Re: WTF is up with apache?!

To: Technical Support <tech@oatka.net>
Cc: debian-isp@lists.debian.org
Subject: Re: WTF is up with apache?!
From: Tamas TEVESZ <ice@extreme.hu>
Date: Sun, 12 Dec 1999 00:47:04 +0100 (CET)
Message-id: <[🔎] Pine.LNX.3.96.991211225742.27021D-100000@mailtrans.sote.hu>
Reply-to: Tamas TEVESZ <ice@extreme.hu>
In-reply-to: <[🔎] Pine.LNX.3.96.991211133355.11885E-100000@shell>

On Sat, 11 Dec 1999, Technical Support wrote:

 > DocumentRoot /home/decorwholesale.com/www

 > ScriptAlias /cgi-bin/ /home/decorwholesale.com/cgi-bin/

 > [1999-12-11 13:33:01]: command not in docroot
 > 	(/home/decorwholesale.com/cgi-bin/secure/test.pl)

this might even make sense to me, however i'd call this somewhat
idiotic... from suexec.html:

   13. Is the directory within the Apache webspace?

     If the request is for a regular portion of the server, is the
     requested directory within the server's document root?

now the obvious question arising is, is a directory
_aliased_under_the_real_docroot_ under the docroot or not ?

anyway, i tracked this down a bit. (nb. i'm no programmer, i can read
c a bit, that's all, so everything under this may very well be a big 
pile o' sh*t. you've been warned.)

the situation is even worse. it's not about having directories aliased
under the (virtualhost's) docroot and comparing cwd to that. it's
about having the DocumentRoot defined in the _main server config_
and comparing the current working dirs in the _virtualhost_ to that.

illustrating:

main server cfg says, DocumentRoot /var/www

very well, i'm putting the company webpages there. now i'm setting up
a virtual host for myself:

<VirtualHost ice.foo>
DocumentRoot /home/ice/foo/www
ScriptAlias /cgi-bin/ /home/ice/foo/cgi-bin/
User ice
Group ice       # and i want my cgis to be wrapped, too
.. other blah ..
</VirtualHost>

now, apply the following patch to suexec.c:

--- suexec.c~   Tue Jun 22 02:51:41 1999
+++ suexec.c    Sun Dec 12 00:01:25 1999
@@ -454,7 +454,7 @@
     }

     if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
-       log_err("command not in docroot (%s/%s)\n", cwd, cmd);
+       log_err("command not in docroot (cmd: %s cwd: %s dwd: %s)\n", cmd, cwd, dwd);
        exit(114);
     }

(sorry, over 80+ chars, i did not want this nice, just working :)
this barfs some more info at the relevant place. (nb. it goes against
the upstream suexec.c source, however i didnt find anything in the
debian patches that would go against suexec.c, anyway, didnt look too
hard).

now, what is barfs is:

[1999-12-12 00:19:51]: uid: (ice/ice) gid: (ice/ice) cmd: x.cgi
[1999-12-12 00:19:51]: command not in docroot (cmd: x.cgi cwd:
/home/ice/foo/cgi-bin dwd: /var/www)

the problem is obvious from here. why does a vhost's docroot have to
be under the main docroot ?

is this a security consideration ? if yes, would someone light me up,
why ? if not, could this be changed (which is ways over my
knowledge) (netgod?) ?

and please, if this is stupid, tell me where did i go wrong.

thanks,

-- 
[-]
- Túlélsz, pöcök.

Reply to:

Follow-Ups:
- Re: WTF is up with apache?!
  - From: Technical Support <tech@oatka.net>

References:
- WTF is up with apache?!
  - From: Technical Support <tech@oatka.net>

Prev by Date: Floppy-Disk MF2ED (2.88/4.0 MByte)
Next by Date: Re: WTF is up with apache?!
Previous by thread: Re: WTF is up with apache?!
Next by thread: Re: WTF is up with apache?!
Index(es):
- Date
- Thread