Posted to users@httpd.apache.org by Christian Walther <cp...@web.de> on 2002/08/07 10:58:41 UTC

Apache to honour group set?

Hi,

in a normal environment Apache is running as a specific, most of the time dedicated user, having a special group ID, too.  As useful as this feature normally is for security reasons, it drives me into some problems:
I'm currently developing a cgi-bin to display/browse data contained in a repository. The data stored in there is generated by different projects. Access control for these projects is done by group settings on file system level. Target platforms for this software are AIX 4.3.3 and Sparc/Solaris 8.
The problem is that Apache of course accepts only one group, the one stated in httpd.conf (and, for some reason, "stuff", at least according to the output of `id` when called from within a CGI-bin). But since I need to access directories/files that have other group ids set, this isn't of any use.
I checked the Apache manual and FAQ for a directive/compile option to remove this; a Google search revealed nothing of use either.

I thought about using "sudo", but this is not a good solution because, for some reasons, different departments are responsible for the administration of the tools. "sudo" is said to be a system related tool, therefore sudo administration is not done by my department. But the configuration of the software depends on the configuration of the repository and the location where the software is used (e.g. number of groups, group names, GIDs, group members etc.). Additionally the configuration can change every day, for example when a new project is invented, using a new group. The administration process would be far too difficult.
Including sudo into the software isn't a possibility since this would be said to be a security risk for the rest of the system (since the department normally doing sudo-administration has no control over its configuration).

Using suexec isn't a good choice either, because - as I understood the manual - the UID/GID a cgi-bin will be executed as needs to be set on file system level. This would mean that I need to create a copy for each group used for the repository, thus creating a huge overhead.

My favorite option would be to remove Apache's limitation, so that it honours the group set given by the system. In this case I could switch the group within a cgi-bin without any problem. So my question is if anybody has any experience with this and knows some places I should take a look at?
BTW: Security in this environment is no problem, because the user the Apache is running as has only read-only permissions on the entire repository and the repository is of course not contained within the Document-Root.

Regards
Christian Walther



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
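Added example, not part of either message in this thread: a small Python diagnostic for the situation described above, showing which permission class (owner, group or other) a CGI process falls into for a repository path given only the group from httpd.conf versus an extra supplementary group. The UIDs, GIDs, modes and project names are constructed sample values, and ACLs and root's override are ignored.

```python
import os
import stat

def read_class(st_mode, st_uid, st_gid, euid, egid, groups):
    """Return (class, allowed) under the classic POSIX owner/group/other check.

    Exactly one class applies: owner if the UIDs match, else group if the
    file's GID is the effective GID or a supplementary group, else other.
    Assumption of this sketch: no ACLs, and the caller is not root.
    """
    if euid == st_uid:
        return "owner", bool(st_mode & stat.S_IRUSR)
    if st_gid == egid or st_gid in groups:
        return "group", bool(st_mode & stat.S_IRGRP)
    return "other", bool(st_mode & stat.S_IROTH)

def report(paths):
    """Check real paths against the credentials of the current process,
    e.g. when called from inside the CGI to see what Apache handed it."""
    euid, egid, groups = os.geteuid(), os.getegid(), set(os.getgroups())
    rows = []
    for p in paths:
        st = os.stat(p)
        rows.append((p, *read_class(st.st_mode, st.st_uid, st.st_gid,
                                    euid, egid, groups)))
    return rows

# Constructed sample: web server uid/gid 60001 (the httpd.conf User/Group)
# and two project directories, mode 0750, owned by project groups 2001/2002.
WWW_UID, WWW_GID = 60001, 60001
PROJECTS = {"projA": (0o750, 1001, 2001), "projB": (0o750, 1002, 2002)}

def simulate(groups):
    """Evaluate every sample project for a given supplementary group set."""
    return {name: read_class(mode, uid, gid, WWW_UID, WWW_GID, groups)
            for name, (mode, uid, gid) in PROJECTS.items()}

if __name__ == "__main__":
    print("only the configured group:", simulate(set()))
    print("with projA as supplementary group:", simulate({2001}))
    print("this process:", report(["/"]))
```

With mode 0750 the server falls into the "other" class for every project whose group it does not hold, so each project group it should read has to appear in the process's group set.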


Re: Apache to honour group set?

Posted by "J. Greenlees" <ja...@shaw.ca>.
Christian,

did you try setting apache to run under either nobody.nobody?
that often flags the system to allow the use of any file in cgi.

the other user.group option that may help is root.root.

though setting it to the last may cause some system security issues, 
since it gives Apache unlimited access by default, making people able to 
get where they shouldn't.

