Stefan Fritsch wrote:
>> So the actual item for the wishlist is to be able to specify a user
>> (or more than one) that are considered trusted. Suexec will then
>> allow files owned by either the target user, or by a trusted user,
>> to be executed.
>
> First of all, have you looked at
>
> suphp
> sbox-dtc
> cgiwrap/php-cgiwrap
>
> to see if any of them meet your needs? I don't know any of them but
> maybe one of them already has the feature you need.

Yes, I've looked at them. The problem is that libapache2-mod-fastcgi is written to be used together with suexec. The calling convention usually is different for other programs like suphp.

> Second, you could use "chattr +i" to prevent users from changing the
> wrapper. This is somewhat fragile, though, because backup programs
> usually will not restore the immutable flag.

I've tried that approach, and it is indeed fragile. Certainly when I want the cgi script itself to be autogenerated by another script, which takes into account user preferences etc.

> Apart from that, allowing scripts owned by root to be executed as any
> user would certainly create (local) security issues. Using a
> dedicated user might be possible, though.

Why would running a root-owned script as a local user create a security issue?

> But I intend to keep apache2-suexec-custom as close as possible to the
> normal suexec and would prefer to not add any more features.

I understand that. The patch is quite trivial though. Are there any other options besides maintaining my local patch? It's unfortunate I have to maintain this local patch. I know many people have the same setup as me, and also have to patch suexec themselves.

Thanks,
Alexander