[vox-tech] Apache and group permissions
Micah Cowan
micah at cowan.name
Fri Oct 6 14:57:19 PDT 2006
On Fri, 2006-10-06 at 14:47 -0700, Micah Cowan wrote:
> On Fri, 2006-10-06 at 14:38 -0700, Rod Roark wrote:
> > Replying to myself:
> >
> > On Friday 06 October 2006 13:35, Rod Roark wrote:
> > > I have a very puzzling (to me) problem. I'm working with a Mandriva
> > > box running Apache 2.0.54. It runs as user nobody with its group ID
> > > set to -1 -- i.e. httpd.conf includes:
> > >
> > > User nobody
> > > Group #-1
> >
> > It turns out if I change it to "Group nogroup", everything works.
> >
> > So is setgid(-1) supposed to disable group permissions? I have never
> > seen that documented....
>
> No, it would probably set the group id to 65535 on most systems (which
> is frequently called "nobody").
>
> The problem is that the groups listed in /etc/group are "supplementary"
> groups, and a simple setgid or setuid don't by themselves load the
> supplementary group information for the new user into the kernel's
> process table for that process. Something else is required, but I'm not
> entirely sure what that something is for non-interactive scripts.
The command "newgrp" is used to "log in" as a new group. This can be
used to spawn a new shell with the specified group. For instance,
running a shell-script CGI program, you could probably get it to do what
you want by changing the shebang line from:
#!/bin/sh
to:
#!/usr/bin/newgrp faxgroup
newgrp uses the system call setgroups() to accomplish what it needs to.
I'm still not sure what the appropriate way to get this working in PHP
would be, though.
--
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer...
http://micah.cowan.name/
More information about the vox-tech
mailing list