Index of /~knuta/mpm-itk

Name                          Last modified      Size

Parent Directory                                 -
README.html                   03-May-2012 07:09  2.4K
mpm-itk-perdir-regex.patch    06-Mar-2011 23:27  4.9K

This patch is a supplement for the MPM-ITK patchset, adding the per-directory setting AssignUserFromPath <path-regex> <user-pattern> <group-pattern>.

Using a regex for setting the user and/or group name might seem scary, but it has a number of uses in cases where a hard-coded list of <Directory> clauses would be impractical:

This patch is against MPM-ITK version 2.2.11-02. You might have to knead it a little if you are using a later version of MPM-ITK.

Please Note: This patch has only been briefly tested. Remember to test it rigorously before applying it in a production environment!

Examples

	<Directory /home>
		AssignUserFromPath "^/home/([^/]+)" www-data $1-web
	</Directory>

Some notes on security

Note that these patches (just like the normal MPM-ITK) will accept whatever user you give them. Thus, if you create a folder /home/root and use

    AssignUserFromPath "^/home/([^/]+)" $1 $1

as the regex, Apache will run as root. You can avoid this by not creating such a folder, or by always having a special suffix for your web users (I recommend the latter). A configuration like

    AssignUserFromPath "^/home/([^/]+)" $1-web $1-web

will ensure that the user name ends with “-web”, so that /home/root would make the server run as “root-web”, eliminating the risk of accidentally running the web server as root or any other system user. This can be desirable for other reasons as well, since users often want to have some data in their home directory which is not accessible by Apache. In such cases, having a special “web” group for web files will allow the user “foo” to set the group “foo-web” for the files accessible by the web server, while other files in the home directory can be private. For a setup where the user has a separate group for web files, I would recommend a setting like

    AssignUserFromPath "^/home/([^/]+)" www-data $1-web

and changing the group of /home/foo/public_html to foo-web. Also make sure that only the owner and group can access the files.


-- Knut Auvor Grythe
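
The check below is an added example, not part of the patch or the original README: it expands an AssignUserFromPath line against a list of directories and flags any path-derived user or group that resolves to a system account, which is the /home/root case described in the security notes. It assumes that $N is replaced by capture group N, uses Python's re module as a stand-in for Apache's regex engine, and takes its account ids from a constructed table rather than the real passwd and group databases.

```python
import re
import shlex

# Constructed stand-in for the passwd/group databases: name -> numeric id.
SAMPLE_IDS = {"root": 0, "www-data": 33, "alice": 1000,
              "alice-web": 2000, "root-web": 2001}

def parse_directive(line):
    """Split 'AssignUserFromPath <regex> <user> <group>' into its parts."""
    parts = shlex.split(line, comments=True)
    if len(parts) != 4 or parts[0] != "AssignUserFromPath":
        raise ValueError("not an AssignUserFromPath directive: %r" % line)
    return re.compile(parts[1]), parts[2], parts[3]

def expand(pattern, match):
    """Substitute $0..$9 with capture groups (assumed backreference semantics)."""
    def group_text(ref):
        idx = int(ref.group(1))
        return (match.group(idx) or "") if idx <= match.re.groups else ""
    return re.sub(r"\$(\d)", group_text, pattern)

def is_risky(pattern, name, ids, min_id):
    """A path-derived name that resolves to a system account is the risk."""
    return bool(re.search(r"\$\d", pattern)) and ids.get(name, min_id) < min_id

def audit(line, paths, ids=SAMPLE_IDS, min_id=1000):
    """Return (path, user, group, verdict) for every path the regex matches."""
    regex, user_pat, group_pat = parse_directive(line)
    results = []
    for path in paths:
        m = regex.search(path)
        if m is None:
            continue  # directive does not apply to this directory
        user, group = expand(user_pat, m), expand(group_pat, m)
        risky = (is_risky(user_pat, user, ids, min_id)
                 or is_risky(group_pat, group, ids, min_id))
        results.append((path, user, group, "PRIVILEGED" if risky else "ok"))
    return results

if __name__ == "__main__":
    dirs = ["/home/alice/public_html", "/home/root/public_html", "/srv/www"]
    for cfg in ('AssignUserFromPath "^/home/([^/]+)" $1 $1',
                'AssignUserFromPath "^/home/([^/]+)" $1-web $1-web',
                'AssignUserFromPath "^/home/([^/]+)" www-data $1-web'):
        print(cfg)
        for row in audit(cfg, dirs):
            print("   ", row)
```

A literal name such as www-data is not flagged, because it is chosen by the administrator and not by the directory name.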