From 64aa8201b51d98aaf6037986308b32ddf33b1926 Mon Sep 17 00:00:00 2001
From: robs
When FastCgiWrapper
is enabled, the location of static or external FastCGI application
- directives can be important. They inherit their user and group from the User
and
- Group
of the virtual server in which they were defined. User
and
- Group
directives should precede FastCGI application definitions. Note that this does
- not limit the FastCGI application to the virtual server in which they were defined, the
- application is allowed to service requests from any virtual server with the same user and group. If a
- request is received for a FastCGI application without an existing matching definition running with the
- correct user and group, a dynamic instance of the application is started with the correct user and group.
- This can lead to multiple copies of the same application running with different user/group. If this is a
- problem, preclude navigation to the application from other virtual servers or configure the virtual servers
- with the same User and Group.
+ directives can be important. Under Apache 1.3, they inherit their user and group from the user and
+ group
of the virtual server in which they are defined. User
and Group
directives must precede
+ FastCGI application definitions. Under Apache 2.0, the -user
and -group
options
+ to FastCgiServer and FastCgiExternalServer directives must be used (dynamic applications still use
+ the virtual server's user and group).
+
+ Note that access to (use of) FastCGI applications is not limited to the virtual server in + which they were defined. The application is used to service requests from any virtual server with the same + user and group. +
++ If a request is received for a FastCGI application without an existing matching definition already running + with the correct user and group, a dynamic instance of the application is started with the correct user and + group. This can lead to multiple copies of the same application running with different user/group. If this + is a problem, preclude navigation to the application from other virtual servers or configure the virtual + servers with the same User and Group.
See the Apache documentation for more information about suexec (make sure you fully understand the security -- 2.11.4.GIT
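Review bot: The added Apache 2.0 sentence ("the -user and -group options to FastCgiServer and FastCgiExternalServer directives must be used") is not carried through the two paragraphs that follow it. Those paragraphs still describe matching and the workaround only in terms of the virtual server's User and Group. A reader on 2.0 therefore cannot tell what "the correct user and group" is compared against for a static or external application. Since the parenthetical says dynamic applications still use the virtual server's user and group, please state explicitly how the -user/-group values relate to the requesting virtual server's User and Group when deciding whether an existing definition matches. The closing advice ("configure the virtual servers with the same User and Group") should also cover the 2.0 case, for example by saying the options should agree with the User and Group of each virtual server meant to reach the application. As written, the text says a second copy can be started under a different identity but gives 2.0 users no way to avoid it. It would also help to say what happens under 2.0 when -user/-group are omitted, because "must be used" gives no indication of the resulting identity.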