undefined | Better HN

0 pointsuggedal13y ago0 comments

"mpm-itk allows you to run each of your vhost under a separate uid and gid—in short, the scripts and configuration files for one vhost no longer have to be readable for all the other vhosts"

- http://mpm-itk.sesse.net/

0 comments

2 comments · 1 top-level

derefr13y ago· 1 in thread

I don't quite understand why that would be necessary. Nginx has no business accessing other users' files in the first place.

I mean, I understand why Apache needs to do it: with Apache, you have things like mod_php running in-process, so it makes sense to restrict Apache, running one of Bob's scripts, from accessing Alice's files.

But with Nginx, anything with "intelligence" runs out-of-process. What Nginx expects you to do is to run it as one user, but run each app server (in PHP terms, each FCGI socket daemon) as the user whose files that server should access. (Or, better yet, run the app server in an LXC container along with a bind mount to only the files it needs to access. Very Plan9y.)

FooBarWidget13y ago

It may still be a good idea for security reasons. Suppose that an Nginx process is exploited. If it runs under a certain user ID then the exploit likely does not travel past that user. You can make the Nginx user ID different from the actual user ID so that it only has read access.

j / k navigate · click thread line to collapse