suExec annoyances

To: debian-user@lists.debian.org
Subject: suExec annoyances
From: Stuart Ballard <sballard@netreach.net>
Date: Wed, 09 Feb 2000 21:02:24 +0000
Message-id: <[🔎] 38A1D5E0.DB818C62@netreach.net>

Can anyone explain to me the restriction on where I can place cgi
scripts if suExec is being used with apache? As best as I can
understand, all cgi scripts must be contained under the *global*
DocumentRoot in order for suExec to run them. This means that when I
have a setup like

DocumentRoot /var/www

<VirtualHost my.ip.address>
  ServerName my.virtualhost.com
  DocumentRoot /usr/local/share/virtualhost
  ScriptAlias /cgi-bin/ /usr/local/share/virtualhost/cgi-bin/
  User vhostusr
  Group vhostgrp
</VirtualHost>

Then requests to any cgi script within
http://my.virtualhost.com/cgi-bin/ will fail with an internal server
error, claiming that the command is "not in the docroot".

Why do I have to completely rearrange my directory structure just to get
suExec to work? All cgi scripts in user home directories fail under this
setup because /home/username is not under /var/www (and any page
accessed using ~username automatically triggers suExec).

The obvious workaround is to set DocumentRoot to /, but I can't think of
a more crazily insecure option.

Does anyone have any suggestions? It seems to me that suExec should be
seeing whether the command is in the documentroot *for this virtual
host*... and I don't understand why it isn't doing that.

Stuart.

Reply to:

Follow-Ups:
- Re: suExec annoyances
  - From: Adam Shand <larry@alaska.net>

Prev by Date: Re: package compilation madness
Next by Date: Re: What do these HD errors mean?
Previous by thread: Re: package compilation madness
Next by thread: Re: suExec annoyances
Index(es):
- Date
- Thread