1 <?xml version="1.0" encoding="ISO-8859-1"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
4 <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7 This file is generated from xml source: DO NOT EDIT
8 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
10 <title>mod_privileges - Apache HTTP Server Version 2.5</title>
11 <link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
12 <link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
13 <link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
14 <script src="../style/scripts/prettify.min.js" type="text/javascript">
17 <link href="../images/favicon.ico" rel="shortcut icon" /></head>
19 <div id="page-header">
20 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
21 <p class="apache">Apache HTTP Server Version 2.5</p>
22 <img alt="" src="../images/feather.png" /></div>
23 <div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
25 <a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.5</a> > <a href="./">Modules</a></div>
26 <div id="page-content">
27 <div id="preamble"><h1>Apache Module mod_privileges</h1>
29 <p><span>Available Languages: </span><a href="../en/mod/mod_privileges.html" title="English"> en </a></p>
31 <table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Support for Solaris privileges and for running virtual hosts
32 under different user IDs.</td></tr>
33 <tr><th><a href="module-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
34 <tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>privileges_module</td></tr>
35 <tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_privileges.c</td></tr>
36 <tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3 and up, on Solaris 10 and
37 OpenSolaris platforms</td></tr></table>
40 <p>This module enables different Virtual Hosts to run with different
41 Unix <var>User</var> and <var>Group</var> IDs, and with different
42 <a href="http://sosc-dr.sun.com/bigadmin/features/articles/least_privilege.jsp">Solaris Privileges</a>. In particular, it offers a solution to the
43 problem of privilege separation between different Virtual Hosts, first
44 promised by the abandoned perchild MPM. It also offers other security
47 <p>Unlike perchild, <code class="module"><a href="../mod/mod_privileges.html">mod_privileges</a></code>
48 is not itself an MPM. It works <em>within</em> a processing model to
49 set privileges and User/Group <em>per request</em> in a running process.
50 It is therefore not compatible with a threaded MPM, and will refuse
53 <p><code class="module"><a href="../mod/mod_privileges.html">mod_privileges</a></code> raises security issues similar to
54 those of <a href="../suexec.html">suexec</a>. But unlike suexec,
55 it applies not only to CGI programs but to the entire request processing
56 cycle, including in-process applications and subprocesses.
57 It is ideally suited to running PHP applications under <strong>mod_php</strong>,
58 which is also incompatible with threaded MPMs. It is also well-suited
59 to other in-process scripting applications such as <strong>mod_perl</strong>,
60 <strong>mod_python</strong>, and <strong>mod_ruby</strong>, and to
61 applications implemented in C as apache modules where privilege
62 separation is an issue.</p>
65 <div id="quickview"><h3>Topics</h3>
67 <li><img alt="" src="../images/down.gif" /> <a href="#security">Security Considerations</a></li>
68 </ul><h3 class="directives">Directives</h3>
70 <li><img alt="" src="../images/down.gif" /> <a href="#dtraceprivileges">DTracePrivileges</a></li>
71 <li><img alt="" src="../images/down.gif" /> <a href="#privilegesmode">PrivilegesMode</a></li>
72 <li><img alt="" src="../images/down.gif" /> <a href="#vhostcgimode">VHostCGIMode</a></li>
73 <li><img alt="" src="../images/down.gif" /> <a href="#vhostcgiprivs">VHostCGIPrivs</a></li>
74 <li><img alt="" src="../images/down.gif" /> <a href="#vhostgroup">VHostGroup</a></li>
75 <li><img alt="" src="../images/down.gif" /> <a href="#vhostprivs">VHostPrivs</a></li>
76 <li><img alt="" src="../images/down.gif" /> <a href="#vhostsecure">VHostSecure</a></li>
77 <li><img alt="" src="../images/down.gif" /> <a href="#vhostuser">VHostUser</a></li>
79 <h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&list_id=144532&product=Apache%20httpd-2&query_format=specific&order=changeddate%20DESC%2Cpriority%2Cbug_severity&component=mod_privileges">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&component=mod_privileges">Report a bug</a></li></ul><h3>See also</h3>
81 <li><a href="#comments_section">Comments</a></li></ul></div>
82 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
84 <h2><a name="security" id="security">Security Considerations</a></h2>
86 <p><code class="module"><a href="../mod/mod_privileges.html">mod_privileges</a></code> introduces new security concerns
87 in situations where <strong>untrusted code</strong> may be run
88 <strong>within the webserver process</strong>. This applies to
89 untrusted modules, and scripts running under modules such as
90 mod_php or mod_perl. Scripts running externally (e.g. as CGI
91 or in an appserver behind mod_proxy or mod_jk) are NOT affected.</p>
93 <p>The basic security concerns with mod_privileges are:</p>
