On Tue, 18 Jun 2002 16:18:32 -0700
"Dale Schuster"
Hello list members,
I've just started to use the "~user/" directories in Apache. SuSE 7.1 configures Apache to run as wwwrun user and nogroup group. Apparently this user cannot access home directories on the filesystem, therefore cannot serve the pages properly. Only a forbidden error is issued.
If I allow read and execute permissions on the home directory and the public_html directory things work as expected, BUT this allows EVERYONE to browse the contents of home directories.
It seems SuSE would have prepared for this and developed a procedure to allow for the use of public_html directories. Can someone please enlighten me?
That's the way it works. Most other Linux systems run Apache as "nobody::nogroup" and you need to have at least 711 permissions on your /home and /public_html directories. It gets complicated even further if you want to run CGI programs. Then you need some 777 directories and files to let the web browser make and modify files in the cgi-bin. If you are very careful, you can let Apache come into your /public_html but have reduced permissions on all your other directories under /home, like 700. That way Apache can come into public_html, but your other directories are somewhat protected.
Apache has a program called "suexec". If that is installed, when Apache goes into home directories, it assumes the "user:group" of the owner of the home directory. This solves the problem above, but creates another... because now the visitor coming in thru Apache has YOUR rights and can change permissions on files etc. But you can keep your public_html at mode 700 if you want. So most people will use suexec to run a public_html directory of some "made-up user". Say you want to run a store, where the users need to write files; you can make a user called "store" and run suexec. There is another program called cgi-wrap which will do things similar to suexec. The way you turn on suexec is just to install it. If Apache finds the suexec executable, it sets it up and creates a suexec.log.
Remember this about permissions on directories and files. Write permission on a directory means you can create a file in it, while write permission on a file means you can modify it. You can have permissions set up so you can edit an existing file, but not create a new one. You can search a directory for a file, but not be able to read the file, with the proper permissions. These are the fine distinctions you need to get a handle on to set up Apache for wwwrun::nogroup.
If you run CGI thru Apache, and want to get at a database like MySQL, you need to have a MySQL user "wwwrun", unless you are running suexec.
Hope that sheds a bit of light.
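
The directory-permission distinctions discussed in the thread (711 versus 700 versus 777, and search versus read), as an added example that is not part of the original messages: a shell script that builds a throwaway home tree and reports what an account that is neither owner nor group member, such as the web server's, can do in each directory. The user name `alice` and the `mail` and `cgi-data` directories are constructed for illustration; the script looks at mode bits only and ignores ACLs.

```shell
#!/bin/sh
# Added example: the tree below is constructed for illustration.

# Print the three "other" permission characters of PATH, e.g. "--x".
other_bits() { ls -ld "$1" | cut -c8-10; }

# What an account that is neither owner nor group member can do in DIR.
describe_dir() {
    bits=$(other_bits "$1")
    case $bits in
        r?[xt]) what="list+traverse" ;;
        -?[xt]) what="traverse-only" ;;
        r??)    what="list-names-only" ;;
        *)      what="no-access" ;;
    esac
    case $bits in ?w[xt]) what="$what+create/delete" ;; esac
    echo "$what"
}

# Succeeds if "other" can read FILE: r on the file, x on every directory
# between BASE (exclusive) and the file.
other_can_read() {
    base=$1; dir=$(dirname "$2")
    case $(other_bits "$2") in r??) ;; *) return 1 ;; esac
    while [ "$dir" != "$base" ] && [ "$dir" != "/" ]; do
        case $(other_bits "$dir") in ??[xt]) ;; *) return 1 ;; esac
        dir=$(dirname "$dir")
    done
    return 0
}

# Build a throwaway tree with the modes from the thread; prints its root.
build_demo_home() {
    root=$(mktemp -d) || return 1
    u="$root/home/alice"
    mkdir -p "$u/mail" "$u/public_html/cgi-data"
    echo hello > "$u/public_html/index.html"
    chmod 755 "$root/home"
    chmod 711 "$u" "$u/public_html"
    chmod 700 "$u/mail"
    chmod 777 "$u/public_html/cgi-data"
    chmod 644 "$u/public_html/index.html"
    echo "$root"
}

demo=$(build_demo_home)
for d in "" /public_html /mail /public_html/cgi-data; do
    printf '%-28s %s\n' "~alice$d" "$(describe_dir "$demo/home/alice$d")"
done
other_can_read "$demo" "$demo/home/alice/public_html/index.html" &&
    echo "index.html is readable by the web server account"
rm -rf "$demo"
```

With 711 the home directory can be passed through but not listed, so a file is reachable only by someone who already knows its name; the 777 directory is the one any local account can create and delete files in.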