
Re: Apache cgi-bin for users



OK, several things on this subject.

"Addhandler cgi-script .cgi .pl" (1) and ScriptAlias (2)
are two different concepts for allowing binaries
to be executed.

Approach 1 will allow the execution of binaries based on
their extension (.cgi and .pl here) regardless of where
they are found. That includes the DocumentRoot directory
and is usually thought to be somewhat insecure.

Approach 2 will allow execution of binaries in a particular
directory (as long as the bins are flagged 755 executable).
Since I prefer this, I will comment on this only.

The "cgi-bin" part of www.domain.com/cgi-bin/
will be mapped to a directory somewhere in your filesystem.
Whether this directory is (write-)accessible via FTP etc. to
your customers is under your control. You can have several
cgi-executable directories.

A common way of setting up Apache would be the following.
(To keep it simple I left out several options I usually
add)

Set up a directory structure like this:

/www/domain01.com/htdocs/
/www/domain01.com/cgi-bin/
/www/domain01.com/logs/

/www/domain02.com/htdocs/
/www/domain02.com/cgi-bin/
/www/domain02.com/logs/
etc.

htdocs will be the directory to hold your customers'
uploadable HTML files etc. cgi-bin will have your
pre-installed cgi-scripts (perl, binaries, shell scripts,
whatever) and logs, well, will have the Apache log files.

Now configure your Apache virtual hosts like this:

<VirtualHost your.ip.here>
    ServerAdmin  webmaster@foo.bar
    DocumentRoot /www/domain01.com/htdocs/
    DirectoryIndex index.php4 index.php3 index.html
    ServerName   www.domain01.com
    ServerAlias  domain01.com

    # Where the logfiles go:
    ErrorLog /www/domain01.com/logs/errors
    CustomLog /www/domain01.com/logs/access combined

    # www.domain01.com/cgi-bin
    ScriptAlias /cgi-bin   /www/domain01.com/cgi-bin

    # For common cgi scripts not editable by customers
    # you might want to add:
    ScriptAlias /common-cgi  /www/whatever/common-cgi
    # /www/whatever/common-cgi should be filled
    # with something useful certainly. Access as
    # http://www.domainXX.com/common-cgi/script.pl

    <Directory /www/domain01.com>
        # Tweak this to your needs:
        Options Includes FollowSymLinks
        # Allow customers to change options
        # within .htaccess files:
        AllowOverride All
    </Directory>
</VirtualHost>


For FTP access make /www/domain01.com/ the home
(changerooted!) directory. Please note
customers might be able to edit/remove logfiles
with this config. In case you depend on the
logs, make sure you take precautions here.
Set the proper userid / rights etc.

If you do not want customers to upload binaries
to cgi-bin, either change the ftp home dir
to /www/domain01.com/htdocs/ or remove the
cgi-bin config options and directory.


For a real life setup with customers having several
domains etc. you will certainly have a more complex
directory structure like /www/customerid/domainname/
and several FTP logins etc.

Hope that helps for a start.

Cheers,
Marcel



Keith Elder <keith@zorka.com> 3 Jan 2002, at 16:36:

> Thanks Marcel,
>
> Let me restate what it was I was asking just to clarify my
> situation. If anyone has any input, by all means ante up.
>
> What I am trying to do is setup the server so users in
> /home/*/ can execute CGI programs on their personal web
> pages on this particular machine.  I found a reference in
> the apache admin guide I have and the apache site which say
> to put the following in the httpd.conf:
>
> <Directory /home/*/public_html/cgi-bin>
>  Options ExecCGI
>  Addhandler cgi-script .cgi .pl
> </Directory>
>
> I have done that, but I still cannot make the following
> work:
>
> http://yourdomain.com/~username/cgi-bin/test.cgi
>
> When this page is run, I get "premature end of headers" in
> the error.log file.  I thought this would be fairly simple
> but it is turning out to be a headache.
>
> Anything else I can try?
>
> Keith
>
>
> * Marcel Hicking (hicking@du.gtn.com) wrote:
> > From: "Marcel Hicking" <hicking@du.gtn.com>
> > To: debian-isp@lists.debian.org
> > Date: Thu, 3 Jan 2002 19:08:32 +0100
> > Subject: Re: Apache cgi-bin for users
> > Reply-to: hicking@du.gtn.com
> > X-mailer: Pegasus Mail for Win32 (v3.12c)
> >
> > ScriptAlias /cgi-bin/ /path/to/customers/cgi-bin/
> >
> > See
> > http://httpd.apache.org/docs/mod/mod_alias.html#scriptalias
> >
> > Please make really(!) sure what security implications it
> > has to allow not trustworthy people (customers ;-) to run
> > programs on _your_ server. Hint: Look for cgi-wrap and
> > changeroot.
> >
> > http://httpd.apache.org/docs-2.0/misc/security_tips.html
> > http://httpd.apache.org/docs-2.0/suexec.html
> >  or better
> > http://wwwcgi.umr.edu/~cgiwrap/
> >
> > Cheers,
> > Marcel
> >
> >
> > Keith Elder <keith@zorka.com> 31 Dec 2001, at 17:31:
> >
> > > Greetings and Happy New Year!
> > >
> > > I am trying to enable cgi-bin on user directories.  I
> > > found the following lines on the apache.org site, put
> > > them in, but they didn't work:
> > >
> > > <Directory /home/*/public_html/cgi-bin>
> > >     Options ExecCGI
> > >  SetHandler cgi-script
> > > </Directory>
> > >
> > >
> > > Any other suggestions as to how to setup cgi-bin
> > > directories for user accounts?
> > >
> > >
> > > Thanks,
> > >
> > > Keith
> > >
> > > #######################################################
> > >                       Keith Elder
> > >                Email: keith@zorka.com
> > >                 Phone: 1-734-507-1438
> > >  Text Messaging (145 characters): mobile@zorka.com
> > > Web: http://www.zorka.com (Howto's, News, and hosting!)
> > >
> > >      "With enough memory and hard drive space
> > >            anything in life is possible!"
> > > #######################################################
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to
> > > debian-isp-request@lists.debian.org with a subject of
> > > "unsubscribe". Trouble? Contact
> > > listmaster@lists.debian.org
> > >
> >
> >
> > --
> >    __
> >  .´  `.
> >  : :' !  Enjoy
> >  `. `´  Debian/GNU Linux
> >    `-
> >
> >
>
>
> #######################################################
>                       Keith Elder
>                Email: keith@zorka.com
>                 Phone: 1-734-507-1438
>  Text Messaging (145 characters): mobile@zorka.com
> Web: http://www.zorka.com (Howto's, News, and hosting!)
>
>      "With enough memory and hard drive space
>            anything in life is possible!"
> #######################################################


--
   __
 .´  `.
 : :' !  Enjoy
 `. `´  Debian/GNU Linux
   `-
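
Added example, not part of Marcel's message: a small Python check that reads a vhost block like the one above and reports the three exposures the message describes (extension-based handlers, a script directory the customer's FTP login can reach, and logs inside the FTP home). The function names, finding codes, sample config and the 192.0.2.10 address are constructed for illustration; the check is purely lexical and does not look at file permissions.

```python
import posixpath

# Constructed sample: the vhost from the message (placeholder IP), plus one
# extension-based handler line so that both approaches appear.
SAMPLE_VHOST = """\
<VirtualHost 192.0.2.10>
    DocumentRoot /www/domain01.com/htdocs/
    ErrorLog /www/domain01.com/logs/errors
    CustomLog /www/domain01.com/logs/access combined
    ScriptAlias /cgi-bin /www/domain01.com/cgi-bin
    ScriptAlias /common-cgi /www/whatever/common-cgi
    AddHandler cgi-script .cgi .pl
</VirtualHost>
"""


def _inside(path, root):
    """True if path is root or lies below it (lexical check, no filesystem access)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def audit_vhost(conf, ftp_home):
    """Return sorted (code, detail) findings for one vhost, given the FTP home."""
    directives = [line.split() for line in map(str.strip, conf.splitlines())
                  if line and not line.startswith(("#", "<"))]
    docroot = next((a[1] for a in directives
                    if a[0].lower() == "documentroot" and len(a) > 1), None)
    findings = []
    for name, *args in directives:
        key = name.lower()
        if key == "addhandler" and args and args[0].lower() == "cgi-script":
            # Approach 1: files with these extensions run wherever they are placed.
            findings.append(("EXT_HANDLER", " ".join(args[1:])))
        elif key == "scriptalias" and len(args) == 2:
            if docroot and _inside(args[1], docroot):
                findings.append(("CGI_IN_DOCROOT", args[1]))
            if _inside(args[1], ftp_home):
                # The FTP login can reach the directory Apache executes from.
                findings.append(("CGI_IN_FTP_HOME", args[1]))
        elif key in ("errorlog", "customlog") and args:
            if _inside(args[0], ftp_home):
                # The FTP login can reach (edit or remove) these logs.
                findings.append(("LOG_IN_FTP_HOME", args[0]))
    return sorted(findings)


if __name__ == "__main__":
    for code, detail in audit_vhost(SAMPLE_VHOST, "/www/domain01.com"):
        print(code, detail)
```

Passing `/www/domain01.com/htdocs` as the FTP home instead clears the cgi-bin and log findings, leaving only the extension-based handler.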


