
Re: secret data for php pages




On Wed, 7 Jun 2000, Sean 'Shaleh' Perry wrote:

> 
> On 07-Jun-2000 Robert Varga wrote:
> > 
> > 
> > On Wed, 7 Jun 2000, Sean 'Shaleh' Perry wrote:
> > 
> >> 
> >> On 07-Jun-2000 Robert Varga wrote:
> >> > 
> >> > That is not the same problem. When I refer to users, they are meant as
> >> > system users on the webserver, not web visitors.
> >> > 
> >> > What I need is a way to provide separate mysql databases to all
> >> > virtualhosts and webserver users, without a possibility for them to access
> >> > each other's databases.
> >> > 
> >> 
> >> each v host gets a user, the web daemon runs as that user.  The mysql
> >> passwds are in a file that that user can read.  Only people who can
> >> learn it are other members of the v host.
> >> 
> > 
> > No, that is only true if it is a cgi. Apache modules don't change uid-s.
> > They always run as set globally in httpd.conf, by default www-data, and
> > you cannot override it for virtual hosts.
> > 
> > What you can override is running cgi-s or exec-s from SSI-s. The User /
> > Group override for virtual hosts is only for cgi-s run in that virtual
> > host.
> > 
> > PHP is an apache module on our site, and if it was run from a cgi
> > (php3-cgi package) then performance would decrease due to 
> >   1. not having persistent connections 
> >   2. having to load the php interpreter on every request for every php
> >      page.
> > 
> 
> apache runs as the vhost user.  One apache daemon group per v host.
> 

Nope. It may be true for ip-based virtual hosts, but surely not for
namebased virtual hosts.

It changes uid and gid only for running cgi-s via suexec. It is sure.
You can check it the following way:

Put a file which should be readable by the uid and gid that is set at the
virtual host, but not by www-data.www-data, into that virtual host's
webspace.

Try to retrieve it with a browser. You will get a 403 error (access
forbidden). 

Therefore it is sure that for normal pages the server and the apache
modules (eg php3) run as www-data.   

I tried it.

Regards,

Robert Varga
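
The check described in the message above, modelled as an added example that is not part of the original post: it predicts the HTTP status of the probe request from file permissions and shows what that means for a secrets file the PHP module must read. The numeric ids, the handler labels ("static", "module", "cgi-suexec") and the sample files are constructed for illustration; directory permissions are ignored.

```python
import stat
from collections import namedtuple

Identity = namedtuple("Identity", "uid gids")
FileMeta = namedtuple("FileMeta", "mode uid gid")

# Constructed sample identities (numeric ids are illustrative).
WWW_DATA = Identity(uid=33, gids={33})        # global User/Group in httpd.conf
VHOST_USER = Identity(uid=1001, gids={1001})  # User/Group set inside the virtual host


def can_read(f, who):
    """POSIX read check for a non-root process: the first matching class decides."""
    if who.uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in who.gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def serving_identity(handler):
    """Per the message: only CGI run through suexec takes the virtual host's
    User/Group; static files and in-process modules (php3) use the global one."""
    return VHOST_USER if handler == "cgi-suexec" else WWW_DATA


def predicted_status(f, handler):
    """HTTP status the probe request should return for this handler."""
    return 200 if can_read(f, serving_identity(handler)) else 403


def readable_by_other_vhosts_php(f):
    """A file the PHP module can read is readable by every vhost's PHP pages,
    because they all execute as the same global identity."""
    return can_read(f, serving_identity("module"))


# Constructed sample files.
PROBE = FileMeta(mode=0o640, uid=1001, gid=1001)        # readable by the vhost user only
SHARED_SECRET = FileMeta(mode=0o640, uid=1001, gid=33)  # group www-data so PHP can read it

if __name__ == "__main__":
    for h in ("static", "module", "cgi-suexec"):
        print(h, predicted_status(PROBE, h))
    print("secret exposed to other vhosts' PHP:",
          readable_by_other_vhosts_php(SHARED_SECRET))
```
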


