httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vincent Férotin <vincent.fero...@gmail.com>
Subject [users@httpd] Re: Suexec fails to find script to execute, or else refuses to execute it due to mismatching dir./files rights
Date Tue, 28 Apr 2015 08:25:40 GMT
Hi, Apache httpd users mailing-list!

As expected, previous problem was almost trivial but very confusing
for the sys.admin newbie I am.

For the record, there was a wrong path on first line of the CGI script
(shebang), which previously was:

    #!/usr/bin/bash
    #
    # suEXEC wrapper for gitolite-shell
    #
    # Copied from: https://wiki.archlinux.org/index.php/Gitolite

    PROJECT_HOME="/home/work/domain.tld/project"
    export GIT_PROJECT_ROOT="$PROJECT_HOME/git"
    export GITOLITE_HTTP_HOME="$PROJECT_HOME/gitolite"
    export GIT_HTTP_EXPORT_ALL=1

    exec /usr/share/gitolite3/gitolite-shell

Path "/usr/bin/bash" does simply not exist by default on Debian, and
must be replaced by "/bin/bash".
This error seems to be quite common, as explicitly mentioned on Apache
CGI tutorial:
    http://httpd.apache.org/docs/2.2/howto/cgi.html#pathinformation
and on answers as regular tip, e.g on
    http://stackoverflow.com/questions/10135302/python-cgi-on-apache-server
    http://stackoverflow.com/questions/9937213/cgi-script-not-running-internal-server-error-500-error#answer-9956268

Sorry for the noise caused...

