httpd-users mailing list archives

From Nick Wiltshire
Subject [users@httpd] suExec & vhost problem
Date Tue, 08 Jul 2008 21:35:13 GMT
Hi list,

I'm trying to set up suExec with virtual hosts, and I am either going about 
this all wrong, or I have found a bug.

Given the following vhost:

<VirtualHost *:80>

	ScriptAlias /php5 ~/cgi-bin/php
	Action php5-cgi /php5
	AddHandler php5-cgi .php


	DocumentRoot /home/
	<Directory "/home/">
		Order allow,deny
		Allow from all
		Options Indexes FollowSymLinks
	</Directory>

	LogLevel warn
	CustomLog /home/ combined
	ErrorLog /home/

	<Directory /home/>
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>

and the following suExec config:

 -D AP_DOC_ROOT="/opt/ccp"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/apache2/suexec_log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=1000

First I'll explain why I have this setup. /opt/ccp is a piece of software that 
allows me to control the server via http. I'd rather not move it.

The virtual hosts will obviously run as their own user, in their home 
directory (/home/tld).

The line in question is the ScriptAlias line. If I use a full path like:

ScriptAlias /php5 /home/

suExec fails saying it's outside of the docroot. I believe this is correct 
behavior, though it would be nice if suExec knew /home/ is the 
same as ~

Where it gets buggy is if I have it as in the example:

ScriptAlias /php5 ~/cgi-bin/php

Now suExec is happy, but Apache (incorrectly, IMO) prepends ServerRoot and 
cuts off all but the tilde. PHP scripts throw a 403 and in my log I get:

client denied by server configuration: /usr/lib64/apache2/~

I know that the normal behaviour for Apache is to prepend ServerRoot to any 
path not starting with "/", but this conflicts with the requirement of suExec 
to begin any user-owned path with ~ which is why I think it may be considered 
a bug.

Does anyone know how I can achieve this? I'm running Apache 2.2.9 on a Gentoo 
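
Added example, not part of the original message and not code from the Apache httpd project: a simplified C model of the two path rules the message runs into, httpd's ServerRoot-relative resolution of config paths and suexec's docroot check. AP_USERDIR_SUFFIX (set here to suexec's default), the user name and the home directory are assumptions, since the post's own paths are elided.

```c
#include <stdio.h>
#include <string.h>

#define AP_DOC_ROOT       "/opt/ccp"            /* from the post */
#define SERVER_ROOT       "/usr/lib64/apache2"  /* from the logged path in the post */
#define AP_USERDIR_SUFFIX "public_html"         /* assumed: suexec default, not in the post */

/* httpd side: a config path that does not start with '/' is joined onto
 * ServerRoot, so a leading "~" is just a directory name, never a home dir. */
static const char *server_root_relative(const char *path, char *out, size_t n)
{
    const char *root = (path[0] == '/') ? "" : SERVER_ROOT "/";
    snprintf(out, n, "%s%s", root, path);
    return out;
}

/* suexec side: a user argument starting with '~' selects the userdir docroot
 * (<home>/<AP_USERDIR_SUFFIX>); any other user argument selects AP_DOC_ROOT. */
static const char *pick_docroot(const char *user_arg, const char *home, char *out, size_t n)
{
    if (user_arg[0] == '~')
        snprintf(out, n, "%s/%s", home, AP_USERDIR_SUFFIX);
    else
        snprintf(out, n, "%s", AP_DOC_ROOT);
    return out;
}

/* Containment test on already-canonical paths. Stricter than a bare prefix
 * compare: "/opt/ccpx" must not count as inside "/opt/ccp". */
static int in_docroot(const char *cwd, const char *docroot)
{
    size_t n = strlen(docroot);
    return strncmp(cwd, docroot, n) == 0 && (cwd[n] == '/' || cwd[n] == '\0');
}

/* 1 if script_dir would pass the docroot check for this user argument. */
static int suexec_accepts(const char *user_arg, const char *home, const char *script_dir)
{
    char docroot[512];
    return in_docroot(script_dir, pick_docroot(user_arg, home, docroot, sizeof docroot));
}

int main(void)
{
    char buf[512]; /* user name and home directory below are constructed samples */
    printf("%s\n", server_root_relative("~/cgi-bin/php", buf, sizeof buf));
    printf("%d\n", suexec_accepts("exampleuser", "/home/exampleuser", "/home/exampleuser/cgi-bin"));
    return 0;
}
```

The resolved path begins with the /usr/lib64/apache2/~ seen in the error log, and a script directory under /home is rejected whenever the docroot in force is AP_DOC_ROOT (/opt/ccp).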

