Apache - Set UID based on UID of target file

Hi Folks,
I've been searching around the net for a few days trying to find an answer to this and so far, I'm coming up pretty much dry.

The solution that I am looking for can be for apache 1 or apache 2 since there is nothing so far that requires me to use either version specifically.

My question is about virtualhosts and setting the current userid of the apache process based on the target. Basically, I am trying to set up a system that uses the mass dynamically configured virtual hosting feature of apache. I want to enable PHP for all the sites but I am having difficulty securing it to prevent one site from accessing the files of another site. The safe mode option in PHP almost achieves what I am looking for but there appears to be a flaw in it. The flaw is that any files that are created by the php script are owned by the user that apache is running under.

I was reading somewhere (apache 2 docs I think) that you can run apache as root (sounds scary) and then get it to change the user of the process that is handling a request to the user that is specified in the <virtualhost> section for that particular site. (This assumes that you are not using the mass dynamically configured method.)

I need a way to do this but in a mass dynamically configured environment. Ideally, the process needs to assume the userid of the file that has been requested. (A bit like the safe mode option in php although that does not actually change the user.)

I did come across a module that someone had written somewhere that did just that but it was for an old version of apache and did not look to have been updated. I'm guessing that it has not been updated because an alternative exists that is probably staring me in the face and I can't see it!!!

Any ideas anyone?

Many Thanks,
James Sefton

On 2004-08-25, James Sefton <ng@phase5.co.uk> wrote:
> this and so far, im coming up pretty much dry.

I've never seen such a solution and, AFAIK, the only thing you could do was to run 'n' Apache processes, one for every VHost.

> I was reading somewhere (apache 2 docs i think) that you can run apache as
> root

If you want Apache to run on port 80 you have to run it as root, since only root can open a port < 1024.

Davide
--
Sure he's sharp as a razor ... he's a two-dimensional pinhead!

Hi David,
I was not aware of the restriction on ports <1024. My apache does start as root but then the user directive changes it to 'nobody'.

You can (could) use the 'User' directive in a <virtualhost> container to change the user that the process is running as. See: http://httpd.apache.org/docs-2.0/mod...mmon.html#user

However, I just noticed a note that this option is no longer supported in a <virtualhost> container.

The facility is/was clearly there to be able to change the current user of the process (although it has been disabled for the virtualhost containers now), I just need to find a way to do it based on the target file.

I think I am going to go and find that module that I was talking about earlier and see if the person that put it together has the source code for it for download. Maybe I can make a small modification to the main apache source before compiling to add the feature.

Anyone with any experience of doing this, I could really use your comments.

Regards,
- James

On 2004-08-25, James Sefton <ng@phase5.co.uk> wrote:
> I was not aware of the restriction on ports <1024. My apache does start as
> root but then the user directive changes it to 'nobody'.

Yes, this is the default.

> However, i just noticed a note that this option is no longer supported in a
> <virtualhost> container.

The problem is that Apache spawns multiple children, each one can serve multiple VHosts depending on how many requests the VHost receives. If the child has to switch User every time, it becomes reaaaaallly slow and basically the advantage of multichild is wasted.

> Anyone with any experience of doing this, i could really use your comments.

I've some experience in messing with Apache's modules, but never this far. Anyhow, feel free to mail me, if I can be of any help... remove 'yeahsure' from the e-mail.

Davide
--
If you don't have a nasty obituary you probably didn't matter.
-- Freeman Dyson

It's such a pleasure to see someone so enthusiastic about helping a complete stranger with something that is not any of their concern. You are a credit to this community.

Your offer to help with what I am doing is very kind and when I have a real need for it, I may contact you.

However, you indicated that this 'changing users' that I am trying so hard to achieve would likely create such additional overhead that it would be pointless to be using dynamically configured virtual hosts over the standard ones. If this is the case (which I don't doubt what you said) then it is not suitable for what I am trying to achieve. I am basically trying to make a server as robust as I can with my limited knowledge to be able to host as many 'very small' sites as possible.

I have another idea for getting the level of security that I want while still being able to use the dynamic hosts which I am going to try out. I won't bore you with the details because it may not work but if you do for any reason want to know, leave a message here and I will try and remember to post what I did and if it worked when I'm done.

Regards,
- James

"Davide Bianchi" <davideyeahsure@onlyforfun.net> wrote in message news:slrncipinm.1i7.davideyeahsure@fogg.onlyforfun .net...
> On 2004-08-25, James Sefton <ng@phase5.co.uk> wrote:
>> this and so far, im coming up pretty much dry.
>
> I've never see such a solution and, AFAIK, the only thing you could
> do was to run 'n' Apache processes, one for every VHost.

Incidentally, you do this with the "per-child" MPM, which I think is still in the alpha development cycle.

The problem of running PHP suexec (as with CGI) is one that I think a lot of people have encountered, and I'm one of them. So far I've found no solution that enforces suexec on all users' PHP scripts.

However, as I needed some of my own PHP scripts to be run suexec in order for them to work correctly, the workaround I used was to use CGI and apache's suexec wrapper to handle my scripts (with a #!/usr/bin/php line at the top). This does the trick, but you lose the performance boost gained by having PHP as an apache module.

I've also heard about kernel hacks in Linux (echoing something to /proc/elf or similar) that will allow PHP scripts to be executed directly without the need for a #! line, which would allow you to force your users into using the mechanism described above without requiring them to modify all their scripts. I never investigated this further however, as I do not use Linux, and couldn't find a similar feature in FreeBSD.

Hope this helps

~Kieran
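
The thread's core idea, running a script under the UID of the file that was requested, is shown here as an added example; it is not code from any poster in this thread and not Apache's suexec source. The wrapper, the names `check_target` and `drop_to`, the `MIN_UID`/`MIN_GID` values and the exact policy are assumptions chosen for illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MIN_UID 1000 /* assumed: lowest UID allowed to own a hosted site */
#define MIN_GID 1000 /* assumed: lowest GID allowed to own a hosted site */

/* Decide whether the wrapper may assume the identity of the script's owner.
 * Returns 0 if acceptable, otherwise a negative reason code. */
int check_target(const struct stat *st)
{
    if (!S_ISREG(st->st_mode))             return -1; /* not a plain file */
    if (st->st_uid < MIN_UID)              return -2; /* root or system account */
    if (st->st_gid < MIN_GID)              return -3; /* system group */
    if (st->st_mode & (S_ISUID | S_ISGID)) return -4; /* setuid/setgid script */
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return -5; /* editable by other users */
    return 0;
}

/* Irreversibly become uid/gid. Groups and gid go first: once setuid()
 * has succeeded the process no longer has the privilege to change them. */
int drop_to(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1; /* clear root's supplementary groups */
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1;
    if (setuid(0) == 0)          return -1; /* regaining root must fail */
    return 0;
}

int main(int argc, char **argv)
{
    struct stat st;
    if (argc < 2) { fprintf(stderr, "usage: %s script [args]\n", argv[0]); return 1; }
    if (lstat(argv[1], &st) != 0) { perror("lstat"); return 1; }
    int why = check_target(&st);
    if (why != 0) { fprintf(stderr, "refused (%d)\n", why); return 1; }
    if (drop_to(st.st_uid, st.st_gid) != 0) { perror("drop_to"); return 1; }
    execv(argv[1], argv + 1); /* the script now runs as its owner */
    perror("execv");
    return 1;
}
```

A production wrapper would also open the script and use fstat() on the descriptor, so that the file checked is the file executed.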