allen at modwest.com
Wed Nov 7 12:56:12 EST 2001
Thanks for your answer. It's what I needed to know.

I looked at the MPM stuff in Apache 2.0 and it looks like you need to specify "AssignUserId" in a <VirtualHost> container of the httpd.conf file. That sort of defeats the purpose of mod_vhost_alias, which let you make a directory and be on your way with a new virtual host.

Since Apache 2.0 will be capable of changing the UID of the child process anyway, it would have been great if they could just make the child process the same UID as the file that was about to be served. That would fix mod_php and mod_python so that users' scripts can only do what that user can do. No need to change httpd.conf and restart Apache every time you get a new user.

Allen

On Wed, 7 Nov 2001, Gregory (Grisha) Trubetskoy wrote:

>
> On Tue, 6 Nov 2001 allen at modwest.com wrote:
>
> > Does mod_python have something similar to or better than "safe mode"? If
> > you are running mod_python can any user on the system write a python
> > script that can do anything the webserver has permission to do?
>
> Yes, pretty much.
>
> I'm not familiar with what PHP does, though at first glance this looks
> like semi-security - if the process still runs as the httpd user, there's
> probably still a great risk of someone finding a way around the barriers
> PHP imposes... But then again I don't know the first thing about it.
>
> Apache 2.0 should have a native solution to this problem
> (http://httpd.apache.org/docs-2.0/mod/perchild.html), so there is probably
> no point in trying to engineer something through mod_python, especially
> considering I have no control over the actual Python interpreter code
> itself (unlike the PHP people).
>
> Grisha