94 <ul><li>Running as a system user introduces the same security issues
95 as mod_suexec, and near-equivalents such as cgiwrap and suphp.</li>
96 <li>A privileges-aware malicious user extension (module or script)
97 could escalate its privileges to anything available to the
98 httpd process in any virtual host. This introduces new risks
99 if (and only if) mod_privileges is compiled with the
100 <var>BIG_SECURITY_HOLE</var> option.</li>
101 <li>A privileges-aware malicious user extension (module or script)
102 could escalate privileges to set its user ID to another system
103 user (and/or group).</li>
106 <p>The <code class="directive">PrivilegesMode</code> directive allows you to
107 select either <var>FAST</var> or <var>SECURE</var> mode. You can
108 mix modes, using <var>FAST</var> mode for trusted users and
109 fully-audited code paths, while imposing SECURE mode where an
110 untrusted user has scope to introduce code.</p>
111 <p>Before describing the modes, we should also introduce the target
112 use cases: Benign vs Hostile. In a benign situation, you want to
113 separate users for their convenience, and protect them and the server
114 against the risks posed by honest mistakes, but you trust your users
115 are not deliberately subverting system security. In a hostile
116 situation - e.g. commercial hosting - you may have users deliberately
117 attacking the system or each other.</p>
120 <dd>In <var>FAST</var> mode, requests are run in-process with the
121 selected uid/gid and privileges, so the overhead is negligible.
122 This is suitable for benign situations, but is not secure against an
123 attacker escalating privileges with an in-process module or script.</dd>
125 <dd>A request in <var>SECURE</var> mode forks a subprocess, which
126 then drops privileges. This is a very similar case to running CGI
127 with suexec, but for the entire request cycle, and with the benefit
128 of fine-grained control of privileges.</dd>
130 <p>You can select different <code class="directive">PrivilegesMode</code>s for
131 each virtual host, and even in a directory context within a virtual
132 host. <var>FAST</var> mode is appropriate where the user(s) are
133 trusted and/or have no privilege to load in-process code.
134 <var>SECURE</var> mode is appropriate to cases where untrusted code
135 might be run in-process. However, even in <var>SECURE</var> mode,
136 there is no protection against a malicious user who is able to
137 introduce privileges-aware code running <em>before the start of the
138 request-processing cycle.</em></p>
141 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
142 <div class="directive-section"><h2><a name="DTracePrivileges" id="DTracePrivileges">DTracePrivileges</a> <a name="dtraceprivileges" id="dtraceprivileges">Directive</a></h2>
143 <table class="directive">
144 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Determines whether the privileges required by dtrace are enabled.</td></tr>
145 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>DTracePrivileges On|Off</code></td></tr>
146 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>DTracePrivileges Off</code></td></tr>
147 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
148 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
149 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_privileges</td></tr>
150 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available on Solaris 10 and OpenSolaris with
151 non-threaded MPMs (<code class="module"><a href="../mod/prefork.html">prefork</a></code> or custom MPM).</td></tr>
153 <p>This server-wide directive determines whether Apache will run with
154 the <a href="http://sosc-dr.sun.com/bigadmin/features/articles/least_privilege.jsp">privileges</a> required to run
155 <a href="http://sosc-dr.sun.com/bigadmin/content/dtrace/">dtrace</a>.
156 Note that <var>DTracePrivileges On</var> will not in itself
157 activate DTrace, but <var>DTracePrivileges Off</var> will prevent
161 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
162 <div class="directive-section"><h2><a name="PrivilegesMode" id="PrivilegesMode">PrivilegesMode</a> <a name="privilegesmode" id="privilegesmode">Directive</a></h2>
163 <table class="directive">
164 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Trade off processing speed and efficiency vs security against
165 malicious privileges-aware code.</td></tr>
166 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>PrivilegesMode FAST|SECURE|SELECTIVE</code></td></tr>
167 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>PrivilegesMode FAST</code></td></tr>
168 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory</td></tr>
169 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
170 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_privileges</td></tr>
171 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available on Solaris 10 and OpenSolaris with
172 non-threaded MPMs (<code class="module"><a href="../mod/prefork.html">prefork</a></code> or custom MPM).</td></tr>
173 </table><p>This directive trades off performance vs security against
174 malicious, privileges-aware code. In <var>SECURE</var> mode, each request
175 runs in a secure subprocess, incurring a substantial performance penalty.
