Posted to users@httpd.apache.org by Mickaël CANÉVET <ca...@embl.fr> on 2012/02/28 09:32:42 UTC

[users@httpd] Fork as 'REMOTE_USER' instead of 'User'

Hi,

I'd like to know if there is a way to tell apache httpd to fork as
'REMOTE_USER' instead of 'User' variable defined in httpd.conf.

The idea is to export a filesystem through HTTP (Dav), and instead of
giving apache's user read/write access on the files and play
with .htaccess for each folder, let apache fork as the authenticated
user so that I can use POSIX rights to give access.

Thanks in advance for your answers.
Mickaël

Re: [users@httpd] Fork as 'REMOTE_USER' instead of 'User'

Posted by Mickaël CANÉVET <ca...@embl.fr>.
Thanks a lot for pointing this page out to me. I do understand now why this
doesn't exist by default.

Wouldn't it be possible to modify mpm-itk a bit to fork as the connected
user instead of statically defined users?

On Tue, 2012-02-28 at 08:32 -0500, Mark Montague wrote:
> On February 28, 2012 3:32, Mickaël CANÉVET <ca...@embl.fr> wrote:
> > I'd like to know if there is a way to tell apache httpd to fork as
> > 'REMOTE_USER' instead of 'User' variable defined in httpd.conf.
> >
> > The idea is to export a filesystem through HTTP (Dav), and instead of
> > giving apache's user read/write access on the files and play
> > with .htaccess for each folder, let apache fork as the authenticated
> > user so that I can use POSIX rights to give access.
> 
> 
> What you're talking about is called "Privilege separation".  Please see 
> the wiki page on the subject, which goes into the topic in detail and 
> discusses the difficulties and various potential solutions:
> 
> https://wiki.apache.org/httpd/PrivilegeSeparation
> 
> 
> --
>    Mark Montague
>    mark@catseye.org
> 


Re: [users@httpd] Fork as 'REMOTE_USER' instead of 'User'

Posted by Mark Montague <ma...@catseye.org>.
On February 28, 2012 3:32, Mickaël CANÉVET <ca...@embl.fr> wrote:
> I'd like to know if there is a way to tell apache httpd to fork as
> 'REMOTE_USER' instead of 'User' variable defined in httpd.conf.
>
> The idea is to export a filesystem through HTTP (Dav), and instead of
> giving apache's user read/write access on the files and play
> with .htaccess for each folder, let apache fork as the authenticated
> user so that I can use POSIX rights to give access.


What you're talking about is called "Privilege separation".  Please see 
the wiki page on the subject, which goes into the topic in detail and 
discusses the difficulties and various potential solutions:

https://wiki.apache.org/httpd/PrivilegeSeparation


--
   Mark Montague
   mark@catseye.org
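
The fork-then-drop idea from the original question, sketched as an added example (not code from this thread, from httpd, or from mpm-itk): a child is forked per request and permanently switches to the already-authenticated user before touching any file, so POSIX permissions decide access. The names `uid_allowed`, `drop_to_user`, `serve_as`, `sample_handler` and the `MIN_UID` threshold are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE            /* for initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MIN_UID 1000  /* assumption: lower UIDs are system accounts */

/* Policy: never serve a request as root or as a system account. */
int uid_allowed(uid_t uid, gid_t gid) {
    return uid >= MIN_UID && gid != 0;
}

/* Permanently become `name`; 0 on success, -1 on any failure.
 * Groups and gid must be changed first, while the process is still root. */
int drop_to_user(const char *name) {
    struct passwd *pw = getpwnam(name);
    if (pw == NULL || !uid_allowed(pw->pw_uid, pw->pw_gid)) return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (setuid(0) == 0 || getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
        return -1;
    return 0;
}

/* Run `handler` in a child that executes as the authenticated user.
 * Returns the child's exit status, or -1 if fork/wait failed. */
int serve_as(const char *remote_user, int (*handler)(void)) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Fail closed: without a successful drop, do no work at all. */
        if (drop_to_user(remote_user) != 0) _exit(77);
        _exit(handler() & 0xff);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Constructed stand-in for the real request handler (e.g. a DAV write). */
int sample_handler(void) { return 0; }

int main(int argc, char **argv) {
    return serve_as(argc > 1 ? argv[1] : "nobody", sample_handler);
}
```

setuid() to an arbitrary account only succeeds if the parent is still root (or holds CAP_SETUID) when it forks, so everything that runs before the drop, including request parsing and authentication, runs with that privilege.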
