On Wed, 7 Jun 2000, Sean 'Shaleh' Perry wrote:
> > On 07-Jun-2000 Robert Varga wrote: > > > > > > On Wed, 7 Jun 2000, Sean 'Shaleh' Perry wrote: > > > >> > >> On 07-Jun-2000 Robert Varga wrote: > >> > > >> > That is not the same problem. When I refer on users, they are meant as > >> > system users on the webserver, not web visitors. > >> > > >> > What I need is a way to provide separate mysql databases to all > >> > virtualhosts and webserver users, without a possibility for them to > >> > access > >> > each other's databases. > >> > > >> > >> each v host gets a user, the web daemon runs as that user. The mysql > >> passwds > >> are in a file that that user can read. Only people who can learn it are > >> other > >> members of the v host. > >> > > > > No, that is only true if it is a cgi. Apache modules don't change uid-s. > > They always run as set globally in httpd.conf, by default www-data, and > > you cannot override it for virtual hosts. > > > > What you can override is running cgi-s or exec-s from SSI-s. The User / > > Group override for virtual hosts is only for cgi-s run in that virtual > > host. > > > > PHP is an apache module on our site, and if it was run from a cgi > > (php3-cgi package) then performance would decrease due to > > 1. not having persistent connections > > 2. having to load the php interpreter on every request for every php > > page. > > > > apache runs as the vhost user. One apache daemon group per v host. > Nope. It may be true for ip-based virtual hosts, but surely not for namebased virtual hosts. It changes uid and gid only for running cgi-s via suexec. It is sure. You can check it the following way: put a file which should be readable by the uid and gid that is set at the virtual host, but not by www-data.www-data, into that virtual host's webspace. Try to retrieve it with a browser. You will get a 403 error (access forbidden). Therefore it is sure that for normal pages the server and the apache modules (eg php3) run as www-data. I tried it. Regards, Robert Varga