176 In <var>FAST</var> mode, the server is not protected against escalation
177 of privileges as discussed above.</p>
178 <p>This directive differs slightly between a <code><Directory></code>
179 context (including equivalents such as Location/Files/If) and a
180 top-level or <code><VirtualHost></code>.</p>
181 <p>At top-level, it sets a default that will be inherited by virtualhosts.
182 In a virtual host, FAST or SECURE mode acts on the entire
183 HTTP request, and any settings in a <code><Directory></code>
184 context will be <strong>ignored</strong>. A third pseudo-mode
185 SELECTIVE defers the choice of FAST vs SECURE to directives in a
186 <code><Directory></code> context.</p>
187 <p>In a <code><Directory></code> context, it is applicable only
188 where SELECTIVE mode was set for the VirtualHost. Only
189 FAST or SECURE can be set in this context (SELECTIVE would be
191 <div class="warning"><h3>Warning</h3>
192 Where SELECTIVE mode is selected for a virtual host, the activation
193 of privileges must be deferred until <em>after</em> the mapping
194 phase of request processing has determined what
195 <code><Directory></code> context applies to the request.
196 This might give an attacker opportunities to introduce
197 code through a <code class="directive"><a href="../mod/mod_rewrite.html#rewritemap">RewriteMap</a></code>
198 running at top-level or <code><VirtualHost></code> context
199 <em>before</em> privileges have been dropped and userid/gid set.
203 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
204 <div class="directive-section"><h2><a name="VHostCGIMode" id="VHostCGIMode">VHostCGIMode</a> <a name="vhostcgimode" id="vhostcgimode">Directive</a></h2>
205 <table class="directive">
206 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Determines whether the virtualhost can run
207 subprocesses, and the privileges available to subprocesses.</td></tr>
208 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>VHostCGIMode On|Off|Secure</code></td></tr>
209 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>VHostCGIMode On</code></td></tr>
210 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>virtual host</td></tr>
211 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
212 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_privileges</td></tr>
213 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available on Solaris 10 and OpenSolaris with
214 non-threaded MPMs (<code class="module"><a href="../mod/prefork.html">prefork</a></code> or custom MPM).</td></tr>
216 <p>Determines whether the virtual host is allowed to run fork and exec,
217 the <a href="http://sosc-dr.sun.com/bigadmin/features/articles/least_privilege.jsp">privileges</a> required to run subprocesses. If this is set to
218 <var>Off</var> the virtualhost is denied the privileges and will not
219 be able to run traditional CGI programs or scripts under the traditional
220 <code class="module"><a href="../mod/mod_cgi.html">mod_cgi</a></code>, nor similar external programs such as those
221 created by <code class="module"><a href="../mod/mod_ext_filter.html">mod_ext_filter</a></code> or
222 <code class="directive"><a href="../mod/mod_rewrite.html#rewritemap">RewriteMap</a></code> <var>prog</var>.
223 Note that it does not prevent CGI programs running under alternative
224 process and security models such as <a href="https://httpd.apache.org/mod_fcgid/">mod_fcgid</a>, which is a recommended solution in Solaris.</p>
225 <p>If set to <var>On</var> or <var>Secure</var>, the virtual host
226 is permitted to run external programs and scripts as above.
227 Setting <code class="directive">VHostCGIMode</code> <var>Secure</var> has
228 the effect of denying privileges to the subprocesses, as described
229 for <code class="directive">VHostSecure</code>.</p>
232 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
233 <div class="directive-section"><h2><a name="VHostCGIPrivs" id="VHostCGIPrivs">VHostCGIPrivs</a> <a name="vhostcgiprivs" id="vhostcgiprivs">Directive</a></h2>
234 <table class="directive">
235 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Assign arbitrary privileges to subprocesses created
236 by a virtual host.</td></tr>
237 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>VHostPrivs [+-]?<var>privilege-name</var> [[+-]?privilege-name] ...</code></td></tr>
238 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>None</code></td></tr>
239 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>virtual host</td></tr>
240 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
241 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_privileges</td></tr>
242 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available on Solaris 10 and OpenSolaris with
243 non-threaded MPMs (<code class="module"><a href="../mod/prefork.html">prefork</a></code> or custom MPM)
244 and when <code class="module"><a href="../mod/mod_privileges.html">mod_privileges</a></code> is compiled with the
245 <var>BIG_SECURITY_HOLE</var> compile-time option.</td></tr>
247 <p><code class="directive">VHostCGIPrivs</code> can be used to assign arbitrary <a href="http://sosc-dr.sun.com/bigadmin/features/articles/least_privilege.jsp">privileges</a> to subprocesses created by a virtual host, as discussed
248 under <code class="directive">VHostCGIMode</code>. Each <var>privilege-name</var>
249 is the name of a Solaris privilege, such as <var>file_setid</var>
250 or <var>sys_nfs</var>.</p>
252 <p>A <var>privilege-name</var> may optionally be prefixed by
253 + or -, which will respectively allow or deny a privilege.
