1 <?xml version="1.0" encoding="ISO-8859-1"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5 This file is generated from xml source: DO NOT EDIT
6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8 <title>mod_privileges - Apache HTTP Server</title>
9 <link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
10 <link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
11 <link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
12 <script src="../style/scripts/prettify.js" type="text/javascript">
15 <link href="../images/favicon.ico" rel="shortcut icon" /></head>
17 <div id="page-header">
18 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
19 <p class="apache">Apache HTTP Server Version 2.5</p>
20 <img alt="" src="../images/feather.gif" /></div>
21 <div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
23 <a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.5</a> > <a href="./">Modules</a></div>
24 <div id="page-content">
25 <div id="preamble"><h1>Apache Module mod_privileges</h1>
27 <p><span>Available Languages: </span><a href="../en/mod/mod_privileges.html" title="English"> en </a></p>
29 <table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Support for Solaris privileges and for running virtual hosts
30 under different user IDs.</td></tr>
31 <tr><th><a href="module-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
32 <tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>privileges_module</td></tr>
33 <tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3 and up, on Solaris 10 and
34 OpenSolaris platforms</td></tr></table>
37 <p>This module enables different Virtual Hosts to run with different
38 Unix <var>User</var> and <var>Group</var> IDs, and with different
39 <a href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp">Solaris Privileges</a>. In particular, it offers a solution to the
40 problem of privilege separation between different Virtual Hosts, first
41 promised by the abandoned perchild MPM. It also offers other security
44 <p>Unlike perchild, <code class="module"><a href="../mod/mod_privileges.html">mod_privileges</a></code>
45 is not itself an MPM. It works <em>within</em> a processing model to
46 set privileges and User/Group <em>per request</em> in a running process.
47 It is therefore not compatible with a threaded MPM, and will refuse
50 <p><code class="module"><a href="../mod/mod_privileges.html">mod_privileges</a></code> raises security issues similar to
51 those of <a href="../suexec.html">suexec</a>. But unlike suexec,
52 it applies not only to CGI programs but to the entire request processing
53 cycle, including in-process applications and subprocesses.
54 It is ideally suited to running PHP applications under <strong>mod_php</strong>,
55 which is also incompatible with threaded MPMs. It is also well-suited
56 to other in-process scripting applications such as <strong>mod_perl</strong>,
57 <strong>mod_python</strong>, and <strong>mod_ruby</strong>, and to
58 applications implemented in C as apache modules where privilege
59 separation is an issue.</p>
62 <div id="quickview"><h3 class="directives">Directives</h3>
64 <li><img alt="" src="../images/down.gif" /> <a href="#dtraceprivileges">DTracePrivileges</a></li>
65 <li><img alt="" src="../images/down.gif" /> <a href="#privilegesmode">PrivilegesMode</a></li>
66 <li><img alt="" src="../images/down.gif" /> <a href="#vhostcgimode">VHostCGIMode</a></li>
67 <li><img alt="" src="../images/down.gif" /> <a href="#vhostcgiprivs">VHostCGIPrivs</a></li>
68 <li><img alt="" src="../images/down.gif" /> <a href="#vhostgroup">VHostGroup</a></li>
69 <li><img alt="" src="../images/down.gif" /> <a href="#vhostprivs">VHostPrivs</a></li>
70 <li><img alt="" src="../images/down.gif" /> <a href="#vhostsecure">VHostSecure</a></li>
71 <li><img alt="" src="../images/down.gif" /> <a href="#vhostuser">VHostUser</a></li>
75 <li><img alt="" src="../images/down.gif" /> <a href="#security">Security Considerations</a></li>
77 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
79 <h2><a name="security" id="security">Security Considerations</a></h2>
81 <p><code class="module"><a href="../mod/mod_privileges.html">mod_privileges</a></code> introduces new security concerns
82 in situations where <strong>untrusted code</strong> may be run
83 <strong>within the webserver process</strong>. This applies to
84 untrusted modules, and scripts running under modules such as
85 mod_php or mod_perl. Scripts running externally (e.g. as CGI
86 or in an appserver behind mod_proxy or mod_jk) are NOT affected.</p>
88 <p>The basic security concerns with mod_privileges are:</p>
89 <ul><li>Running as a system user introduces the same security issues
90 as mod_suexec, and near-equivalents such as cgiwrap and suphp.</li>
91 <li>A privileges-aware malicious user extension (module or script)
92 could escalate its privileges to anything available to the
