Posted to users@httpd.apache.org by Martijn de Munnik <ma...@youngguns.nl> on 2008/03/21 12:21:54 UTC

[users@httpd] ZFS ACL and apache suexec

Hi,

I'm trying to get my apache webserver as secure as possible. The  
server is used for multiple virtual hosts and I want to isolate each  
vhost host. I used this document as a guide

http://snippets.dzone.com/posts/show/81

everything works fine. Each vhost is under a separate unix user/group  
and apache is running as nobody/nobody. The user nobody is also in all  
the usergroups but Solaris has a limit of 32 additional groups a user  
can be in. So there's my problem. I thought the solution would be ZFS  
ACLs and tried that. The user nobody can navigate in the public_html  
directory of the vhost (nobody is not in the usergroup anymore) and  
apache shows HTML files. But when I want to show php files something  
goes wrong:

Forbidden
You don't have permission to access /php-fastcgi/php5-cgi/index.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

Nothing shows up in the logs. When I run a php script on a vhost which  
is configured the old way (nobody is in the usergroup) I get lines  
like these:

[Fri Feb 29 08:03:57 2008] [warn] FastCGI: (dynamic) server "/opt/csw/apache2/share/htdocs/suexec/xxxxxxx.nl/php5-cgi" (uid 10003, gid 10001) started (pid 8253)

All the config files and scripts are the same so the problem should be  
file permissions I guess, any ideas?

thanks,

Martijn de Munnik