254 If used with neither + nor -, all privileges otherwise assigned
255 to the virtualhost will be denied. You can use this to override
256 any of the default sets and construct your own privilege set.</p>
258 <div class="warning"><h3>Security</h3>
259 <p>This directive can open huge security holes in apache subprocesses,
260 up to and including running them with root-level powers. Do not
261 use it unless you fully understand what you are doing!</p></div>
264 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
265 <div class="directive-section"><h2><a name="VHostGroup" id="VHostGroup">VHostGroup</a> <a name="vhostgroup" id="vhostgroup">Directive</a></h2>
266 <table class="directive">
267 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the Group ID under which a virtual host runs.</td></tr>
268 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>VHostGroup <var>unix-groupid</var></code></td></tr>
269 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>Inherits the group id specified in
270 <code class="directive"><a href="../mod/mod_unixd.html#group">Group</a></code></code></td></tr>
271 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>virtual host</td></tr>
272 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
273 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_privileges</td></tr>
274 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available on Solaris 10 and OpenSolaris with
275 non-threaded MPMs (<code class="module"><a href="../mod/prefork.html">prefork</a></code> or custom MPM).</td></tr>
277 <p>The <code class="directive">VHostGroup</code> directive sets the Unix group
278 under which the server will process requests to a virtualhost.
279 The group is set before the request is processed and reset afterwards
280 using <a href="http://sosc-dr.sun.com/bigadmin/features/articles/least_privilege.jsp">Solaris Privileges</a>. Since the setting applies to the
281 <em>process</em>, this is not compatible with threaded MPMs.</p>
282 <p><var>Unix-group</var> is one of:</p>
284 <dt>A group name</dt>
285 <dd>Refers to the given group by name.</dd>
287 <dt><code>#</code> followed by a group number.</dt>
288 <dd>Refers to a group by its number.</dd>
291 <div class="warning"><h3>Security</h3>
292 <p>This directive cannot be used to run apache as root!
293 Nevertheless, it opens potential security issues similar to
294 those discussed in the <a href="../suexec.html">suexec</a>
295 documentation.</p></div>
299 <li><code class="directive"><a href="../mod/mod_unixd.html#group">Group</a></code></li>
300 <li><code class="directive"><a href="../mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code></li>
303 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
304 <div class="directive-section"><h2><a name="VHostPrivs" id="VHostPrivs">VHostPrivs</a> <a name="vhostprivs" id="vhostprivs">Directive</a></h2>
305 <table class="directive">
306 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Assign arbitrary privileges to a virtual host.</td></tr>
307 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>VHostPrivs [+-]?<var>privilege-name</var> [[+-]?privilege-name] ...</code></td></tr>
308 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>None</code></td></tr>
309 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>virtual host</td></tr>
310 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
311 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_privileges</td></tr>
312 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available on Solaris 10 and OpenSolaris with
313 non-threaded MPMs (<code class="module"><a href="../mod/prefork.html">prefork</a></code> or custom MPM)
314 and when <code class="module"><a href="../mod/mod_privileges.html">mod_privileges</a></code> is compiled with the
315 <var>BIG_SECURITY_HOLE</var> compile-time option.</td></tr>
317 <p><code class="directive">VHostPrivs</code> can be used to assign arbitrary <a href="http://sosc-dr.sun.com/bigadmin/features/articles/least_privilege.jsp">privileges</a> to a virtual host. Each <var>privilege-name</var>
318 is the name of a Solaris privilege, such as <var>file_setid</var>
319 or <var>sys_nfs</var>.</p>
321 <p>A <var>privilege-name</var> may optionally be prefixed by
322 + or -, which will respectively allow or deny a privilege.
