From: George Dinwiddie <gdinwiddieat_private> > I am renting server space on a shared machine which runs my site, and > others, as virtual domains on a single instance of Apache. CGI programs > run under the uid 'nobody', as does the server itself. This means that > if I want to provide write access to a data file, I must allow world > write access to that file. It also means that if my CGI program > creates a data file, that file is owned by 'nobody' and I do not have > full privileges over my own data. Since the box has multiple > legitimate users, all users of the box have just as much access to > my data as I do. I agree that this is a problem. If I were trying to provide a service of this kind I'd want to use something similar to suexec to switch to a different UID for each virtual host; and none of them would be "nobody". Each customer would have 2 accounts too - one used in suexec and one with which to prepare web pages etc. Never having configured a virtual host webserver I can't comment reliably on how hard that would be to do but provided wrapper programs can be told the virtual host involved I think the rest should present no problem to many people on this list. That it would unsettle some ISPs doesn't surprise me. > I've asked the owner of the server to enable the suEXEC feature of > Apache. The response I've gotten is that this is a security > vulnerability. They're entitled to take that view and risk losing your business. Can you interest them in running another apache somewhere just for you ? -- ############################################################## # Antonomasia ant notatla.demon.co.uk # # See http://www.notatla.demon.co.uk/ # ##############################################################
This archive was generated by hypermail 2b30 : Fri May 24 2002 - 08:59:33 PDT