Posted to users@httpd.apache.org by Gary Wilson <gw...@plus.net> on 2005/03/11 10:27:15 UTC

[users@httpd] suexec in a mod_rewrite setup

Greetings list members!

I hope you can help me with understanding more about what can be done 
with suexec in a rewritten world.  Let me explain - I have a platform 
geared to mass hosting for CGI scripts.  I do not use virtualhosts, and 
instead use the rewrite engine and map files to do on the fly location 
of customer sites (all sites have the form cgi.USER.domain), so with 
map lookups on the incoming request, cgi.user1.domain automatically 
gets mapped to /files/www/home1/user1/htdocs (for example).  This 
has worked fine for years.

However, we now wish to tighten up on security and move away from all 
users belonging to the same group (which the web server also belongs 
to), and we would like all users' (perl/php/shell etc) scripts to be
executed as themselves so user data is better protected - for this I'd
like to use suexec, but the problem I have is that suexec relies on the 
Suexecusergroup directive within a virtual host to work (we don't use 
userdirs).

Someone suggested to me that this isn't a problem because you can do
variable substitution to directives in the configuration file, so 
you can essentially do: Suexecusergroup $user $group instead.  Whilst 
I have never heard of this functionality, nor seen it, I decided to be 
open-minded (he cited someone else has done this elsewhere), and did 
some research, but I can't find any references to these techniques.

Have I been given a bum steer here?

If I have, what suggestions do the group have to allow mass hosting
using suexec (other than having to maintain many thousands of 
virtualhost entries in httpd.conf)?  If suexec isn't practical, 
what other options are there to allow me to have users' scripts run 
as themselves?

Thank you for your time and consideration :)

Gary Wilson



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] suexec in a mod_rewrite setup

Posted by Noah <si...@onastick.net>.
On Fri, Mar 11, 2005 at 08:54:43AM -0500, Joshua Slive wrote:
> On Fri, 11 Mar 2005 09:27:15 +0000, Gary Wilson <gw...@plus.net> wrote:
> 
> > Someone suggested to me that this isn't a problem because you can do
> > variable substitution to directives in the configuration file, 
> 
> > Have I been given a bum steer here?
> 
> Yes.  That's complete garbage.

No argument, but for the record, the person who was pointing you towards
the variable substitution functionality was likely thinking of mod_macro
(useful in many situations, just not this one):
http://www.coelho.net/mod_macro/

--n

-- 
<huey> dd of=/dev/fd0 if=/dev/flippy bs=1024
<huey> ^^^ Making Flippy Floppy




Re: [users@httpd] suexec in a mod_rewrite setup

Posted by Joshua Slive <js...@gmail.com>.
On Fri, 11 Mar 2005 09:27:15 +0000, Gary Wilson <gw...@plus.net> wrote:

> However, we now wish to tighten up on security and move away from all
> users belonging to the same group (which the web server also belongs
> to), and we would like all users' (perl/php/shell etc) scripts to be
> executed as themselves so user data is better protected - for this I'd
> like to use suexec, but the problem I have is that suexec relies on the
> Suexecusergroup directive within a virtual host to work (we don't use
> userdirs).
> 
> Someone suggested to me that this isn't a problem because you can do
> variable substitution to directives in the configuration file, 

> Have I been given a bum steer here?

Yes.  That's complete garbage.

suexec is not designed for the task you are talking about.  You should
look into CGIwrap, which is a little more flexible:
http://cgiwrap.unixtools.org/

Joshua.
