Re: Apache and home directories (file browser).

From: Damian Gerow (damian_at_sentex.net)
Date: 02/17/04

    Date: Tue, 17 Feb 2004 11:24:57 -0500
    To: isp@freebsd.org
    
    

    Thus spake Andy Dills (andy@xecu.net) [16/02/04 17:51]:
    > > I think this is what I'm looking for, yes. Since I posted this I asked
    > > some questions on IRC and somebody mentioned that Apache can be chrooted
    > > to the uid of a script's owner (similar in a way to safe_mode in PHP).
    > > This would surely then allow files to be read/written by Apache in a
    > > secure fashion.

    <snip>

    > While you can chroot apache, that's serverwide, not per-virtualhost.
    >
    > If I were you and I wanted to do what you're talking about, I'd use suexec
    > with perl scripts. AFAIK, that's the only way to do it correctly.

    I get the impression that's what was meant, and this is just a confusion of
    terms. You don't chroot to a uid, you generally 'drop' privileges to a uid.

    To answer the question..

    > > My worry here is that Apache would have to be running as root to
    > > chroot -- can anybody confirm this for me? (Indeed, can anybody confirm
    > > that it is even possible to do this?)

    When you start Apache, you need to start it as root, then it drops
    privileges to, for later versions of FreeBSD, uid www. If you have suexec
    set up, I don't know exactly how it works, but it drops privileges from root
    (who starts httpd) to whichever user suexec is configured to.

      - Damian
    _______________________________________________
    freebsd-isp@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
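The start-as-root-then-drop sequence described in the message above, as an added example that is not part of the original post and is not Apache's or suexec's own code. The helper name `drop_privileges` and the sample id 65534 are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently switch from root to uid/gid.
 * Returns 0 on success, -1 if the drop is refused or incomplete.
 * On -1 the caller must exit: the process may be half-switched. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Refuse a "drop" whose target is root itself. */
    if (uid == 0 || gid == 0)
        return -1;
    /* Order matters: supplementary groups, then gid, then uid.
     * After setuid() the process may no longer change its groups. */
    if (setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    /* Root must not be recoverable once the drop is done. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample target: 65534 is often "nobody" (assumption). */
    uid_t uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : 65534;
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : 65534;

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed, exiting\n");
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Started without root, the helper fails at `setgroups()` and the program exits instead of continuing with unexpected ids.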

