Posted to dev@httpd.apache.org by Igor Seletskiy <is...@cloudlinux.com> on 2012/05/16 01:03:22 UTC

SuexecUserGroup inside Directory context

Is there any security (or technical) reason for not allowing
SuexecUserGroup to be defined inside <Directory> context?
Judging by the code -- it should be trivial to implement, but I wanted to
check if there are any pitfalls/reasons for not doing so.

The use case where it is needed:
Shared hosting, each virtual host runs as a particular user.
Yet, there is a single installation of roundcube, phpmysql, etc, per server.
Access to them is defined via Alias, like this:

Alias /phpmyadmin "/var/www/html/phpMyAdmin/"
Alias /squirrelmail "/var/www/html/squirrelmail/"
Alias /roundcube "/var/www/html/roundcube/"


That way the customer can access the webapp using:
http://customerdomain.com/roundcube
The application runs as the user (due to SuexecUserGroup in VirtualHost for
the customer). So, the php files for that application have to be readable by
that user.
Yet, they might contain some sensitive information that the end user shouldn't
know - like mysql login/password.

If we could define something like:
<Directory /var/www/html/roundcube/>
  SuexecUserGroup roundcubeuser roundcubegroup
  ....
</Directory>

It would solve the security issue.





Regards,
Igor Seletskiy
CEO @ Cloud Linux Inc
http://www.cloudlinux.com
Phone: 609-785-1322
Skype: iseletsk
GTalk: iseletsk@gmail.com
Follow me on http://twitter.com/iseletsk for CloudLinux technical updates
https://helpdesk.cloudlinux.com -- 24/7 Free, exceptionally good support
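
An added example, not part of the original post: a Python check that lists which files under a shared webapp directory a given customer account could open for reading, the exposure the post describes when the aliased application runs as the customer. The tree, file names, modes and customer uid are constructed; ACLs, root, and directories above the audited root are not modelled.

```python
import os
import stat
import tempfile


def allowed(st, uid, gids, want):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    if uid == st.st_uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & want)


def readable_files(root, uid, gids):
    """Relative paths of regular files under root that uid/gids can read."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # A known path needs only search (x) permission on each directory.
        if not allowed(os.stat(dirpath), uid, gids, 1):
            dirnames[:] = []  # identity cannot enter: skip the subtree
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and allowed(st, uid, gids, 4):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def demo():
    """Constructed tree standing in for a shared webapp directory."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "config")
        os.mkdir(cfg)
        for d in (root, cfg):
            os.chmod(d, 0o755)
        samples = (("index.php", 0o644), ("config/db.php", 0o644),
                   ("config/private.key", 0o600))
        for rel, mode in samples:
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        # Hypothetical customer account: neither the owner nor in the group.
        customer_uid = os.stat(root).st_uid + 1
        return readable_files(root, customer_uid, set())


if __name__ == "__main__":
    print(demo())
```

Run against a real tree, every path returned for a customer's uid and groups is a file that customer's scripts can read; a database config file in that list is the case the post is asking about.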