Re: enabling suexec with debian apache [solved]
On Sat, 26 Feb 2000, Adam Shand wrote:
>
> > That involves creating a virtual host for every user.
> >
> > I was asking whether ~user/cgi-bin can be made to be not under
> > /home/user/public_html/cgi-bin but /home/user/cgi-bin.
>
> with ~username urls it's even easier. i'm not sure how you do it with
> suexec
It is automatic with suexec. You only have to enable suexec by setting
suexec setuid.
> cause i've never tried but with cgiwrap it's trivial. a user would
> run a cgi via cgiwrap like this:
>
> http://www.domain.com/cgi-bin/cgiwrap/username/script.cgi
>
> and the path to user cgi's is hard coded into the cgiwrap program. so when
> the above is called it knows to look in ~username/public_html/cgi-bin for
> the script. hence joe's complaint about the cgi-wrap program. it could
> just as easily look in ~username/cgi-bin and that would mean that there was
> no way for someone to poke around in the users cgi-bin directory by going
> to:
>
> http://www.domain.com/~username/cgi-bin
>
> and viewing the cgi's.
>
> > The problem with this is that this way the users can't do this
> > themselves, but they need me to chown and chgrp their files needing
> > protection. They can't create files with www-data.wwwroot, and apache
> > won't serve files for which it has only group access rights.
>
> if it's the users stuff you want to protect you should figure out how to run
> ~username accounts via suexec (i'm fairly sure it's possible). that way
> they can simply chown all their web pages to them, and chmod 600 all the web
> pages. the web server will be able to read them because it runs as the
> user, and no one else will be able to read them because they are only
> readable by the owner.
>
Unfortunately with apache, data is always served as www-data.www-data or
whatever it is set to in httpd.conf. It does not change uids to serve
normal files, since that would need running as root. It does that for
cgi-s since that inherently needs a program execution itself...
> > Or maybe I only need to restart apache after adding www-data to the
> > user's group? (Adding www-data to the user's group pose no problems if
> > every cgi is run under the owner's id).
>
> i don't understand this. i wouldn't add your users to the www-data group.
>
No. I would add www-data to the user's group. That way it can see the
user's file, and it need not be world-readable. However it did not work.
But maybe only because I did not restart apache, and it did not have the
user's group among its groups.
Robert
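
One way to check whether a running server process actually holds a given group, added here as an example and not part of the original message. It assumes a Linux `/proc/<pid>/status` layout; the uid/gid values 33 and 1000 and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example. A process's supplementary groups are fixed when it starts,
# so a later change to /etc/group is not visible to an already-running
# daemon until it is restarted.

# proc_has_gid STATUS_FILE GID
# STATUS_FILE has the layout of Linux /proc/<pid>/status.
# Returns 0 if GID is the effective gid or a supplementary group of the
# process, 1 if it is not, 2 on unusable input.
proc_has_gid() {
    [ -r "$1" ] || return 2
    case $2 in ''|*[!0-9]*) return 2 ;; esac
    awk -v want="$2" '
        $1 == "Gid:" && $3 == want { found = 1 }   # field 3 = effective gid
        $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# sample_status: write a constructed status file and print its path.
# Constructed values: the server runs as uid/gid 33 with no extra groups,
# as it would if it was started before gid 1000 was granted to it.
sample_status() {
    f=$(mktemp) || return 1
    printf 'Name:\tapache\nUid:\t33\t33\t33\t33\nGid:\t33\t33\t33\t33\nGroups:\t33\n' > "$f"
    printf '%s\n' "$f"
}

# report STATUS_FILE GID: print a verdict for one process and one group.
report() {
    rc=0; proc_has_gid "$1" "$2" || rc=$?
    case $rc in
        0) echo "gid $2 held: group-readable files (e.g. mode 640) can be read" ;;
        1) echo "gid $2 not held: restart the daemon after changing its groups" ;;
        *) echo "cannot read $1, or gid is not numeric" ;;
    esac
}

# Demo on the constructed sample. On a live system, pass the real file:
#   report /proc/PID/status "$(id -g USERNAME)"   # PID, USERNAME: placeholders
sample=$(sample_status)
report "$sample" 33
report "$sample" 1000
rm -f "$sample"
```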