93 httpd process in any virtual host. This introduces new risks
94 if (and only if) mod_privileges is compiled with the
95 <var>BIG_SECURITY_HOLE</var> option.</li>
96 <li>A privileges-aware malicious user extension (module or script)
97 could escalate privileges to set its user ID to another system
98 user (and/or group).</li>
101 <p>The <code class="directive">PrivilegesMode</code> directive allows you to
102 select either <var>FAST</var> or <var>SECURE</var> mode. You can
103 mix modes, using <var>FAST</var> mode for trusted users and
104 fully-audited code paths, while imposing SECURE mode where an
105 untrusted user has scope to introduce code.</p>
106 <p>Before describing the modes, we should also introduce the target
107 use cases: Benign vs Hostile. In a benign situation, you want to
108 separate users for their convenience, and protect them and the server
109 against the risks posed by honest mistakes, but you trust your users
110 are not deliberately subverting system security. In a hostile
111 situation - e.g. commercial hosting - you may have users deliberately
112 attacking the system or each other.</p>
115 <dd>In <var>FAST</var> mode, requests are run in-process with the
116 selected uid/gid and privileges, so the overhead is negligible.
117 This is suitable for benign situations, but is not secure against an
118 attacker escalating privileges with an in-process module or script.</dd>
120 <dd>A request in <var>SECURE</var> mode forks a subprocess, which
121 then drops privileges. This is a very similar case to running CGI
122 with suexec, but for the entire request cycle, and with the benefit
123 of fine-grained control of privileges.</dd>
125 <p>You can select different <code class="directive">PrivilegesMode</code>s for
126 each virtual host, and even in a directory context within a virtual
127 host. <var>FAST</var> mode is appropriate where the user(s) are
128 trusted and/or have no privilege to load in-process code.
129 <var>SECURE</var> mode is appropriate to cases where untrusted code
130 might be run in-process. However, even in <var>SECURE</var> mode,
131 there is no protection against a malicious user who is able to
132 introduce privileges-aware code running <em>before the start of the
133 request-processing cycle.</em></p>
136 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
137 <div class="directive-section"><h2><a name="DTracePrivileges" id="DTracePrivileges">DTracePrivileges</a> <a name="dtraceprivileges" id="dtraceprivileges">Directive</a></h2>
138 <table class="directive">
139 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Determines whether the privileges required by dtrace are enabled.</td></tr>
140 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>DTracePrivileges On|Off</code></td></tr>
141 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>DTracePrivileges Off</code></td></tr>
142 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
143 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
144 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_privileges</td></tr>
145 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available on Solaris 10 and OpenSolaris with
146 non-threaded MPMs (<code class="module"><a href="../mod/prefork.html">prefork</a></code> or custom MPM).</td></tr>
148 <p>This server-wide directive determines whether Apache will run with
149 the <a href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp">privileges</a> required to run
150 <a href="http://www.sun.com/bigadmin/content/dtrace/">dtrace</a>.
151 Note that <var>DTracePrivileges On</var> will not in itself
152 activate DTrace, but <var>DTracePrivileges Off</var> will prevent
156 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
157 <div class="directive-section"><h2><a name="PrivilegesMode" id="PrivilegesMode">PrivilegesMode</a> <a name="privilegesmode" id="privilegesmode">Directive</a></h2>
158 <table class="directive">
159 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Trade off processing speed and efficiency vs security against
160 malicious privileges-aware code.</td></tr>
161 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>PrivilegesMode FAST|SECURE|SELECTIVE</code></td></tr>
162 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory</td></tr>
163 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
164 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_privileges</td></tr>
165 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available on Solaris 10 and OpenSolaris with
166 non-threaded MPMs (<code class="module"><a href="../mod/prefork.html">prefork</a></code> or custom MPM).</td></tr>
167 </table><p>This directive trades off performance vs security against
168 malicious, privileges-aware code. In <var>SECURE</var> mode, each request
169 runs in a secure subprocess, incurring a substantial performance penalty.
