please hack apart this solution and point out the error/insecure nature of the setup. goal, provide php access to name based virtual hosts on FreeBSD boxes problem, security of PHP access to base system and other user scripts solution, apache compiled with suexec # set user and group to unique chown USERID:USERID /path/to/user/html/directory # no public access to any files under here that # you don't want public reading, like scripts # with database login information in them chmod -R 0750 /path/to/user/html/directory # set group sticky execution... we will run # apache as this unique group so may not be needed chmod g+s /path/to/user/html/directory >in apache's httpd.conf # set each virtual host to run any accesses # as the group USERID giving them only access # to this directory... defeats PHP directory # and shell scripts as long as no public read bits # are set <virtual *> ServerName whatever.com Group USERID </virtual> Sufficient? you end up with http://test1.com and http://test2.com being unable to create PHP scripts or do listings of any other virtual user directory since they are not of the same group, but accesses to the site are made by invoking apache as that group for that session. directory tree drwxr-s--- 2 user1 user1 512 Aug 19 18:23 vtest1 drwxr-s--- 2 user2 user2 512 Aug 19 18:26 vtest2 with directory groups set in the httpd.conf for user1 in vtest1 and user2 in vtest2, neither user should be able to use PHP filesystem functions to browse the other directories as long as no public bits are set, and apache server requests still server the documents from the directories since each users directory has an Group user1 (or user2) set for his directory in the directory or virtual container, thus executing the apache requsts as the appropriate user and not the generic www user. Please feel free to point out any errors in my logic... it appears pretty solid from here. Dave -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
