Mailing List Archive

More configurable options needed for VirtualHost (fwd)
Re: More configurable options needed for VirtualHost (fwd)
} >
} > Hi,
} > We're using Apache as our Web server and we plan to use the VirtualHost
} > feature.
} > But we'd like different pseudo-servers to run under different users/groups.
} > Unfortunately 'User' and 'Group' are not part of the options that can be
} > set in the VirtualHost section.
} > I think it'd be worth adding this to the configuration. What do you think?
} > Regards.

Comments here address 0.7.x and 0.8.x apache releases, since 0.6.x is
forking, it's not as much an issue.

This can't easily be done securely. Since the same processes are serving
many different hosts, there would need to be a way to switch user IDs when
each request was received. There are differences in UNIX variants how
one can "get back root uid" without using singles so portability would suffer
also. The last resort of keeping the daemon as root until a request comes
in does not sit well with me either since the process would have to switch
back to root when it was completed. Httpd is too big to run as root IMHO.

This is an argument for "BindAddress" functionality. Perhaps we should
document that and add it into the new framework :(

Cliff
Re: More configurable options needed for VirtualHost (fwd)
From: Rob Hartill <hartill@hyperreal.com>
Date: Thu, 20 Jul 1995 12:15:46 -0700 (PDT)
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

Forwarded message:
> From tigo@publicis.fr Wed Jul 19 05:46:25 1995
> Message-Id: <199507191248.OAA09023@sphinx.publicis.fr>
>
> Hi,
> We're using Apache as our Web server and we plan to use the VirtualHost
> feature.
> But we'd like different pseudo-servers to run under different users/groups.
> Unfortunately 'User' and 'Group' are not part of the options that can be
> set in the VirtualHost section.
> I think it'd be worth adding this to the configuration. What do you think?
> Regards.
>

That can be done by running multiple servers using BindAddress, with a
different uid for each server. (In fact, it's the only reason left
that I'm aware of for using BindAddress with 0.8.x). It *may* be
possible to implement in a single server pool by having the pool
members carefully juggle their real and effective uids, but that would
involve giving root privilege to the processes which actually do I/O,
which is something we presently avoid; also, the details may turn out
to be somewhat less than fully portable (I honestly don't know, but
this is the sort of thing that tends to give me the heebie-jeebies).

rst
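
The uid juggling discussed in this thread, as an added example that is not part of the original messages or of Apache's code: it contrasts a temporary drop (effective uid only) with a permanent one, and checks in a child process whether root can be regained afterwards. The function names and the uid/gid 65534 are assumptions, and the behaviour shown is that of current POSIX/Linux saved-set-user-ID semantics; the check only does real work when started as root.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: 65534 is an unprivileged uid/gid ("nobody" on many systems). */
#define DEMO_UID 65534
#define DEMO_GID 65534

/* "Juggling": only the effective uid changes; the saved uid stays 0. */
static int drop_temporarily(void) { return seteuid(DEMO_UID); }

/* Permanent drop: groups first, then setuid(), which as root replaces the
 * real, effective and saved uids together. */
static int drop_permanently(void)
{
    if (setgroups(0, NULL) != 0 || setgid(DEMO_GID) != 0)
        return -1;
    return setuid(DEMO_UID);
}

/* Drops privilege in a child process, then checks whether the child can
 * become root again. Returns 1 if root was regained, 0 if not, and -1 if
 * the check could not run (not started as root, or the drop failed). */
int can_regain_root(int permanent)
{
    int status;
    pid_t pid = geteuid() == 0 ? fork() : -1;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if ((permanent ? drop_permanently() : drop_temporarily()) != 0)
            _exit(2);
        _exit(seteuid(0) == 0 ? 1 : 0);   /* try to take root back */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    printf("temporary drop, root regained: %d\n", can_regain_root(0));
    printf("permanent drop, root regained: %d\n", can_regain_root(1));
    return 0;
}
```

A process that only lowers its effective uid still holds root in its saved uid, so any code running in it can switch back; one server per BindAddress address, each dropped permanently to its own uid, avoids that.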