Is it possible to execute perl CGI scripts owned by two different users on the same virtual account?
I am not really sure I am asking this question correctly so let me give you some background and a specific example:
We have a virtual hosting account with a Hosting company that I don't want to mention. UserA is the main user account we received when we signed up. We can upload and use scripts on this account as UserA without any problems. We had the host add a second FTP & SSH account which we will call UserB. I can upload files as UserB and I can execute scripts in a shell as UserB but I get a 500 error when trying to run a script by UserB in a browser. Is this a limitation or security issue with Apache? Is it possible to do what I want to do?
This is on a RedHat 6.2 server to the best of my knowledge. UserB is in the same group as UserA if that helps.
Thanks
~Chas
jtan15
05-21-2001, 02:58 PM
I do not believe it is possible to safely do this. In the Apache vhost, you must define a "user" who owns the account. Correct me if I am wrong, but you cannot specify two users.
Your best bet would be to either ask the company to set up another vhost for you, or chown UserB data as UserA.
Thanks, Vincent.
I thought about trying to chown the files from UserB to UserA but that defeats my purpose. I installed a Gossamer-Threads.com product called FileMan that users can use to upload files to the site and I wanted those files uploaded as UserB. This way I can block any perl scripts they upload from accessing any of the files that belong to UserA. If I had two separate virtual accounts on the same server would I be able to upload files from UserB into a UserA directory?
Thanks again for your answer, Vincent.
~Chas
Farmer
05-22-2001, 11:33 PM
There is nothing special about the restriction; it's standard Linux security.
Basically if you want other users to execute the script through the browser you would have to change the permissions of the files (rwx).
If you want other users to open up files through the shell then I suggest you chown the files to the appropriate user.
cperciva
05-23-2001, 12:15 AM
You'll need to get your web host to change httpd.conf settings for you.
This is one of the more irksome things about suexec... in their paranoia they added more security tests than absolutely necessary, thereby causing problems like this.
Thanks for the replies!
I have already played around with permissions on the files and directories but that doesn't work. I did look into the docs at apache.org but I wasn't able to get much out of it.
cperciva, do you know of any virtual hosts that would be willing to make the needed changes to the httpd.conf? I get lucky if the host I use now just responds to one of my support e-mails so I don't think this will be an option with them.
Thanks again
~Chas
c-piper@pacbell.net
cperciva
05-23-2001, 01:13 AM
Originally posted by Chas:
"cperciva, do you know of any virtual hosts that would be willing to make the needed changes to the httpd.conf? I get lucky if the host I use now just responds to one of my support e-mails so I don't think this will be an option with them."
The changes necessary would be to create a second VirtualHost entry in httpd.conf; however you'd also have to have separate directories for the two users (suexec requirement).
I can't say what web hosts would do this; it isn't something that many people would need or ask for so I'd imagine that most would just be confused and not understand.
(FWIW, the alternative is to patch suexec to be less paranoid in its security checks but I can't imagine that *any* web host is going to be willing to apply an un-audited 3rd party patch to a suid script.)
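An added diagnostic sketch, not part of the thread and not suexec's own code: it applies a subset of the ownership and permission checks listed in Apache's suexec documentation to a CGI script, showing why a script owned by UserB is refused when the vhost runs CGI as UserA, and why group membership or looser permissions do not help. The function name and the sample file are assumptions constructed for the example.

```python
import os
import stat
import tempfile


def suexec_style_checks(script, target_uid, target_gid):
    """Return the reasons a suexec-style wrapper would refuse to run `script`.

    Covers only a subset of the documented suexec checks (owner match,
    no group/other write access, no setuid/setgid bit); a diagnostic aid only.
    """
    problems = []
    directory = os.path.dirname(os.path.abspath(script))
    dir_st = os.stat(directory)
    file_st = os.stat(script)

    for label, st in (("directory", dir_st), ("script", file_st)):
        # The vhost's configured user/group must own both the script and
        # the directory that contains it.
        if st.st_uid != target_uid or st.st_gid != target_gid:
            problems.append(
                f"{label} owner {st.st_uid}:{st.st_gid} does not match "
                f"target {target_uid}:{target_gid}"
            )
        # Nobody except the owner may be able to modify either one.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{label} is writable by group or others")

    if file_st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("script is setuid or setgid")
    return problems


if __name__ == "__main__":
    # Constructed sample: a throwaway CGI file owned by the current user.
    workdir = tempfile.mkdtemp()
    cgi = os.path.join(workdir, "upload.cgi")
    with open(cgi, "w") as fh:
        fh.write("#!/usr/bin/perl\nprint \"Content-type: text/plain\\n\\nok\\n\";\n")
    os.chmod(workdir, 0o755)
    os.chmod(cgi, 0o755)
    st = os.stat(cgi)

    print("vhost user owns the script:", suexec_style_checks(cgi, st.st_uid, st.st_gid))
    # A different vhost user (uid + 1 is a stand-in for "UserA").
    print("vhost user differs:", suexec_style_checks(cgi, st.st_uid + 1, st.st_gid))
```

Run it on the host against the failing script with the uid and gid of the account the vhost is configured for; an empty list means these particular checks pass and the 500 has another cause.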