170 In <var>FAST</var> mode, the server is not protected against escalation
171 of privileges as discussed above.</p>
172 <p>This directive differs slightly between a <code><Directory></code>
173 context (including equivalents such as Location/Files/If) and a
174 top-level or <code><VirtualHost></code>.</p>
175 <p>At top-level, it sets a default that will be inherited by virtualhosts.
176 In a virtual host, FAST or SECURE mode acts on the entire
177 HTTP request, and any settings in a <code><Directory></code>
178 context will be <strong>ignored</strong>. A third pseudo-mode
179 SELECTIVE defers the choice of FAST vs SECURE to directives in a
180 <code><Directory></code> context.</p>
181 <p>In a <code><Directory></code> context, it is applicable only
182 where SELECTIVE mode was set for the VirtualHost. Only
183 FAST or SECURE can be set in this context (SELECTIVE would be
185 <div class="warning"><h3>Warning</h3>
186 Where SELECTIVE mode is selected for a virtual host, the activation
187 of privileges must be deferred until <em>after</em> the mapping
188 phase of request processing has determined what
189 <code><Directory></code> context applies to the request.
190 This might give an attacker opportunities to introduce
191 code through a <code class="directive"><a href="../mod/mod_rewrite.html#rewritemap">RewriteMap</a></code>
192 running at top-level or <code><VirtualHost></code> context
193 <em>before</em> privileges have been dropped and userid/gid set.
197 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
198 <div class="directive-section"><h2><a name="VHostCGIMode" id="VHostCGIMode">VHostCGIMode</a> <a name="vhostcgimode" id="vhostcgimode">Directive</a></h2>
199 <table class="directive">
200 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Determines whether the virtualhost can run
201 subprocesses, and the privileges available to subprocesses.</td></tr>
202 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>VHostCGIMode On|Off|Secure</code></td></tr>
203 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>VHostCGIMode On</code></td></tr>
204 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>virtual host</td></tr>
205 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
206 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_privileges</td></tr>
207 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available on Solaris 10 and OpenSolaris with
208 non-threaded MPMs (<code class="module"><a href="../mod/prefork.html">prefork</a></code> or custom MPM).</td></tr>
210 <p>Determines whether the virtual host is allowed to run fork and exec,
211 the <a href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp">privileges</a> required to run subprocesses. If this is set to
212 <var>Off</var> the virtualhost is denied the privileges and will not
213 be able to run traditional CGI programs or scripts under the traditional
214 <code class="module"><a href="../mod/mod_cgi.html">mod_cgi</a></code>, nor similar external programs such as those
215 created by <code class="module"><a href="../mod/mod_ext_filter.html">mod_ext_filter</a></code> or
216 <code class="directive"><a href="../mod/mod_rewrite.html#rewritemap">RewriteMap</a></code> <var>prog</var>.
217 Note that it does not prevent CGI programs running under alternative
218 process and security models such as <a href="http://fastcgi.coremail.cn">mod_fcgid</a>, which is a recommended solution in Solaris.</p>
219 <p>If set to <var>On</var> or <var>Secure</var>, the virtual host
220 is permitted to run external programs and scripts as above.
