another method of doing this without suEXEC
> > support in apache?
> >
> > I figured that since apache runs as user/group: nobody/nogroup, you
> > need to make the user's home directory and html files readable to
> > everyone, which they may not like, especially if they have their
> > MySQL password in a PHP file somewhere. But using suEXEC it forces
> > apache to use the user's UID/GID, so therefore removing the need to
> > make users' home directories etc etc readable to everyone.
> >
> > Does this sound reasonable or am I pulling it out my behind? :)
> >
> > Thanks in advance,
> > Ed

If you are building apache from a port, then yes.. you can either edit
the Makefile, or supply this to it as an argument...

    # make install CONFIGURE_ARGS+="--enable-suexec"

What this will do is, rather than editing the Makefile, it will append
the above option to the CONFIGURE_ARGS variable with all the other
ones in

I am not really sure about how to do the hosting things.. but.. this
might help...

...If you are planning to provide a near to secure mechanism (which I
know of)... is to apply the security tweaks provided in the handbook
(which apply).. and provide a web or ftp interface to management of
their files such as uploading, downloading, etcetera...

...And, it would be even secure if you ran Apache as user
nobody/nogroup... cause everything running with it will be
nobody/nogroup, so what I suggest is make a user called "www" for your
apache, and a user for your Database Server(s).

...Talking about roaming around the filesystem, there is a mechanism
... I personally have never used it... that allows you to protect
directories from being opened, I think it is by changing the directory
modes

...This should provide enough protection to users' directories... and
overall security....

 Hiten Pandya
 <hitmaster2k at yahoo.com>
 MOTD: I just like _pumping_ the daylights out of a
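
The file-permission concern raised in the quoted question, as an added
example that is not part of the original thread: a shell audit that lists
files any local account can read, then removes "other" access, which is
only workable when scripts run under the owner's UID/GID as with suEXEC.
All paths, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample tree and names are constructed, not from the post.

# Print regular files under DIR that have the "other" read bit set.
list_world_readable() {
    find "$1" -type f -perm -004 -print | sort
}

# Number of such files.
count_world_readable() {
    list_world_readable "$1" | wc -l | tr -d ' '
}

# Drop all "other" access below DIR. The owner keeps access, so CGI
# programs started under the owner's UID/GID still work afterwards.
lock_down() {
    chmod -R o-rwx "$1"
}

# Build a constructed home tree the way a server running as
# nobody/nogroup needs it: web files readable by everyone.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/ed/public_html"
    printf '<?php $db_pass = "constructed-sample"; ?>\n' \
        > "$root/ed/public_html/config.php"
    printf '<html></html>\n' > "$root/ed/public_html/index.html"
    printf 'private\n' > "$root/ed/notes.txt"
    chmod 755 "$root/ed" "$root/ed/public_html"
    chmod 644 "$root/ed/public_html/config.php" \
              "$root/ed/public_html/index.html"
    chmod 600 "$root/ed/notes.txt"
    printf '%s\n' "$root"
}

sample=$(make_sample)
echo "world-readable before: $(count_world_readable "$sample")"
list_world_readable "$sample"
lock_down "$sample/ed"
echo "world-readable after:  $(count_world_readable "$sample")"
rm -rf "$sample"
```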


More information about the Ukfreebsd mailing list