
Date:  Thu, 31 Jul 2008 20:28:31 -0400
From:  "Stephanie Sullivan" <bq (at mark) aviaweb.com>
Subject:  [coba-e:13671] Re: apache suexec
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <001a01c8f36d$8718bf70$954a3e50$@com>
In-Reply-To:  <48923324.8090704 (at mark) dogsbody.org>
References:  <0b9201c8f2e4$d3d005f0$967da8c0 (at mark) thomasferrari> <722224.90970.qm (at mark) web65612.mail.ac4.yahoo.com> <00a001c8f308$13d5b640$3b8122c0$ (at mark) com> <48923324.8090704 (at mark) dogsbody.org>
X-Mail-Count: 13671

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> -----Original Message-----
> From: Dogsbody [mailto:dan (at mark) dogsbody.org]
> Sent: Thursday, July 31, 2008 5:48 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:13670] Re: apache suexec
> 
> 
> > The issue as I see it (and I have seen this too) is when files are created
> > via apache (as in php creating a file) they are created with the user and
> > group of apache. In the RaQ4 files were created with the user of httpd and
> > the group of the site.
> 
> This is exactly the issue!!
> 
> Now I could be wrong here but I would swear that this used to work
> correctly (like the Raq4) in *very* early releases of BQ!  I *think*
> this broke with an httpd update from CentOS or it could have been when we
> started using CentOS (that long ago).
> 
> It has to be a config setting somewhere although I'm wondering about
> Thomas's find that suexec seems to be compiled with a wrong document
> root!?  Can suexec's document root be set via a variable without
> recompiling?
> 
> Sorry for questions and not answers, I am a few days away from a big
> charity marathon I organise and don't have any time.
> 
> Regards, Dan

Dan,

I have a partial solution for you to try:
In /etc/httpd/conf/httpd.conf change
Group apache
to
#Group apache
And /etc/init.d/httpd restart

This seems to be working for me to get the group ownership correct. It does
not address the wacky umask issue and the files are created as owner-only. I
have not come across anything it breaks, but no promises.

I did not find any Apache or PHP directive to set a default umask for files
created by php or apache. Argh. PHP does have functions to set the default
umask for the execution of a script, but that's about as close as it seems
to get.

I hope I missed something easy, but what the hay. I would very much like to
see the default umask for files created about /home/sites/* to be group
writable. Maybe it's a bad idea from a security perspective but I haven't
pondered this yet...

	Thanks,
		-Stephanie


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: us-ascii

wj8DBQFIkli1RmFh0h8+YHsRAvn3AJsGX6jZRupsyK72x1NQOrLF22X/hQCdH9Fr
yzWdXOe7I36y9jwu97POnVw=
=Fclm
-----END PGP SIGNATURE-----
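
Added example, not part of the original message: a shell demonstration of how the creating process's umask decides the mode of a new file, which is the owner-only versus group-writable trade-off raised above. The function names and the umask values 077, 022 and 002 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: what mode does a newly created file get under a given umask?

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a file under the given umask in a scratch directory and print its
# mode. The subshell keeps the umask change from leaking into the caller.
mode_under_umask() {
    (
        dir=$(mktemp -d) || exit 1
        umask "$1"
        : > "$dir/probe"          # new files start at 0666, minus the umask bits
        mode=$(file_mode "$dir/probe")
        rm -rf "$dir"
        printf '%s\n' "$mode"
    )
}

# Classify an octal mode by who, other than the owner, can touch the file.
classify_mode() {
    group_bits=$(( (0$1 >> 3) & 7 ))
    other_bits=$(( 0$1 & 7 ))
    if [ $(( other_bits & 2 )) -ne 0 ]; then
        echo "world-writable"
    elif [ $(( group_bits & 2 )) -ne 0 ]; then
        echo "group-writable"
    elif [ "$group_bits" -eq 0 ] && [ "$other_bits" -eq 0 ]; then
        echo "owner-only"
    else
        echo "readable-by-others"
    fi
}

# 077: only the owner can use the file; 002: every member of the file's
# group can modify it; 022 is the common middle ground.
for mask in 077 022 002; do
    mode=$(mode_under_umask "$mask")
    printf 'umask %s -> mode %s (%s)\n' "$mask" "$mode" "$(classify_mode "$mode")"
done
```

With a group-writable default, any account in the site's group can modify files the web server creates, so the setting is only as safe as that group's membership.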