221 Setting <code class="directive">VHostCGIMode</code> <var>Secure</var> has
222 the effect of denying privileges to the subprocesses, as described
223 for <code class="directive">VHostSecure</code>.</p>
226 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
227 <div class="directive-section"><h2><a name="VHostCGIPrivs" id="VHostCGIPrivs">VHostCGIPrivs</a> <a name="vhostcgiprivs" id="vhostcgiprivs">Directive</a></h2>
228 <table class="directive">
229 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Assign arbitrary privileges to subprocesses created
230 by a virtual host.</td></tr>
231 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>VHostPrivs [+-]?<var>privilege-name</var> [[+-]?privilege-name] ...</code></td></tr>
232 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>None</code></td></tr>
233 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>virtual host</td></tr>
234 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
235 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_privileges</td></tr>
236 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available on Solaris 10 and OpenSolaris with
237 non-threaded MPMs (<code class="module"><a href="../mod/prefork.html">prefork</a></code> or custom MPM)
238 and when <code class="module"><a href="../mod/mod_privileges.html">mod_privileges</a></code> is compiled with the
239 <var>BIG_SECURITY_HOLE</var> compile-time option.</td></tr>
241 <p><code class="directive">VHostCGIPrivs</code> can be used to assign arbitrary <a href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp">privileges</a> to subprocesses created by a virtual host, as discussed
242 under <code class="directive">VHostCGIMode</code>. Each <var>privilege-name</var>
243 is the name of a Solaris privilege, such as <var>file_setid</var>
244 or <var>sys_nfs</var>.</p>
246 <p>A <var>privilege-name</var> may optionally be prefixed by
247 + or -, which will respectively allow or deny a privilege.
248 If used with neither + nor -, all privileges otherwise assigned
249 to the virtualhost will be denied. You can use this to override
250 any of the default sets and construct your own privilege set.</p>
252 <div class="warning"><h3>Security</h3>
253 <p>This directive can open huge security holes in apache subprocesses,
254 up to and including running them with root-level powers. Do not
255 use it unless you fully understand what you are doing!</p></div>
258 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
259 <div class="directive-section"><h2><a name="VHostGroup" id="VHostGroup">VHostGroup</a> <a name="vhostgroup" id="vhostgroup">Directive</a></h2>
260 <table class="directive">
261 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the Group ID under which a virtual host runs.</td></tr>
262 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>VHostGroup <var>unix-groupid</var></code></td></tr>
263 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>Inherits the group id specified in
264 <code class="directive"><a href="../mod/mod_unixd.html#group">Group</a></code></code></td></tr>
265 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>virtual host</td></tr>
266 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
267 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_privileges</td></tr>
268 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available on Solaris 10 and OpenSolaris with
269 non-threaded MPMs (<code class="module"><a href="../mod/prefork.html">prefork</a></code> or custom MPM).</td></tr>
271 <p>The <code class="directive">VHostGroup</code> directive sets the Unix group
272 under which the server will process requests to a virtualhost.
273 The group is set before the request is processed and reset afterwards
274 using <a href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp">Solaris Privileges</a>. Since the setting applies to the
275 <em>process</em>, this is not compatible with threaded MPMs.</p>
276 <p><var>Unix-group</var> is one of:</p>
278 <dt>A group name</dt>
279 <dd>Refers to the given group by name.</dd>
281 <dt><code>#</code> followed by a group number.</dt>
282 <dd>Refers to a group by its number.</dd>
285 <div class="warning"><h3>Security</h3>
286 <p>This directive cannot be used to run apache as root!
287 Nevertheless, it opens potential security issues similar to
288 those discussed in the <a href="../suexec.html">suexec</a>
289 documentation.</p></div>
293 <li><code class="directive"><a href="../mod/mod_unixd.html#group">Group</a></code></li>
294 <li><code class="directive"><a href="../mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code></li>
297 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
298 <div class="directive-section"><h2><a name="VHostPrivs" id="VHostPrivs">VHostPrivs</a> <a name="vhostprivs" id="vhostprivs">Directive</a></h2>
299 <table class="directive">
300 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Assign arbitrary privileges to a virtual host.</td></tr>
301 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>VHostPrivs [+-]?<var>privilege-name</var> [[+-]?privilege-name] ...</code></td></tr>
302 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>None</code></td></tr>
303 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>virtual host</td></tr>
304 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
305 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_privileges</td></tr>
306 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available on Solaris 10 and OpenSolaris with
307 non-threaded MPMs (<code class="module"><a href="../mod/prefork.html">prefork</a></code> or custom MPM)
308 and when <code class="module"><a href="../mod/mod_privileges.html">mod_privileges</a></code> is compiled with the
309 <var>BIG_SECURITY_HOLE</var> compile-time option.</td></tr>
311 <p><code class="directive">VHostPrivs</code> can be used to assign arbitrary <a href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp">privileges</a> to a virtual host. Each <var>privilege-name</var>
312 is the name of a Solaris privilege, such as <var>file_setid</var>
313 or <var>sys_nfs</var>.</p>
315 <p>A <var>privilege-name</var> may optionally be prefixed by
316 + or -, which will respectively allow or deny a privilege.
