>> The problem with this setup is that I have to have o+rx permission on
>> directories and non-executables, which is a little messy (and I'm not
>> sure whether vsftpd can handle this).
>> Plus everyone on the machine can now read the files.
>>
>> Ack.
>
> Well, to get /proper/ isolation you have to run separate Apache
> instances... :)
>
> You could try a compromise along the lines of that suggested by Upayavira,
> except you hit NGROUPS_MAX as you noted.
>
> Wild Ass Suggestion: If you made each user VirtualHost directory uid
> <user> gid www-data, and mode 2750 (note the setgid bit there), and have
> only Apache in group www-data, might that not work? [Am I missing
> something obvious?]

I think I'd get an error from suexec complaining about a User/Group mismatch.

> The biggest problem then is that users can piggyback off Apache's group
> www-data access by running scripts. Perhaps this could be surmounted with
> suexec, by forcing scripts to run as the User/Group you specify. Users
> might have to manually chgrp their scripts to their "User Private Group"
> in this scenario though, which is a disadvantage.
>
> But I should shut up now... I have to defer at this point to someone with
> more experience at running large Apache installations. 8-P
>
> Regards,
>
> Blair.
>
> Anyone? :)
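One way to audit a per-user VirtualHost directory against the uid <user> / gid www-data / mode 2750 scheme suggested above, as an added example that is not from the original thread (the helper name check_vhost_dir, and the use of your own primary group in place of www-data when you try it unprivileged, are assumptions):

```shell
#!/bin/sh
# Audit one per-user VirtualHost directory against the scheme floated in the
# thread: owned by the site user, group www-data, mode 2750 (setgid, so new
# files inherit the group), and nothing below it accessible by "other".
# Hypothetical helper written for this page, not part of the original thread.

# check_vhost_dir DIR GROUP
# Prints one line per problem found; returns 0 when clean, 1 otherwise,
# 2 if DIR is not a directory.
check_vhost_dir() {
    dir=$1
    grp=$2
    n=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }

    # 1. The top-level directory itself must be exactly mode 2750
    #    (setgid, owner rwx, group rx, other none).
    if [ -n "$(find "$dir" -prune ! -perm 2750)" ]; then
        echo "$dir: mode is not 2750"
        n=$((n + 1))
    fi

    # 2. Every entry must carry the web-server group; otherwise Apache,
    #    the only member of that group, cannot read it.
    bad=$(find "$dir" ! -group "$grp")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed "s|\$|: group is not $grp|"
        n=$((n + 1))
    fi

    # 3. Nothing may be readable, writable or executable by "other"; that
    #    is the world-readable exposure the original poster wanted to avoid.
    bad=$(find "$dir" \( -perm -o+r -o -perm -o+w -o -perm -o+x \))
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's|$|: accessible by other users|'
        n=$((n + 1))
    fi

    [ "$n" -eq 0 ]
}
```

Run it as `check_vhost_dir /var/www/<user> www-data` from cron or a deploy hook; a non-zero exit means a user or an upload has drifted from the intended permissions.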