You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Byron Stanoszek <ga...@winds.org> on 2000/02/18 19:39:40 UTC
config/5777: User,Group keywords in directive does not change file access perms
>Number: 5777
>Category: config
>Synopsis: User,Group keywords in <VirtualHost> directive does not change file access perms
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Fri Feb 18 10:40:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: gandalf@winds.org
>Release: 1.3.11
>Organization:
apache
>Environment:
RH Linux 6.1, Kernel 2.2.14, GCC 2.9.5
>Description:
There is no way to lock down the read access to files located in a Virtual Host
Document tree, apart from the userid apache is running as. Currently, the only
means of having a Virtual Host run as a different user is through the User
command in the <VirtualHost> group. However, this does not seem to work, as the
Suexec program only switches userid when executing CGI's or SSI's.
For example, I would like Apache to be able to do the following:
Run document root website as user 'www'.
Run several different virtual hosts as user 'www'.
Run a secure webserver (different vhost & DocumentRoot) as user 'secureweb'.
DocumentRoot of the secure webserver is set to /usr/local/secureweb.
I would like to be able to chown this directory to the uid 'secureweb' and
set the chmod to 700 and still be read by Apache because the <VirtualHost>
directive has the command 'User secureweb' in it.
Right now, I get access denied messages because user 'www' has no access to
the tree /usr/local/secureweb.
Thanks for reading this report.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <ap...@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or ]
["Re: general/1098:"). If the subject doesn't match this ]
[pattern, your message will be misfiled and ignored. The ]
["apbugs" address is not added to the Cc line of messages from ]
[the database automatically because of the potential for mail ]
[loops. If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request from a ]
[developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]