Posted to dev@httpd.apache.org by Colm MacCarthaigh <co...@stdlib.net> on 2003/09/01 02:33:01 UTC

[Patch] Allow SuexecUserGroup in

Patch attached arose in two parts; originally it was a trivial patch
to allow SuexecUserGroup directives in <directory> blocks, because
a few people needed it, not least a large client ;) It effectively
means it's possible to execute different parts of a [virtual] host
as different users. 

The problem then of course is what to do about disabling this
for sub-directories, and the question of letting the site admin
over-ride suexec generally (like mod_userdir) ... which led
to extending the hook itself. This arose pretty much as the
result of PR9038 (see the text). 

The change to the hook (allow a module to defer to the next one,
or kill the ugid lookup there and then) makes the get_identity
hook more useful to modules in general. 

If I can get a non-I'm-crazy response, I'm contemplating a patch to 
mod_rewrite to allow setting the suexec user/group, this will solve 
some very complicated mapping problems we're having on a > 2000 user 
system (using suexec for each, right now we have to symlink everyone's 
public_html from an NFS /home, uggh).

This (mod_rewrite stuff) would also help solve the mass vhosting 
suexec problems somewhat, or at least make it a lot easier.

Back to this patch though, things this patch allows;

<VirtualHost foo>
SuexecUserGroup  vuser vgroup
DocumentRoot /www/foo/
...

<Directory /www/foo/bar>
SuexecUserGroup baruser bargroup
</Directory>

<Directory /www/foo/system>
SuexecUserGroup none
</Directory>
</VirtualHost>

Can also do things like;

Userdir public_html

<Directory /home/colmmacc/public_html>
SuexecUserGroup none
</Directory>

Basically allow the site admin full control over where runs as who.
This would also close the ancient PR2760 (from the old bugdb), and
also in the STATUS file that can be removed anyway; 

  921 , suexec now checks cwd first, and has a dedicated logfile
  1120, this is covered by the patch proposed by me much much
        further up the STATUS
  1905, this has been possible since 2.0
  2360, this is basically the perchild mpm

I suspect 2573 and 1268 can be removed, but can't find the bug text.

Now, back to PR1120. Is anyone interested to see "#exec cmd" working
for suexec ? I may clean up the 15-month old dodgy-patch of mine 
properly.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net
colm@stdlib.net					  http://www.stdlib.net/
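
A small model of the lookup described in the message above, added here as an illustration; it is not code from the patch or from httpd. The three-way result type, the function names and the longest-directory-wins rule are assumptions, and the table is constructed from the message's own <VirtualHost> example.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical three-way hook result; not httpd's real hook signature. */
typedef enum { ID_DEFER, ID_SET, ID_NONE } id_result;
typedef struct { const char *user, *group; } identity;
typedef id_result (*id_hook)(const char *path, identity *out);

/* Constructed table mirroring the <Directory> blocks in the message. */
static const struct { const char *dir, *user, *group; } dirs[] = {
    { "/www/foo/bar/",    "baruser", "bargroup" },
    { "/www/foo/system/", NULL,      NULL },   /* SuexecUserGroup none */
};

/* Per-directory hook: longest matching directory wins (assumed merge order). */
static id_result dir_hook(const char *path, identity *out) {
    size_t best = 0; int hit = -1;
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        size_t n = strlen(dirs[i].dir);  /* trailing '/' keeps /www/foo/barn out */
        if (n > best && strncmp(path, dirs[i].dir, n) == 0) { best = n; hit = (int)i; }
    }
    if (hit < 0) return ID_DEFER;            /* no opinion: ask the next hook */
    if (!dirs[hit].user) return ID_NONE;     /* "none": end the lookup here */
    out->user = dirs[hit].user; out->group = dirs[hit].group;
    return ID_SET;
}

/* Virtual-host hook: fallback identity for the whole vhost. */
static id_result vhost_hook(const char *path, identity *out) {
    (void)path;
    out->user = "vuser"; out->group = "vgroup";
    return ID_SET;
}

/* Walk the chain; returns 1 and fills *out when the request should use suexec. */
int resolve_identity(const char *path, identity *out) {
    static const id_hook chain[] = { dir_hook, vhost_hook };
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        id_result r = chain[i](path, out);
        if (r != ID_DEFER) return r == ID_SET;  /* ID_NONE skips later hooks */
    }
    return 0;  /* every hook deferred: run without suexec */
}

int main(void) {
    const char *p[] = { "/www/foo/a.cgi", "/www/foo/bar/b.cgi", "/www/foo/system/c.cgi" };
    for (int i = 0; i < 3; i++) {
        identity id = { "", "" };
        printf("%s -> %s\n", p[i], resolve_identity(p[i], &id) ? id.user : "no suexec");
    }
    return 0;
}
```

The point to check in any real configuration is the middle outcome: a "none" result has to stop the chain, otherwise the vhost-level identity silently applies to a directory the admin meant to exclude.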