Virtual hosting users may want to write to their directories, I think.
Recently I stumbled with making up a relatively secure Apache virtual
hosting installation. This is my solution to this moment:
1) users are Unix users at my server, they have FTP locked up in their
home directories (ProFTPd has this option)
2) Apache httpd service runs with apache uid/gid. apache is member of
each user's personal group, so the website is functioning
3) for scripts like PHP to write in user directories, I use suphp module
(www.suphp.org) that runs php scripts with their owner's rights. So even
if users know about other logins, they cannot just
fopen("/home/otheruser/index.php", "r") to read something, because their
script doesn't have the right.
4) for CGI scripts (Perl and other stuff), one can use suexec (one of my
recent topics here), but I don't have CGI that write in directories, so
I don't care.
If anyone has a better solution, please write. I would be glad to know.
Timothy
Harry Hoffman wrote:
why does apache need to write to the vhost dirs?
Eric Wagar wrote:
> I have an Apache web server with a few virtual hosts. The ftp is
> handled by proftpd, and I have multiple users defined. These users
> have their own uid and gid. The problem comes when Apache is uid
> apache and needs to write to the said directory.
>
> I am wondering what other people have done to deal with this. Do
> people just set all the ftp users uid/gid to the same as the Apache
> uid/gid on the system? Obviously this would be an ok solution
> because apache uid/gid != root.
>
> What are the other ways you guys have dealt with this?
>
> Thanks
> eric
>
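
A permission audit for the four-step setup in the reply above, as an added example that is not part of the original thread. It assumes a hypothetical layout in which each site lives in BASE/<user>, owned by that user, with the user's personal group (the one apache was added to) as its group; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Assumed layout (hypothetical): BASE/<user> is owned by <user>, its group is
# <user>'s personal group, and the apache account is a member of that group.

# Paths that grant any access to "other". Another customer's suPHP script runs
# with that customer's uid and is not in this group, so the "other" bits are
# exactly the access it gets.
audit_other_access() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Paths that are group-writable. The group contains the apache account, so
# group write lets the httpd process itself change site content.
audit_group_write() {
    find "$1" ! -type l -perm -020 -print
}

# Constructed sample tree: "alice" is set up as intended, "bob" has mistakes.
make_sample_tree() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/alice/htdocs" "$base/bob/htdocs"
    echo '<?php ?>' > "$base/alice/htdocs/index.php"
    echo '<?php ?>' > "$base/bob/htdocs/index.php"
    echo '<?php ?>' > "$base/bob/htdocs/config.php"
    chmod 750 "$base/alice" "$base/alice/htdocs" "$base/bob" "$base/bob/htdocs"
    chmod 640 "$base/alice/htdocs/index.php"
    chmod 644 "$base/bob/htdocs/index.php"    # readable by every local user
    chmod 660 "$base/bob/htdocs/config.php"   # writable by the apache account
    echo "$base"
}

# Demo run over the constructed tree.
tree=$(make_sample_tree)
echo "Readable by other users:"
audit_other_access "$tree/bob"
echo "Writable through group membership:"
audit_group_write "$tree/bob"
rm -rf "$tree"
```

Both functions print nothing for a correctly set up site, so they can be run from cron against the real home directory base and any output treated as a finding.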