mod_vhost_alias + suEXEC: automatically selecting the uid/gid

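I am trying to configure Debian 6.0.4 for mass shared hosting of PHP5. The packages apache2-mpm-worker libapache2-mod-fcgid apache2-suexec are installed.

I successfully loaded mod_vhost_alias and suexec to manage my domains by directory, then I put this configuration into /etc/apache2/sites-enabled/001-vhostalias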

NameVirtualHost *:80
ServerName web-test.mynet.lan
DocumentRoot /var/www/

SuexecUserGroup www-data www-data    

UseCanonicalName    Off
VirtualDocumentRoot /var/www/www.%2+/public_html/
VirtualScriptAlias /var/www.%2+/cgi-bin/

DirectoryIndex index.html index.htm index.shtml index.php   

ScriptAlias /__php5-cgi/ "/usr/local/lib/custom-cgi/php5-cgi/"
Action php5-script /__php5-cgi/php5-cgi
AddHandler php5-script .php

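With the above, for example, putting a domain named www.test-a.com online requires:

  • an adduser test-a.com (forcing the bad name)
  • mkdir -p /var/www/www.test-a.com/public_html and putting the data in it
  • a chmod and a chown of the files, and everything works fine...

Without suEXEC, I ran some simple PHP tests and it works fine as uid/gid www-data. But now I need to enable suEXEC to isolate the domains...

The question is: how can I tell the suexec directive to automatically pick up the correct uid/gid?

I am using the default suEXEC configuration: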

root@web-test:/var/www# /usr/lib/apache2/suexec -V
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"

But it crashes:

root@web-test:/var/www# tail /var/log/apache2/suexec.log 
[2012-05-05 18:31:48]: cannot run as forbidden uid (33/php5-cgi)
[2012-05-05 18:34:24]: uid: (33/www-data) gid: (33/www-data) cmd: php5-cgi

Note: I previously used apache2-mpm-itk, but it was quite unstable after 400-500 VirtualHost definitions, in particular it crashes on apache2ctl restart|graceful

Thanks
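The `cannot run as forbidden uid (33/php5-cgi)` line in the log above follows from the `suexec -V` limits: www-data is uid 33, below AP_UID_MIN=100. The Python below is an added example, not part of the original post and a simplified model of suEXEC's checks rather than its source; the uid/gid 1001 and the file owner and mode values are constructed.

```python
import os
import re

# `suexec -V` output as shown in the question.
SUEXEC_V = """
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"
"""

def parse_suexec_v(text):
    """Turn `-D NAME=value` lines into a dict; numeric values become int."""
    cfg = {}
    for name, value in re.findall(r'-D\s+(\w+)=(\S+)', text):
        value = value.strip('"')
        cfg[name] = int(value) if value.isdigit() else value
    return cfg

def check_target(cfg, uid, gid, cgi_dir, owner_uid, owner_gid, mode):
    """Reasons this model refuses a request; owner_*/mode describe the program file."""
    reasons = []
    if uid == 0 or uid < cfg["AP_UID_MIN"]:
        reasons.append("forbidden uid")
    if gid == 0 or gid < cfg["AP_GID_MIN"]:
        reasons.append("forbidden gid")
    # Strict containment in the docroot (a model, not suEXEC's exact comparison).
    root = os.path.normpath(cfg["AP_DOC_ROOT"])
    path = os.path.normpath(cgi_dir)
    if path != root and not path.startswith(root + os.sep):
        reasons.append("command not in docroot")
    if (owner_uid, owner_gid) != (uid, gid):
        reasons.append("target uid/gid mismatch with program")
    if mode & 0o022:
        reasons.append("program writable by group or others")
    if mode & 0o6000:
        reasons.append("program is setuid/setgid")
    return reasons

if __name__ == "__main__":
    cfg = parse_suexec_v(SUEXEC_V)
    # The question's setup: www-data (33/33) running the root-owned php5-cgi wrapper.
    print(check_target(cfg, 33, 33, "/usr/local/lib/custom-cgi/php5-cgi", 0, 0, 0o755))
    # Constructed per-domain user 1001/1001 owning a wrapper inside the docroot.
    print(check_target(cfg, 1001, 1001, "/var/www/www.test-a.com/cgi-bin", 1001, 1001, 0o755))
```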

Answer 1

I suggest using mpm-itk

Package: apache2-mpm-itk
Description: multiuser MPM for Apache 2.2
 The ITK Multi-Processing Module (MPM) works in about the same way as the classical "prefork" module (that is, without threads),
 except that it allows you to constrain each individual vhost to a particular system user. This allows you to run several different
 web sites on a single server without worrying that they will be able to read each others' files. This is a third-party MPM that is
 not included in the normal Apache httpd.

 Please note that this MPM is somewhat less tested than the MPMs that come with Apache itself.

With an additional patch you can assign the uid/gid dynamically. I have been using this solution for about 2 years without any problems.

<VirtualHost *:80>
    ServerName www.example.net
    ServerAlias *.example.net
    UseCanonicalName Off

    VirtualDocumentRoot /vhosts/example.net/%1
    DirectoryIndex index.php index.html

    AssignUserFromPath "^/vhosts/example.net/([^/]+)" mvh_$1 mvh_$1

    <Directory /vhosts/example.net>
        Options -Indexes +Includes
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

Answer 2

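The SuexecUserGroup directive does not appear to support variables, so there is no easy way to achieve what you want. This mailing list post also says that it is not possible and that a CGI wrapper should be used instead. The only other approach I can think of is to abuse suEXEC's mod_userdir integration and somehow rewrite requests to user directories, but that is unlikely to work well.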
