I've seen mentioned on several security related web sites that if you are
running Apache in a multi-user environment, it should always be built with
the suexec mechanism enabled to prevent users executing scripts with the
privileges of the web user.
However suexec as a security mechanism is now outdated since it ONLY
applies to cgi-scripts and nothing else. Being as PHP and other engines
are now extremely popular, suexec is quite useless.
It seems to me that there is a far better method of implementing this type
of security strategy. Is it not possible to have apache drop to the user
and group specified in the Virtual Hosts directive when performing ANY and
ALL operations related to that virtual host? I'm amazed it doesn't work
this way now though I admit I have little understanding of the
complexities of this issue.
This would solve a multitude of other issues our users have with
permissions and security. Is there any possible way of implementing this
now? Does Apache 2.x support this?
Regards,
John Lange
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
running Apache in a multi-user environment, it should always be built with
the suexec mechanism enabled to prevent users executing scripts with the
privileges of the web user.
However suexec as a security mechanism is now outdated since it ONLY
applies to cgi-scripts and nothing else. Being as PHP and other engines
are now extremely popular, suexec is quite useless.
It seems to me that there is a far better method of implementing this type
of security strategy. Is it not possible to have apache drop to the user
and group specified in the Virtual Hosts directive when performing ANY and
ALL operations related to that virtual host? I'm amazed it doesn't work
this way now though I admit I have little understanding of the
complexities of this issue.
This would solve a multitude of other issues our users have with
permissions and security. Is there any possible way of implementing this
now? Does Apache 2.x support this?
Regards,
John Lange
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org