317 If used with neither + nor -, all privileges otherwise assigned
318 to the virtualhost will be denied. You can use this to override
319 any of the default sets and construct your own privilege set.</p>
321 <div class="warning"><h3>Security</h3>
322 <p>This directive can open huge security holes in apache, up to
323 and including running requests with root-level powers. Do not
324 use it unless you fully understand what you are doing!</p></div>
327 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
328 <div class="directive-section"><h2><a name="VHostSecure" id="VHostSecure">VHostSecure</a> <a name="vhostsecure" id="vhostsecure">Directive</a></h2>
329 <table class="directive">
330 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Determines whether the server runs with enhanced security
331 for the virtualhost.</td></tr>
332 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>VHostSecure On|Off</code></td></tr>
333 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>VHostSecure On</code></td></tr>
334 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>virtual host</td></tr>
335 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
336 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_privileges</td></tr>
337 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available on Solaris 10 and OpenSolaris with
338 non-threaded MPMs (<code class="module"><a href="../mod/prefork.html">prefork</a></code> or custom MPM).</td></tr>
340 <p>Determines whether the virtual host processes requests with
341 security enhanced by removal of <a href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp">Privileges</a> that are rarely needed in a webserver, but which are
342 available by default to a normal Unix user and may therefore
343 be required by modules and applications. It is recommended that
344 you retain the default (On) unless it prevents an application running.
345 Since the setting applies to the <em>process</em>, this is not
346 compatible with threaded MPMs.</p>
347 <div class="note"><h3>Note</h3>
348 <p>If <code class="directive">VHostSecure</code> prevents an application
349 running, this may be a warning sign that the application should be
350 reviewed for security.</p></div>
353 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
354 <div class="directive-section"><h2><a name="VHostUser" id="VHostUser">VHostUser</a> <a name="vhostuser" id="vhostuser">Directive</a></h2>
355 <table class="directive">
356 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the User ID under which a virtual host runs.</td></tr>
357 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>VHostUser <var>unix-userid</var></code></td></tr>
358 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>Inherits the userid specified in
359 <code class="directive"><a href="../mod/mod_unixd.html#user">User</a></code></code></td></tr>
360 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>virtual host</td></tr>
361 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
362 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_privileges</td></tr>
363 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available on Solaris 10 and OpenSolaris with
364 non-threaded MPMs (<code class="module"><a href="../mod/prefork.html">prefork</a></code> or custom MPM).</td></tr>
366 <p>The <code class="directive">VHostUser</code> directive sets the Unix userid
367 under which the server will process requests to a virtualhost.
368 The userid is set before the request is processed and reset afterwards
369 using <a href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp">Solaris Privileges</a>. Since the setting applies to the
370 <em>process</em>, this is not compatible with threaded MPMs.</p>
371 <p><var>Unix-userid</var> is one of:</p>
374 <dd>Refers to the given user by name.</dd>
376 <dt><code>#</code> followed by a user number.</dt>
377 <dd>Refers to a user by its number.</dd>
380 <div class="warning"><h3>Security</h3>
381 <p>This directive cannot be used to run apache as root!
382 Nevertheless, it opens potential security issues similar to
383 those discussed in the <a href="../suexec.html">suexec</a>
384 documentation.</p></div>
388 <li><code class="directive"><a href="../mod/mod_unixd.html#user">User</a></code></li>
389 <li><code class="directive"><a href="../mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code></li>
393 <div class="bottomlang">
394 <p><span>Available Languages: </span><a href="../en/mod/mod_privileges.html" title="English"> en </a></p>
395 </div><div id="footer">
396 <p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
397 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
398 if (typeof(prettyPrint) !== undefined) {