mod_diffprivs RC3 review
mod_diffprivs makes Apache configurable to run as a different user/group and in a chroot environment for each VirtualServer and for ~user requests. It is designed mostly for ISPs, to make Apache more secure.
Privs is the core directive of mod_diffprivs. It takes one, two or three arguments. The first is the user that Apache should setuid() to before serving the file. It can be given as a username or as #uid. When you use a username, Apache looks it up in /etc/passwd at startup. It can also be "DoNothing", which means setuid() is not called. setuid() is only called for uids equal to or above the hardcoded constant MIN_UID; you can change this value by editing config.h.
The second argument is the group that Apache should setgid() to before serving the file. It can be given as a group name or as #gid. When you use a group name, Apache looks it up in /etc/groups at startup. It can also be "DoNothing", which means setgid() is not called. setgid() is only called for gids equal to or above the hardcoded constant MIN_GID; you can change this value by editing config.h.
The third argument of the Privs directive is the path of the directory that Apache will chroot() into before serving the file. When you use it, remember to change all paths in that configuration section accordingly. For example, if you had:
DocumentRoot "/www/htdocs/tris"
ScriptAlias /cgi-bin/ "/www/htdocs/tris/cgi-bin"
and you want to use
Privs nobody nobody "/www/htdocs/"
you must change DocumentRoot and ScriptAlias (and any other paths) to:
DocumentRoot "/tris/"
ScriptAlias /cgi-bin/ "/tris/cgi-bin/"
This directory must be under the hardcoded constant UNDER_HERE; you can change this value by editing (you guessed it) config.h. The directive affects only requests like www.whatever.com/blablabla.html, not www.whatever.com/~user.
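As an added example (not the module's own source), the argument checks that the Privs rules above imply, written in C with MIN_UID, MIN_GID and UNDER_HERE taken as assumed values, followed by the privilege drop in the order it has to happen:

```c
#define _DEFAULT_SOURCE 1           /* makes glibc's <unistd.h> declare chroot() */
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <grp.h>
#include <unistd.h>
enum { MIN_UID = 100, MIN_GID = 100 };   /* assumed; config.h sets the real values */
#define UNDER_HERE "/www/htdocs"         /* assumed parent every chroot dir must sit under */
enum { PRIVS_OK = 0, PRIVS_BAD_ARG = -1, PRIVS_TOO_LOW = -2, PRIVS_BAD_ROOT = -3 };
struct privs { int set_uid, set_gid; uid_t uid; gid_t gid; const char *root; };
/* Resolve "name", "#number" or "DoNothing" (sets *skip) to a numeric id. */
static int resolve_id(const char *arg, int is_group, long *id, int *skip) {
    *skip = 0;
    if (strcmp(arg, "DoNothing") == 0) { *skip = 1; return PRIVS_OK; }
    if (arg[0] == '#') {
        char *end;
        *id = strtol(arg + 1, &end, 10);
        return (end != arg + 1 && *end == '\0') ? PRIVS_OK : PRIVS_BAD_ARG;
    }
    if (is_group) { struct group *g = getgrnam(arg); if (!g) return PRIVS_BAD_ARG; *id = g->gr_gid; }
    else { struct passwd *p = getpwnam(arg); if (!p) return PRIVS_BAD_ARG; *id = p->pw_uid; }
    return PRIVS_OK;
}
/* The chroot target must be UNDER_HERE or a path beneath it, with no ".." escape. */
static int root_allowed(const char *dir) {
    size_t n = strlen(UNDER_HERE);
    if (strncmp(dir, UNDER_HERE, n) != 0 || (dir[n] != '\0' && dir[n] != '/')) return 0;
    return strstr(dir, "/../") == NULL && strcmp(dir + strlen(dir) - 3, "/..") != 0;
}
/* Validate the one to three "Privs" arguments under the directive's rules. */
int parse_privs(const char *user, const char *group, const char *dir, struct privs *out) {
    long id; int skip, rc;
    if ((rc = resolve_id(user, 0, &id, &skip)) != PRIVS_OK) return rc;
    if (!skip && id < MIN_UID) return PRIVS_TOO_LOW;   /* refuse root and system accounts */
    out->set_uid = !skip; out->uid = skip ? 0 : (uid_t)id;
    if ((rc = resolve_id(group, 1, &id, &skip)) != PRIVS_OK) return rc;
    if (!skip && id < MIN_GID) return PRIVS_TOO_LOW;
    out->set_gid = !skip; out->gid = skip ? 0 : (gid_t)id;
    if (dir && !root_allowed(dir)) return PRIVS_BAD_ROOT;
    out->root = dir;
    return PRIVS_OK;
}
/* Only safe order: chroot() while still root, chdir("/") so the old cwd cannot
 * be used to leave the jail, then setgid() before setuid(). Needs root; -1 on failure. */
int apply_privs(const struct privs *p) {
    if (p->root && (chroot(p->root) != 0 || chdir("/") != 0)) return -1;
    if (p->set_gid && setgid(p->gid) != 0) return -1;
    if (p->set_uid && setuid(p->uid) != 0) return -1;
    return 0;
}
```

A production build would also clear supplementary groups before setgid(); that step is left out here to keep the block short.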
Requirements:
Apache 1.3.x