
Re: enabling suexec with debian apache [solved]



> That involves creating a virtual host for every user.
>
> I was asking whether ~user/cgi-bin can be made to be not under
> /home/user/public_html/cgi-bin but /home/user/cgi-bin.

with ~username urls it's even easier.  i'm not sure how you do it with
suexec because i've never tried, but with cgiwrap it's trivial.  a user would
run a cgi via cgiwrap like this:

	http://www.domain.com/cgi-bin/cgiwrap/username/script.cgi

and the path to user cgi's is hard coded into the cgiwrap program.  so when
the above is called it knows to look in ~username/public_html/cgi-bin for
the script.  hence joe's complaint about the cgi-wrap program.  it could
just as easily look in ~username/cgi-bin and that would mean that there was
no way for someone to poke around in the user's cgi-bin directory by going
to:

	http://www.domain.com/~username/cgi-bin

and viewing the cgi's.

> The problem with this is that this way the users can't do this
> themselves, but they need me to chown and chgrp their files needing
> protection. They can't create files with www-data.wwwroot, and apache
> won't serve files for which it has only group access rights.

if it's the users' stuff you want to protect you should figure out how to run
~username accounts via suexec (i'm fairly sure it's possible).  that way
they can simply chown all their web pages to them, and chmod 600 all the web
pages.  the web server will be able to read them because it runs as the
user, and no one else will be able to read them because they are only
readable by the owner.

> Or maybe I only need to restart apache after adding www-data to the
> user's group? (Adding www-data to the user's group poses no problems if
> every cgi is run under the owner's id).

i don't understand this.  i wouldn't add your users to the www-data group.

adam.
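
Added example, not part of the original message and not cgiwrap's own code: a Python sketch of the two script layouts discussed above, showing which one leaves the script reachable under the ~username URL tree, plus a check for web files that are not mode 600. The function names, the `cgi_subdir` parameter and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile
from pathlib import PurePosixPath

USERDIR = "public_html"  # assumed UserDir name, as used in the thread

def cgiwrap_target(url_path, cgi_subdir):
    """Map /cgi-bin/cgiwrap/<user>/<script> to a path relative to /home."""
    parts = PurePosixPath(url_path).parts
    if len(parts) != 5 or parts[:3] != ("/", "cgi-bin", "cgiwrap"):
        raise ValueError("not a cgiwrap URL path")
    user, script = parts[3], parts[4]
    if ".." in (user, script) or user.startswith("."):
        raise ValueError("rejected path component")
    return PurePosixPath(user) / cgi_subdir / script

def userdir_url(target):
    """Return the ~user URL that maps to the same file, or None."""
    user, *rest = target.parts
    if rest and rest[0] == USERDIR:
        return "/~" + user + "/" + "/".join(rest[1:])
    return None

def loosely_readable(root):
    """List files under root with any group/other permission bit set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if stat.S_IMODE(os.lstat(path).st_mode) & 0o077:
                found.append(os.path.relpath(path, root))
    return sorted(found)

def demo():
    """Build a constructed sample tree and report files that are not 600."""
    with tempfile.TemporaryDirectory() as home:
        web = os.path.join(home, USERDIR)
        os.mkdir(web)
        for name, mode in (("index.html", 0o644), ("private.html", 0o600)):
            path = os.path.join(web, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return loosely_readable(web)

if __name__ == "__main__":
    for sub in ("public_html/cgi-bin", "cgi-bin"):
        t = cgiwrap_target("/cgi-bin/cgiwrap/username/script.cgi", sub)
        print(t, "->", userdir_url(t))
    print("not owner-only:", demo())
```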