-- Vincent

2015-04-22 16:59 GMT+02:00 Vincent Férotin <vincent.ferotin@gmail.com>:
> Hi, Apache httpd users mailing-list!
>
> Trying to configure gitolite3 (http://gitolite.com/) with Apache,
> I encountered some problems with suexec
> (http://httpd.apache.org/docs/2.2/suexec.html) that I did not
> understand.
>
> I'm wondering *where* is the problem:
> if it is a simple wrong config (main hypothesis for the noob I am),
> or if there is something fundamental I missed in suexec principles,
> or if problem comes from OS packaging, or so...
> So, if some of you could help me, or simply redirect to the right
> source of documentation or process, I'll be grateful.
> Anyway, thank you for your attention, and please excuse all possible
> misspelled words or stange phrases
> (non english writer here).
>
>
> Problem
> =======
>
> Here's the problem:
>
> I failed to let suexec run gitolite shell wrapper,
> because of rights on either the wrapper file or its parent directory.
> If suexec found the wrapper, rights on parent directory (which differs
> from wrapper's)
> make suexec to fail -- simplified suexec log follows:
>
>     [2015-04-22]: uid: (110/git) gid: (116/git) cmd: gitolite-suexec-wrapper
>     [2015-04-22]: target uid/gid (110/116) mismatch with directory
> (0/0) or program (110/116)
>
> If rights on wrapper's parent directory are set identical to wrapper ones,
> suexec fails to find it -- simplified suexec log follows:
>
>     [2015-04-22]: uid: (110/git) gid: (116/git) cmd: gitolite-suexec-wrapper
>     [2015-04-22]: (2)No such file or directory: exec failed
> (gitolite-suexec-wrapper)
>
>
> Configuration(s)
> ================
>
> I've mainly followed documentation provided by gitolite:
> http://gitolite.com/gitolite/ssh-and-http.html,
> slightly adapted to potentially have one gitolite instance
> (and its configuration and related git repositories) per virtualhost/project.
>
> Full project has its own dedicated directory (e.g.
> /home/work/domain.tld/project),
> subdivised on:
>
> - etc/          # configuration
>   - httpd.conf  # Apache virtual host configuration for project (see below)
> - git/          # repositories
> - gitolite/     # gitolite's home
> - www/          # web documents
>
> Shell wrapper to gitolite, expected to be executed by suEXEc,
> stands in suEXEc's root, here /var/www
> (see below for suEXEc configuration):
>
>     $ ls /var/www  # truncated
>     gitolite-suexec-wrapper
>
> SuEXEc configuration follows:
>
>     $ /usr/lib/apache2/suexec -V
>      -D AP_DOC_ROOT="/var/www"
>      -D AP_GID_MIN=100
>      -D AP_HTTPD_USER="www-data"
>      -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
>      -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
>      -D AP_UID_MIN=100
>      -D AP_USERDIR_SUFFIX="public_html
>
> Project configuration for Apache is described as:
>
>     <VirtualHost *:80>
>         ServerAdmin webmaster@localhost
>         ServerName project.domain.tld
>         DocumentRoot /home/work/domain.tld/project/www
>
>         CustomLog /var/log/apache2/project.domain.tld-access.log common
>         ErrorLog /var/log/apache2/project.domain.tld-error.log
>
>         <Directory /home/work/domain.tld/project/www>
>             AllowOverride None
>             Order allow,deny
>             Allow from all
>         </Directory>
>
>         ### Authentication ###
>         <Location />
>             AuthType Digest
>             AuthName "project.domain.tld"
>             AuthDigestDomain /
>             AuthDigestProvider file
>             AuthUserFile /home/work/domain.tld/project/etc/.pwdigests
>             Require valid-user
>         </Location>
>
>         SuexecUserGroup git git
>         ScriptAlias /git/ /var/www/gitolite-suexec-wrapper/
>     </VirtualHost>
>
> Git users is identified by:
>
>     $ id git
>     uid=110(git) gid=116(git) groupes=116(git)
>
> (For sake of completness, here are the system softwares
> versions infos:
>
> - OS: Debian Wheezy (currently up-to-date)
> - Apache httpd:  Apache/2.2.22 )
>
> I'vee tried several small variant, but encounter the same main
> problem, described above.
>
>
> Variant 1
> ---------
>
> In first (default) configuration, SuEXEc root document and
> gitolite shell wrapper have following rights:
>
>     $ ls -l /var  # truncated
>     drwxr-xr-x  3 root root   www
>     $ ls -l /var/www  # truncated
>     -rwxr-xr--  1 git  git    gitolite-suexec-wrapper
>
> Then, suEXEc succeeds in finding gitolite shell wrapper,
> but due to owners mismatching between wrapper (git/git)
> and its parent dir. /var/www (root/root), it fails with
> previously mentionned logged error:
>
>     [2015-04-22]: uid: (110/git) gid: (116/git) cmd: gitolite-suexec-wrapper
>     [2015-04-22]: target uid/gid (110/116) mismatch with directory
> (0/0) or program (110/116)
>
>
> Variant 2
> ---------
>
> If instead we set (in a second configuration) owners to be identical,
> as is:
>
>     $ ls -l /var  # truncated
>     drwxr-xr-x  3 git  git    www
>     $ ls -l /var/www  # truncated
>     -rwxr-xr--  1 git  git    gitolite-suexec-wrapper
>
> suexec failed with previously mentionned logged error:
>
>     [2015-04-22]: uid: (110/git) gid: (116/git) cmd: gitolite-suexec-wrapper
>     [2015-04-22]: (2)No such file or directory: exec failed
> (gitolite-suexec-wrapper)
>
>
> Variant 3
> ---------
>
> I've also tried to put gitolite shell wrapper in its own dedicated directory,
> as follows:
>
>     $ ls -l /var/www
>     drwxr-xr-x 2 git git    project.domain.tld-suexec
>     $ ls -l /var/www/project.domain.tld-suexec
>     -rwxr-xr-- 1 git git    gitolite-suexec-wrapper
>
> and adapted virtualhost condfiguration with:
>
>     <VirtualHost *:80>
>         # ... see above for complement...
>
>         SuexecUserGroup git git
>         ScriptAlias /git/
> /var/www/project.domain.tld-suexec/gitolite-suexec-wrapper/
>     </VirtualHost>
>
> As before with variants 1 and 2, if project.domain.tld-suexec has root/root
> as owners, suexec finds the wrapper but fails to execute it.
> And with git/git as owners, it simply doesn't find it.
>
>
> Variant 4
> ---------
>
> Another try following variant 3 was adding explicit CGI handling
> -- script was renamed with a .sh suffix:
>
>     $ ls -l /var/www/project.domain.tld-suexec
>     -rwxr-xr-- 1 git git    gitolite-suexec-wrapper.sh
>
> and project's virtualhost configuration was completed with:
>
>     <VirtualHost *:80>
>         # ... see above for complement...
>
>         <Directory /var/www/project.domain.tld-suexec>
>             #AllowOverride None
>             Order allow,deny
>             Allow from all
>             Options ExecCGI
>             AddHandler cgi-script .sh
>         </Directory>
>         SuexecUserGroup git git
>         ScriptAlias /git/
> /var/www/project.domain.tld-suexec/gitolite-suexec-wrapper.sh/
>     </VirtualHost>
>
> As before with previous variants, if project.domain.tld-suexec has root/root
> as owners, suexec finds the wrapper but fails to execute it.
> And with git/git as owners, it simply did not find it.
>
> ----
>
> Could you please help me?
> I've not easily found (or recognize as it?) any report with this exact situation
> (through google search, Apache mailing list or gitolite's one),
> which let me suspect a misconfiguration or comprehension on my side.
> But i'm not sure this is the case.
>
> Again, thank you for taking time to read all previous lines!
>
> -- Vincent

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message