 |
Apache and SuexecUserGroup
|
 |
[If you're not a CGI writer then you might want to stop reading now.]
With Apache 2.0 you can configure it so that when it's running your CGI it does it as a different user and group. This is Good Thing™ on a shared hosting platform, which is where most web sites are hosted, as it means someone else's script can't screw with your files.
I've had a strange problem recently however. A script took an image upload from a user and placed it in a directory under the document root. It was owned by the account user and had permissions of 600, so only that user could read (and write) it. No problem I thought given than the hosting company have Apache configured to run as that user but when you try to view the image from a web browser you get
|
Access forbidden!
You don't have permission to access the requested object. It is either
read-protected or not readable by the server.
If you think this is a server error, please contact the webmaster.
Error 403
|
Having actually read the documentation I now understand why. The ISP use the SuexecUserGroup directive and, as I said above, that's what ensures your CGI (in my case PHP) runs as the right user. However this only applies to CGI. As it says in the documentation "Non-CGI requests are still processes with the user specified in the User directive". So that's Apache's default user, hence the image can't be read.
So changing permission on the image to 644 fixed it.
| Tags: linux |
Written 03/07/08 |
Comment on this article
|
