Posted to users@httpd.apache.org by Sven Karlsson <ka...@gmail.com> on 2005/11/11 23:22:48 UTC

[users@httpd] suexec and shared binaries

Hello,

I'm setting up a hosting site with virtual domains, and to increase security
I intend to run suexec'd php and cgi's.

I'd also like to keep redundancy to a minimum; i.e. only one copy of php in
/usr/lib/cgi-bin. If I need to upgrade php, I'd like to do it in one place,
not messing with users' cgi-bin directories.

Now, suexec requires that both the cgi (in this case php) and its directory
are owned by the vhost owner/uid, otherwise it refuses to execute.

So my question is, is there some way of having a "shared" cgi-bin where
suexec does not care about the file owner, or perhaps accepts one uid (a
"sharedcgi" user) as owner?

Of course, the source can be modified, but the documentation strongly
advises against this... so if there is some other solution, I'm all ears!

Thanks,
Sven

Re: [users@httpd] suexec and shared binaries

Posted by Joshua Slive <js...@gmail.com>.
On 11/11/05, Sven Karlsson <ka...@gmail.com> wrote:
> Hello,
>
> I'm setting up a hosting site with virtual domains, and to increase security
> I intend to run suexec'd php and cgi's.
>
> I'd also like to keep redundancy to a minimum; i.e. only one copy of php in
> /usr/lib/cgi-bin. If I need to upgrade php, I'd like to do it in one
> place, not messing with users' cgi-bin directories.
>
> Now, suexec requires that both the cgi (in this case php) and its directory
> are owned by the vhost owner/uid, otherwise it refuses to execute.
>
> So my question is, is there some way of having a "shared" cgi-bin where
> suexec does not care about the file owner, or perhaps accepts one uid (a
> "sharedcgi" user) as owner?
>
> Of course, the source can be modified, but the documentation strongly
> advises against this... so if there is some other solution, I'm all ears!

You may want to look into cgiwrap, which has a different set of
security rules.  suexec will not allow what you want.

Joshua.
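
The ownership rule discussed in this thread, as an added example that is not part of either message and is not Apache's code: a preflight check that reports why suexec would refuse a CGI for a given vhost uid/gid. The function name `suexec_preflight` is hypothetical, and the checks are a subset of suexec's documented security model (ownership, group/other write bits, setuid/setgid, symlinks), not a substitute for it.

```python
import os
import stat


def suexec_preflight(cgi_path, uid, gid):
    """Return the reasons suexec would refuse cgi_path for uid/gid (empty = ok).

    Hypothetical helper: mirrors only the file and directory checks from
    suexec's documented security model, not the docroot or caller checks.
    """
    directory = os.path.dirname(os.path.abspath(cgi_path))
    try:
        d = os.lstat(directory)
        p = os.lstat(cgi_path)  # lstat: suexec refuses symlinked programs
    except OSError as exc:
        return [f"cannot stat: {exc}"]

    problems = []
    if not stat.S_ISDIR(d.st_mode):
        problems.append("parent is not a directory")
    if stat.S_ISLNK(p.st_mode):
        problems.append("program is a symlink")

    # The rule from the thread: program AND directory must both be owned by
    # the target user and group, so a root-owned /usr/lib/cgi-bin binary
    # fails for every vhost user.
    if (d.st_uid, d.st_gid) != (uid, gid):
        problems.append("directory not owned by target uid/gid")
    if (p.st_uid, p.st_gid) != (uid, gid):
        problems.append("program not owned by target uid/gid")

    # Nobody other than the owner may be able to modify either one.
    others_write = stat.S_IWGRP | stat.S_IWOTH
    if d.st_mode & others_write:
        problems.append("directory writable by group/other")
    if p.st_mode & others_write:
        problems.append("program writable by group/other")

    # Privilege-changing bits and missing execute permission are rejected.
    if p.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("program is setuid/setgid")
    if not p.st_mode & stat.S_IXUSR:
        problems.append("program not executable by owner")
    return problems


if __name__ == "__main__":
    # Constructed example path and ids; substitute the vhost's own values.
    for reason in suexec_preflight("/usr/lib/cgi-bin/php", 1001, 1001):
        print("suexec would refuse:", reason)
```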
