httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Wiltshire <n...@customdesigns.ca>
Subject [users@httpd] suExec & vhost problem
Date Tue, 08 Jul 2008 21:35:13 GMT
Hi list,

I'm trying to set up suExec with virtual hosts, and I am either going about 
this all wrong, or I have found a bug.

Given the following vhost:

<VirtualHost *:80>
	SuexecUserGroup example.org example.org

	ScriptAlias /php5 ~/cgi-bin/php
	Action php5-cgi /php5
	AddHandler php5-cgi .php

	ServerName www.example.org
	ServerAlias example.org
	ServerAdmin support@example.org

	DocumentRoot /home/example.org/www/htdocs
	<Directory "/home/example.org/www/htdocs">
		Order allow,deny
		Allow from all
		Options Indexes FollowSymLinks
	</Directory>

	LogLevel warn
	CustomLog /home/example.org/logs/access.log combined
	ErrorLog /home/example.org/logs/error.log

	<Directory /home/example.org/cgi-bin>
		Order allow,deny
		Allow from all
	</Directory>


</VirtualHost>

and the following suExec config:

 -D AP_DOC_ROOT="/opt/ccp"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/apache2/suexec_log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_SUEXEC_UMASK=077
 -D AP_UID_MIN=1000
 -D AP_USERDIR_SUFFIX="cgi-bin"

First I'll explain why I have this setup. /opt/ccp is a piece of software that 
allows me to control the server via http. I'd rather not move it.

The virtual hosts will obviously run as their own user, in their home 
directory (/home/tld).

The line in question is the ScriptAlias line. If I use a full path like:

ScriptAlias /php5 /home/example.org/cgi-bin/php

suExec fails saying it's outside of the docroot. I believe this is correct 
behavior, though it would be nice if suExec knew /home/example.org is the 
same as ~

Where it gets buggy is if I have it as in the example:

ScriptAlias /php5 ~/cgi-bin/php

Now suExec is happy, but Apache (incorrectly, IMO) prepends ServerRoot and 
cuts off all but the tilde. PHP scripts throw a 403 and In my log I get:

client denied by server configuration: /usr/lib64/apache2/~

I know that the normal behaviour for Apache is to prepend ServerRoot to any 
path not starting with "/", but this conflicts with the requirement of suExec 
to begin any user-owned path with ~ which is why I think it may be considered 
a bug.

Does anyone know how I can achieve this? I'm running Apache 2.2.9 on a Gentoo 
box.

Thanks,
Nick

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message