Re: secret data for php pages
On Wed, 7 Jun 2000, Sean 'Shaleh' Perry wrote:
>
> On 07-Jun-2000 Robert Varga wrote:
> >
> >
> > On Wed, 7 Jun 2000, Sean 'Shaleh' Perry wrote:
> >
> >>
> >> On 07-Jun-2000 Robert Varga wrote:
> >> >
> >> > That is not the same problem. When I refer to users, they are meant as
> >> > system users on the webserver, not web visitors.
> >> >
> >> > What I need is a way to provide separate mysql databases to all
> >> > virtualhosts and webserver users, without a possibility for them to access
> >> > each other's databases.
> >> >
> >>
> >> each v host gets a user, the web daemon runs as that user. The mysql passwds
> >> are in a file that that user can read. Only people who can learn it are other
> >> members of the v host.
> >>
> >
> > No, that is only true if it is a cgi. Apache modules don't change uid-s.
> > They always run as set globally in httpd.conf, by default www-data, and
> > you cannot override it for virtual hosts.
> >
> > What you can override is running cgi-s or exec-s from SSI-s. The User /
> > Group override for virtual hosts is only for cgi-s run in that virtual
> > host.
> >
> > PHP is an apache module on our site, and if it was run from a cgi
> > (php3-cgi package) then performance would decrease due to
> > 1. not having persistent connections
> > 2. having to load the php interpreter on every request for every php
> > page.
> >
>
> apache runs as the vhost user. One apache daemon group per v host.
>
Nope. It may be true for ip-based virtual hosts, but surely not for
namebased virtual hosts.
It changes uid and gid only for running cgi-s via suexec. It is sure.
You can check it the following way:
Put a file which should be readable by the uid and gid that is set at the
virtual host, but not by www-data.www-data, into that virtual host's
webspace.
Try to retrieve it with a browser. You will get a 403 error (access
forbidden).
Therefore it is sure that for normal pages the server and the apache
modules (e.g. php3) run as www-data.
I tried it.
Regards,
Robert Varga
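
The check described in the message above comes down to the classic Unix mode-bit test the kernel applies when the server process opens a file. The following is an added example, not part of the original thread: `can_read` is a hypothetical helper, and the uid/gid numbers (33 for www-data, 1001 and 1002 for two vhost users) are constructed sample values. It also shows the consequence for the password file discussed earlier in the thread: a file that a module running as www-data can open is readable from every virtual host's module code.

```shell
#!/bin/sh
# Added example: classic Unix permission check (mode bits only, no ACLs).

# can_read MODE FILE_UID FILE_GID PROC_UID "PROC_GIDS"
# MODE is octal (e.g. 640). Returns 0 if read is allowed, 1 if denied.
can_read() {
    mode=$((0$1)); fuid=$2; fgid=$3; puid=$4; pgids=$5
    [ "$puid" -eq 0 ] && return 0            # root bypasses mode bits
    if [ "$puid" -eq "$fuid" ]; then         # owner: only the owner bits count
        [ $((mode & 0400)) -ne 0 ]; return
    fi
    for g in $pgids; do
        if [ "$g" -eq "$fgid" ]; then        # group member: only group bits count
            [ $((mode & 0040)) -ne 0 ]; return
        fi
    done
    [ $((mode & 0004)) -ne 0 ]               # everyone else: "other" bits
}

# show LABEL MODE FILE_UID FILE_GID PROC_UID "PROC_GIDS"
show() {
    if can_read "$2" "$3" "$4" "$5" "$6"; then
        echo "$1: read allowed"
    else
        echo "$1: read denied (the server answers 403)"
    fi
}

# Constructed sample ids: www-data = 33:33, vhost A = 1001:1001, vhost B = 1002.
# 1. The test file from the message: 0640, owned by vhost A's uid and gid.
show "test file opened as vhost A" 640 1001 1001 1001 "1001"
show "test file opened as www-data" 640 1001 1001 33 "33"

# 2. A password file the module must be able to open: group set to www-data.
#    Vhost B's login user is denied, but module code from any vhost runs
#    as www-data and is allowed.
show "password file opened as vhost B user" 640 1001 33 1002 "1002"
show "password file opened as www-data" 640 1001 33 33 "33"
```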