[plug] [OT] Password security with shared web hosting

James Devenish devenish at guild.uwa.edu.au
Wed Aug 25 22:53:20 WST 2004


In message <20040825135726.GA29836 at cp.yi.org>
on Wed, Aug 25, 2004 at 09:57:26PM +0800, Cameron Patrick wrote:
> James Devenish wrote:
> > Thanks for the idea. I categorise this under the 'suexec' category of
> > activities, which is fine if you can have such set-uid executables.
> 
> Ahh, 'suexec' was the mod_something that I was trying to remember the
> name of.  Looking at the docs just now, why is it not suitable for
> what you want?  While I've never tried it (and don't use PHP either)
> presumably it can run the PHP interpreter setuid just like it can for
> any other CGI script?

As you have said, it applies to CGI, and that rules out non-CGI. Very
little PHP is done with CGI, as it is inefficient to do so. Most people
use "mod_php", which has a number of advantages, including the avoidance
of CGI :-) Many turnkey PHP solutions are just a set of PHP scripts,
and aren't inherently executable (you'd at least need to add
#!/path/to/php to the top of each file, and set its executable file
permissions like regular CGI, I assume). (BTW, I shouldn't have said
"set-uid executables", as that isn't really what I meant to say.)

In message <20040825140100.GD21943 at cp.yi.org>
on Wed, Aug 25, 2004 at 10:01:00PM +0800, Cameron Patrick wrote:
> PS. "automically" ?  Tsk, tsk.

Yep. Automatic *and* atomic <cough, splutter> ;-)

In message <20040825140100.GD21943 at cp.yi.org>
on Wed, Aug 25, 2004 at 10:01:00PM +0800, Cameron Patrick wrote:
> The suexec docs don't mention doing it by file ownership,

To be honest, it's a long time since I last administered suexec but for
some reason I had it in my mind that it was basically all based on file
ownership.

> but they do mention su'ing based on virtual hosts and user home
> directories, which I'd imagine would cover a lot of situations.

And not a lot of others. Thanks for mentioning it, but it's not
really a "general" solution unless you make the sacrifices solely
to support suexec. Though maybe there is no nice solution.




