On Sat, 26 Feb 2000, Adam Shand wrote:
> > > That involves creating a virtual host for every user.
> >
> > I was asking whether ~user/cgi-bin can be made to be not under
> > /home/user/public_html/cgi-bin but /home/user/cgi-bin.
>
> with ~username urls it's even easier. i'm not sure how you do it with
> suexec

It is automatic with suexec. Only you have to enable suexec by setting
suexec setuid.

> cause i've never tried but with cgiwrap it's trivial. a user would
> run a cgi via cgiwrap like this:
>
> http://www.domain.com/cgi-bin/cgiwrap/username/script.cgi
>
> and the path to user cgi's is hard coded into the cgiwrap program. so when
> the above is called it knows to look in ~username/public_html/cgi-bin for
> the script. hence joe's complaint about the cgi-wrap program. it could
> just as easily look in ~username/cgi-bin and that would mean that there was
> no way for someone to poke around in the users cgi-bin directory by going
> to:
>
> http://www.domain.com/~username/cgi-bin
>
> and viewing the cgi's.
>
> > The problem with this is that this way the users can't do this
> > themselves, but they need me to chown and chgrp their files needing
> > protection. They can't create files with www-data.wwwroot, and apache
> > won't serve files for which it has only group access rights.
>
> if it's the users stuff you want to protect you should figure out how to run
> ~username accounts via suexec (i'm fairly sure it's possible). that way
> they can simply chown all their web pages to them, and chmod 600 all the web
> pages. the web server will be able to read them because it runs as the
> user, and no one else will be able to read them because they are only
> readable by the owner.
>

Unfortunately with apache, data is always served as www-data.www-data or
whatever it is set to in httpd.conf. It does not change uids to serve normal
files, since that would need running as root. It does that for cgi-s since
that inherently needs a program execution itself...

> > Or maybe I only need to restart apache after adding www-data to the
> > user's group? (Adding www-data to the user's group poses no problems if
> > every cgi is run under the owner's id).
>
> i don't understand this. i wouldn't add your users to the www-data group.
>

No. I would add www-data to the user's group. That way it can see the user's
file, and it need not be world-readable. However it did not work. But maybe
only because I did not restart apache, and it did not have the user's group
among its groups.

Robert
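
The group question at the end of this message, as an added example that is not part of the original thread: a process's supplementary groups are fixed when it starts, so a group added to /etc/group afterwards is not held by a server that is already running. The sketch assumes the Linux `/proc/<pid>/status` format; the account names, IDs and sample text are constructed.

```python
import stat

def can_read(mode, f_uid, f_gid, p_uid, p_gid, p_groups):
    """Unix read check: only the first matching class (owner, group, other) applies."""
    if p_uid == 0:
        return True  # root bypasses the mode bits
    if p_uid == f_uid:
        return bool(mode & stat.S_IRUSR)
    if f_gid == p_gid or f_gid in p_groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def running_groups(status_text):
    """Supplementary GIDs a live process holds ('Groups:' line of its status file)."""
    for line in status_text.splitlines():
        if line.startswith("Groups:"):
            return {int(g) for g in line.split()[1:]}
    return set()

def configured_groups(group_text, user):
    """GIDs whose member list in /etc/group-style text names `user`."""
    gids = set()
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4 and user in parts[3].split(","):
            gids.add(int(parts[2]))
    return gids

def stale_groups(status_text, group_text, user):
    """Groups configured for `user` that the running process does not hold yet."""
    return configured_groups(group_text, user) - running_groups(status_text)

# Constructed sample data: www-data (33) was just added to robert's group (1000).
GROUP_FILE = "www-data:x:33:\nrobert:x:1000:www-data\n"
STATUS_OLD = "Name:\tapache\nUid:\t33\t33\t33\t33\nGid:\t33\t33\t33\t33\nGroups:\t33\n"
STATUS_NEW = "Name:\tapache\nUid:\t33\t33\t33\t33\nGid:\t33\t33\t33\t33\nGroups:\t33 1000\n"

if __name__ == "__main__":
    # File under test: mode 0640, owned by uid 1000, group 1000 (not world-readable).
    for label, status in (("before restart", STATUS_OLD), ("after restart", STATUS_NEW)):
        ok = can_read(0o640, 1000, 1000, 33, 33, running_groups(status))
        missing = sorted(stale_groups(status, GROUP_FILE, "www-data"))
        print(f"{label}: missing groups {missing}, file readable: {ok}")
```

On a live system the two text inputs would come from `/etc/group` and from `/proc/<pid>/status` of a server child process.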