323 If used with neither + nor -, all privileges otherwise assigned
324 to the virtualhost will be denied. You can use this to override
325 any of the default sets and construct your own privilege set.</p>
327 <div class="warning"><h3>Security</h3>
328 <p>This directive can open huge security holes in apache, up to
329 and including running requests with root-level powers. Do not
330 use it unless you fully understand what you are doing!</p></div>
333 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
334 <div class="directive-section"><h2><a name="VHostSecure" id="VHostSecure">VHostSecure</a> <a name="vhostsecure" id="vhostsecure">Directive</a></h2>
335 <table class="directive">
336 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Determines whether the server runs with enhanced security
337 for the virtualhost.</td></tr>
338 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>VHostSecure On|Off</code></td></tr>
339 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>VHostSecure On</code></td></tr>
340 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>virtual host</td></tr>
341 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
342 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_privileges</td></tr>
343 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available on Solaris 10 and OpenSolaris with
344 non-threaded MPMs (<code class="module"><a href="../mod/prefork.html">prefork</a></code> or custom MPM).</td></tr>
346 <p>Determines whether the virtual host processes requests with
347 security enhanced by removal of <a href="http://sosc-dr.sun.com/bigadmin/features/articles/least_privilege.jsp">Privileges</a> that are rarely needed in a webserver, but which are
348 available by default to a normal Unix user and may therefore
349 be required by modules and applications. It is recommended that
350 you retain the default (On) unless it prevents an application running.
351 Since the setting applies to the <em>process</em>, this is not
352 compatible with threaded MPMs.</p>
353 <div class="note"><h3>Note</h3>
354 <p>If <code class="directive">VHostSecure</code> prevents an application
355 running, this may be a warning sign that the application should be
356 reviewed for security.</p></div>
359 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
360 <div class="directive-section"><h2><a name="VHostUser" id="VHostUser">VHostUser</a> <a name="vhostuser" id="vhostuser">Directive</a></h2>
361 <table class="directive">
362 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the User ID under which a virtual host runs.</td></tr>
363 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>VHostUser <var>unix-userid</var></code></td></tr>
364 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>Inherits the userid specified in
365 <code class="directive"><a href="../mod/mod_unixd.html#user">User</a></code></code></td></tr>
366 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>virtual host</td></tr>
367 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
368 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_privileges</td></tr>
369 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available on Solaris 10 and OpenSolaris with
370 non-threaded MPMs (<code class="module"><a href="../mod/prefork.html">prefork</a></code> or custom MPM).</td></tr>
372 <p>The <code class="directive">VHostUser</code> directive sets the Unix userid
373 under which the server will process requests to a virtualhost.
374 The userid is set before the request is processed and reset afterwards
375 using <a href="http://sosc-dr.sun.com/bigadmin/features/articles/least_privilege.jsp">Solaris Privileges</a>. Since the setting applies to the
376 <em>process</em>, this is not compatible with threaded MPMs.</p>
377 <p><var>Unix-userid</var> is one of:</p>
380 <dd>Refers to the given user by name.</dd>
382 <dt><code>#</code> followed by a user number.</dt>
383 <dd>Refers to a user by its number.</dd>
386 <div class="warning"><h3>Security</h3>
387 <p>This directive cannot be used to run apache as root!
388 Nevertheless, it opens potential security issues similar to
389 those discussed in the <a href="../suexec.html">suexec</a>
390 documentation.</p></div>
394 <li><code class="directive"><a href="../mod/mod_unixd.html#user">User</a></code></li>
395 <li><code class="directive"><a href="../mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code></li>
399 <div class="bottomlang">
400 <p><span>Available Languages: </span><a href="../en/mod/mod_privileges.html" title="English"> en </a></p>
401 </div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
402 <script type="text/javascript"><!--//--><![CDATA[//><!--
403 var comments_shortname = 'httpd';
404 var comments_identifier = 'http://httpd.apache.org/docs/trunk/mod/mod_privileges.html';
406 if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
407 d.write('<div id="comments_thread"><\/div>');
408 var s = d.createElement('script');
409 s.type = 'text/javascript';
411 s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
412 (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
415 d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
417 })(window, document);
418 //--><!]]></script></div><div id="footer">
419 <p class="apache">Copyright 2016 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
420 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
421 if (typeof(prettyPrint) !== 'undefined') {