[BBLISA] Dual access to files by webserver and user.
Alex Aminoff
alex at basespace.net
Tue Nov 15 15:59:48 EST 2011

About a decade ago I do recall solving a similar problem by running
apache as root and using some sort of setuid capability such that apache
would become the user in question, and thus have all of their
permissions. This approach was strongly discouraged since it opens up
your system to anyone who can find a security hole in apache. Perhaps it
could be made slightly safer if apache was run inside a chroot jail of
some sort that included homedirs but not the rest of the system?

Documentation for mod_suid says "thus you have to compile and configure
Apache2 with -DBIG_SECURITY_HOLE option". I chuckled.

As an alternative to running all of apache as root, you could
setuid-enable just those functions that need to be done by the user.
Still dangerous though.

- Alex
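
The narrower alternative mentioned in the message above, a small root-started helper that becomes the target user, sketched in C as an added example; it is not part of Alex's message and not code from Apache or mod_suid. The names `target_allowed` and `become_user` and the `MIN_UID`/`MIN_GID` floor of 1000 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE          /* exposes setgroups() in glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define MIN_UID 1000             /* assumed floor: lower ids are system accounts */
#define MIN_GID 1000

/* Policy: never become root or a system account. 0 = allowed, -1 = refused. */
int target_allowed(uid_t uid, gid_t gid)
{
    if (uid < MIN_UID || gid < MIN_GID)
        return -1;               /* also covers uid 0 and gid 0 */
    return 0;
}

/* Permanently switch the calling (root) process to uid/gid.
 * Returns 0 on success; on -1 the caller must exit without touching files. */
int become_user(uid_t uid, gid_t gid)
{
    if (target_allowed(uid, gid) != 0) { errno = EPERM; return -1; }
    if (setgroups(0, NULL) != 0) return -1;   /* drop root's supplementary groups */
    if (setgid(gid) != 0) return -1;          /* group first, while still root */
    if (setuid(uid) != 0) return -1;          /* as root: real, effective, saved uid */
    /* The drop must be irreversible and complete. */
    if (setuid(0) == 0 || seteuid(0) == 0) { errno = EPERM; return -1; }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <uid> <gid>\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (become_user(uid, gid) != 0) {
        perror("become_user");
        return 1;
    }
    printf("now uid=%lu gid=%lu\n", (unsigned long)getuid(), (unsigned long)getgid());
    return 0;
}
```

Everything the helper does before `become_user` returns still runs as root, so that portion is the part to keep small and audit.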