Interesting. A stub runs as root, yes, but all the threads that actually handle requests are running as the correct non-priveleged user on my system.
I've never experienced a problem with cgi-php and very much doubt debian would provide it as a package if it provided such a big hole. Regards, Phillip Baker LC Host Administrator [EMAIL PROTECTED] ----- Original Message ----- From: "Marcin Sochacki" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, August 01, 2002 4:29 PM Subject: Re: Apache/PHP/FTP and user rights > On Thu, Aug 01, 2002 at 03:40:23PM +0200, [EMAIL PROTECTED] wrote: > > I'm facing a problem I thought would be fairly easy to deal with, but > > haven't found a proper solution. Here it is : > > > > We have a web werver hosting a few tens of customers using > > VirtualHosts. We have mod_php and use FTP for updates, each customer > > having its own UID. > [...] > > > What we consider the "right" solution would be to have Apache run as > > user.user in each virtual host. This seems to be doable with > > User/Group directives. Unfortunatly : > Apache doesn't honor those options in virtual host context, unless run > as root and recompiled with some -DBIG_SECURITY_HOLE option. > Obviously this is not a very secure solution. > > Take a look here: > http://ftw.zamosc.pl/~lw/mdp/ > http://luxik.cdi.cz/~devik/apache/ > > Wanted > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > >
