| 1 |
Pedro Venda wrote: |
| 2 |
> On Tuesday 28 February 2006 16:14, Ryan James R. wrote: |
| 3 |
>> I am trying to accomplish a mass virtual hosting server where each |
| 4 |
>> website is run from it's own user account. Now I've accomplished |
| 5 |
>> putting the websites into user's ~/public_html directories but Apache |
| 6 |
>> is still running as it's own user so php file managers/admin backends |
| 7 |
>> that are run from these sites. |
| 8 |
>> |
| 9 |
>> I took a look at mod_userdir but I'm not sure if that's what I was wanting. |
| 10 |
>> |
| 11 |
>> From what I see, I think I need something that will allow apache to |
| 12 |
>> spawn with userid of site it is serving. Please correct me if I'm |
| 13 |
>> wrong and give as many suggestions as possible. |
| 14 |
> |
| 15 |
> there is more than one way to acomplish this, but none of them is perfect. |
| 16 |
> generally you loose performance and may gain bonus security holes if you're |
| 17 |
> not careful. |
| 18 |
> |
| 19 |
> * mod_suphp is the easiest and probably the best way to handle this. it allows |
| 20 |
> selective php.ini configurations per vhost if you want and other nice |
| 21 |
> restrictions. the online documentation is NOT up to date. |
| 22 |
> |
| 23 |
> * mod_suexec is a more generic approach. However, when me and my team of |
| 24 |
> sysadmins needed it, we found out that it didn't work exactly as we expected. |
| 25 |
> we wanted it to serve .php files with the php cgi interpreter... if I |
| 26 |
> remember correctly, mod_suexec needed the executable bit set on scripts and |
| 27 |
> a .cgi extension, which would seriously break our installation. Miguel Filipe |
| 28 |
> - a friend of mine - wrote a one-liner patch to make it work as we needed on |
| 29 |
> a solaris apache2 installation we were administrating at the time (around |
| 30 |
> 8000 users).. (http://mega.ist.utl.pt/~miguel/code/) |
| 31 |
Yes, the patch is here |
| 32 |
http://mega.ist.utl.pt/~miguel/code/suexec+php.diff |
| 33 |
|
| 34 |
but just looking through the several errors in the comments and the general |
| 35 |
hackish attitude in the code, I wouldn't recomend using it on production |
| 36 |
servers without further auditing. |
| 37 |
|
| 38 |
Is this patch submitted to the apache team? |
| 39 |
It looks simple enough, but as it is in a vital security area (suexec) it |
| 40 |
may bring big surprises later. |
| 41 |
|
| 42 |
Kalin. |
| 43 |
-- |
| 44 |
|[ ~~~~~~~~~~~~~~~~~~~~~~ ]| |
| 45 |
+-> http://ThinRope.net/ <-+ |
| 46 |
|[ ______________________ ]| |
| 47 |
-- |
| 48 |
gentoo-server@g.o mailing list |
Archives