httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Heller" <hel...@deepsoft.com>
Subject Re: [users@httpd] "--enable-mods-shared=all" configure question...
Date Wed, 10 Dec 2003 16:42:29 GMT

In message <Pine.WNT.4.58.0312101051090.1428@Poste3947.hec.ca>, Joshua Slive wr
ites:
>
>On Wed, 10 Dec 2003, Robert Heller wrote:
>> There does seem to be a weirdness with the
>> suexec_module.  It appears that when it is compiled as a module and you
>> want to enable suexec for userdir CGI scripts.  Even if you load the
>> suexec *before* all other modules, suexec is NOT enabled for userdir CGI
>> scripts.
>
>Although I haven't tested it myself, I'd guess that's not the problem.
>
>More likely you are missing other pieces in the suexec setup.  Suexec
>requires not only mod_suexec, but also the suexec binary, which has its
>own ./configure options.  Check the suexec docs.


ALL of this is set up:

         --enable-suexec --with-suexec \
         --with-suexec-caller=%{suexec_caller} \
         --with-suexec-docroot=%{contentdir} \
         --with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \
         --with-suexec-bin=%{_sbindir}/suexec \
         --with-suexec-uidmin=500 --with-suexec-gidmin=100 \

There is a properly built and installed suexec binary and
SuexecUserGroup does in fact enable suexec, but (as has been pointed
out elsewhere!) a SuexecUserGroup configuation option, is NOT the right
thing for *userdir* CGI scripts -- SuexecUserGroup is only for
VirtualHosts.  It *definitely* appears that although suexec is enabled
(and with a LoadModule for the suexec module httpd is seeing the suexec
binary, as seen in the error_log), that userdir CGI scripts are NOT
being run with suexec -- they are being forked *directly* from httpd,
and have the UID httpd is running as.  I am not a total idiot!

What does NOT help is the problem with "--enable-mods-shared=all", which
makes it hard to test.  It looks like I might have to not use shared
modules at all, which would be both dumb and a serious bummer.

>
>Joshua.
>
                                     \/
Robert Heller                        ||InterNet:   heller@cs.umass.edu
http://vis-www.cs.umass.edu/~heller  ||            heller@deepsoft.com
http://www.deepsoft.com              /\FidoNet:    1:321/153

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message