Posted to modperl@perl.apache.org by Admin Mailing Lists <ml...@intergrafix.net> on 2000/02/22 15:55:38 UTC

new Apache::ASP user

I couldn't find a specific mailing list for Apache::ASP so I'm posting
here. I just set mod_perl (1.21) and Apache::ASP up on my hosting server
(linux, apache 1.3.9+1.3.7 SSL patch+mod_frontpage patch)
We're an ISP and I'm wondering what's the best (easiest,securest) way to
set this up for domains we host. Each domain has their own document root
and httpd.conf file. Configuration directives and docroot file/directory
configs would be appreciated.

Thanx,

-Tony
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco                       Network Administrator/Engineer
admin@intergrafix.net                    Intergrafix Internet Services

    "Dream as if you'll live forever, live as if you'll die today"
http://cygnus.ncohafmuta.com                http://www.intergrafix.net
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.


Re: new Apache::ASP user

Posted by Joshua Chamas <jo...@chamas.com>.
Admin Mailing Lists wrote:
> 
> Each domain runs with their own httpsd processes.
> Their files are chowned to ftpuser.group
> where ftpuser is a member in group
> and another user, virtualuser, is a member of group.
> and the apache server runs as user virtualuser, group virtualuser
> Example..
> Domain: testweb.com
> Group: test-w
> FTPuser: testuser (member of test-w)
> Virtual user: test-w (member of test-w)
> Apache config:  User test-w
>                 Group test-w
> doc files chowned to testuser.test-w (and ideally chmoded to 640,750)
> 
> So can I set state dir to a directory chowned to testuser.test-w with
> permissions of 770? I assume this should be outside the web docroot
> for the domain too?
> 

StateDir is by default 750, and since your ftpuser should
not need access to state files, this should be adequate.
If you do need to modify this behavior, you can change the 
permissions in Apache::ASP by just finding the 0750 and 
0640 entries ... this has come up a few times recently,
should these be user configuration directives ?

Is there any reason why your FTPuser & www user are different?
This seems to make things harder than they have to be.
You will run into other related problems when the web server
creates files with 0640, but the ftp user wants write
access to them.

-- Joshua
_________________________________________________________________
Joshua Chamas			        Chamas Enterprises Inc.
NodeWorks >> free web link monitoring	Huntington Beach, CA  USA 
http://www.nodeworks.com                1-714-625-4051

Re: new Apache::ASP user

Posted by Admin Mailing Lists <ml...@intergrafix.net>.
Each domain runs with their own httpsd processes.
Their files are chowned to ftpuser.group
where ftpuser is a member in group
and another user, virtualuser, is a member of group.
and the apache server runs as user virtualuser, group virtualuser
Example..
Domain: testweb.com
Group: test-w
FTPuser: testuser (member of test-w)
Virtual user: test-w (member of test-w)
Apache config:	User test-w
		Group test-w
doc files chowned to testuser.test-w (and ideally chmoded to 640,750)

So can I set state dir to a directory chowned to testuser.test-w with
permissions of 770? I assume this should be outside the web docroot
for the domain too?

-Tony
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco                       Network Administrator/Engineer
admin@intergrafix.net                    Intergrafix Internet Services

    "Dream as if you'll live forever, live as if you'll die today"
http://cygnus.ncohafmuta.com                http://www.intergrafix.net
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.

On Tue, 22 Feb 2000, Joshua Chamas wrote:

> Admin Mailing Lists wrote:
> > 
> > I couldn't find a specific mailing list for Apache::ASP so I'm posting
> > here. I just set mod_perl (1.21) and Apache::ASP up on my hosting server
> > (linux, apache 1.3.9+1.3.7 SSL patch+mod_frontpage patch)
> > We're an ISP and I'm wondering what's the best (easiest,securest) way to
> > set this up for domains we host. Each domain has their own document root
> > and httpd.conf file. Configuration directives and docroot file/directory
> > configs would be appreciated.
> > 
> 
> The secure setup will depend on whether you allow your customers
> to publish their own code, or if you write it for them.  If
> you write it for them, no big deal, just set StateDir to a 
> separate location for each VirtualHost.
> 
> The big problem is when your clients are publishing their
> own code ... because mod_perl is a persistent perl interpreter,
> and will run under the same apache web server, your clients 
> would have access to each other's data if all run under the
> same server.  
> 
> Though I have not implemented this solution myself, the best way 
> seems to be to run a separate web server on a higher port for each 
> user that needs mod_perl under their user name.  Then have a web 
> server proxy requests for that VirtualHost to the user web server 
> on the backend. This solution will place a significant drain on 
> your hardware RAM, but you only need to run a few processes on 
> the back end, if you have a proxy on the front.  
> 
> This solution is not specific to Apache::ASP, as this is a 
> general mod_perl problem.  Anyone else have other mod_perl ISP
> solutions ?
> 
> If you don't really need mod_perl's speed for your customers,
> there is the possibility of getting Apache::ASP to run as
> a CGI program, but this will be a pretty slow option.  Security
> will then fall back into the general CGI domain, like suexec.
> 
> -- Joshua
> _________________________________________________________________
> Joshua Chamas			        Chamas Enterprises Inc.
> NodeWorks >> free web link monitoring	Huntington Beach, CA  USA 
> http://www.nodeworks.com                1-714-625-4051
> 


Re: new Apache::ASP user

Posted by Joshua Chamas <jo...@chamas.com>.
Admin Mailing Lists wrote:
> 
> I couldn't find a specific mailing list for Apache::ASP so I'm posting
> here. I just set mod_perl (1.21) and Apache::ASP up on my hosting server
> (linux, apache 1.3.9+1.3.7 SSL patch+mod_frontpage patch)
> We're an ISP and I'm wondering what's the best (easiest,securest) way to
> set this up for domains we host. Each domain has their own document root
> and httpd.conf file. Configuration directives and docroot file/directory
> configs would be appreciated.
> 

The secure setup will depend on whether you allow your customers
to publish their own code, or if you write it for them.  If
you write it for them, no big deal, just set StateDir to a 
separate location for each VirtualHost.

The big problem is when your clients are publishing their
own code ... because mod_perl is a persistent perl interpreter,
and will run under the same apache web server, your clients 
would have access to each other's data if all run under the
same server.  

Though I have not implemented this solution myself, the best way 
seems to be to run a separate web server on a higher port for each 
user that needs mod_perl under their user name.  Then have a web 
server proxy requests for that VirtualHost to the user web server 
on the backend. This solution will place a significant drain on 
your hardware RAM, but you only need to run a few processes on 
the back end, if you have a proxy on the front.  

This solution is not specific to Apache::ASP, as this is a 
general mod_perl problem.  Anyone else have other mod_perl ISP
solutions ?

If you don't really need mod_perl's speed for your customers,
there is the possibility of getting Apache::ASP to run as
a CGI program, but this will be a pretty slow option.  Security
will then fall back into the general CGI domain, like suexec.

-- Joshua
_________________________________________________________________
Joshua Chamas			        Chamas Enterprises Inc.
NodeWorks >> free web link monitoring	Huntington Beach, CA  USA 
http://www.nodeworks.com                1-714-625-4051
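
The layout discussed in this thread (a shared front-end proxy, one mod_perl back end per customer on a high port, and a StateDir kept outside the docroot), sketched as an added example that is not part of the original messages and not configuration from either poster. The domain and the User/Group names come from the thread; the address 192.0.2.10, port 8001 and every path under /home/testweb are assumptions made for illustration.

```apache
# ---- Front-end httpd.conf (shared server, no mod_perl, needs mod_proxy) ----
# 192.0.2.10 is a constructed example address.
NameVirtualHost 192.0.2.10

<VirtualHost 192.0.2.10>
    ServerName www.testweb.com
    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPass        / http://127.0.0.1:8001/
    ProxyPassReverse / http://127.0.0.1:8001/
</VirtualHost>

# ---- Back-end httpd.conf for testweb.com (mod_perl + Apache::ASP) ----
# One such server per customer, so each persistent Perl interpreter
# runs with that customer's uid/gid only.
# Bind to loopback so the back end is reachable only through the proxy.
# Port 8001 is an assumed per-customer port.
Listen 127.0.0.1:8001

# User/Group as in the thread's example. These directives take effect
# only when the server is started as root.
User  test-w
Group test-w

ServerName   www.testweb.com
DocumentRoot /home/testweb/htdocs

# Few children are needed behind a proxy; this limits the RAM cost.
StartServers    2
MinSpareServers 1
MaxSpareServers 2
MaxClients      5

<Files ~ "\.asp$">
    SetHandler  perl-script
    PerlHandler Apache::ASP
    PerlSetVar  Global   /home/testweb/asp-global
    # State files live outside DocumentRoot, so they are never served.
    # Apache::ASP creates this directory 0750 and its files 0640.
    PerlSetVar  StateDir /home/testweb/asp-state
</Files>
```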