
Re: suexec permissions

> nodata wrote:
>>><discussion of User directive in VirtualHost elided>
>>>nodata wrote:
>>>>Ah this would explain things more - but then shouldn't running
>>>>http://website/cgi-bin/test.pl work? I get the same search permissions
>>>Er, yep, as far as I can see, it should.  suEXEC can be a little...
>>>finicky :)
>>>What does /var/log/apache/suexec.log say?
>> Nothing :/
>> But the error log for this host has the "failed because search permissions
>> are missing on a component of the path" error.
> A couple of things.
> The suEXEC wrapper itself does setuid() before most of the path/file checks,
> so that's probably not the problem.  The absence of anything in the log file
> also indicates that Apache itself is having trouble reading things, not the
> suEXEC wrapper.
> You might want to try loosening the read permissions on the CGI + path to the
> CGI, and verify (by perhaps touching a file in /tmp) that it is running as the
> user you intended it to.  Then try tightening the read permissions on the
> itself, and then along the path to it.

Done. chmod o+rx on:
then running a system("touch /tmp/blairtest") from cgi-bin/test.pl creates
a file with bob:bob permissions.

> The other thing to check is that your scripts are physically located under
> suEXEC's DOC_ROOT (/var/www on Sarge, I think).

They are.

> Regards,
>     Blair.

The problem with this setup is that I have to have o+rx permission on
directories and non-executables, which is a little messy (and I'm not sure
whether vsftpd can handle this).
Plus everyone on the machine can now read the files.
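
Added example, not part of the original thread: a mode-bit walk over every component of the path to a CGI script, listing the components a given uid cannot pass, which is the condition behind the "search permissions are missing on a component of the path" error. The temporary tree, the bob/cgi-bin/test.pl layout under it and the stand-in uid are constructed for the demonstration; ACLs and root's override are not considered.

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """rwx bits that apply to uid: owner class, else group class, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def blocked_components(target, uid, gids, start="/"):
    """Walk start..target and return (path, mode) for each component that
    uid cannot pass: directories need x (search), the script needs r and x.
    Mode bits only; ACLs, root override and MAC policy are not considered."""
    start = os.path.realpath(start)
    rel = os.path.relpath(os.path.realpath(target), start)
    blocked, current = [], start
    for part in [""] + rel.split(os.sep):
        current = os.path.join(current, part) if part else current
        st = os.stat(current)
        need = 1 if stat.S_ISDIR(st.st_mode) else 5
        if class_bits(st, uid, gids) & need != need:
            blocked.append((current, stat.filemode(st.st_mode)))
    return blocked

def build_sample_tree():
    """Constructed layout: <tmp>/bob/cgi-bin/test.pl, with bob/ at mode 0750."""
    root = tempfile.mkdtemp()
    cgi_dir = os.path.join(root, "bob", "cgi-bin")
    os.makedirs(cgi_dir)
    script = os.path.join(cgi_dir, "test.pl")
    with open(script, "w") as fh:
        fh.write("#!/usr/bin/perl\nprint \"Content-type: text/plain\\n\\nok\\n\";\n")
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "bob"), 0o750)   # no search bit for "other"
    os.chmod(cgi_dir, 0o755)
    os.chmod(script, 0o755)
    return root, script

if __name__ == "__main__":
    root, script = build_sample_tree()
    owner = os.stat(script).st_uid
    other_uid = owner + 1   # constructed stand-in for the web server account
    for path, mode in blocked_components(script, other_uid, set(), start=root):
        print("blocked:", mode, path)
```

On a real host, call `blocked_components()` with the web server account's uid and groups and the default `start="/"`. By mode bits alone, a directory passes the walk with only the search (x) bit set for the relevant class.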

