Re: suExec annoyances
> Can anyone explain to me the restriction on where I can place cgi
> scripts if suExec is being used with apache? As best as I can
> understand, all cgi scripts must be contained under the *global*
> DocumentRoot in order for suExec to run them. This means that when I
> have a setup like
cgi's go in exactly the same place they would go if you weren't running
suexec.
> DocumentRoot /var/www
>
> <VirtualHost my.ip.address>
> ServerName my.virtualhost.com
> DocumentRoot /usr/local/share/virtualhost
> ScriptAlias /cgi-bin/ /usr/local/share/virtualhost/cgi-bin/
> User vhostusr
> Group vhostgrp
> </VirtualHost>
>
> Then requests to any cgi script within
> http://my.virtualhost.com/cgi-bin/ will fail with an internal server
> error, claiming that the command is "not in the docroot".
given the above setup your cgi's should go into
/usr/local/share/virtualhost/cgi-bin/. one thing that you need to change is
that suexec takes care of the 'scriptalias' part. you don't need that. if
you want a url like /cgi-bin/ to work then you can use the 'alias' directive
the the 'scriptalias' is at least unnecessary and may break things.
> Why do I have to completely rearrange my directory structure just to get
> suExec to work? All cgi scripts in user home directories fail under this
> setup because /home/username is not under /var/www (and any page
> accessed using ~username automatically triggers suExec).
in our setup /web/docs is the main doc root and ~user/www is the document
root for all other virtual domains. suexec works in this setup just fine.
> The obvious workaround is to set DocumentRoot to /, but I can't think of
> a more crazily insecure option.
that is *NOT* a good idea.
> Does anyone have any suggestions? It seems to me that suExec should be
> seeing whether the command is in the documentroot *for this virtual
> host*... and I don't understand why it isn't doing that.
the way you think it should work *is* the way it works, something else is
going wrong.
adam.
Reply to: