
Re: enabling suexec with debian apache [solved]

On Sat, 26 Feb 2000, Adam Shand wrote:

> 
> > That involves creating a virtual host for every user.
> >
> > I was asking whether ~user/cgi-bin can be made to be not under
> > /home/user/public_html/cgi-bin but /home/user/cgi-bin.
> 
> with ~username URLs it's even easier.  I'm not sure how you do it with
> suexec

It is automatic with suexec. You only have to enable suexec by making the
suexec binary setuid.

> because I've never tried, but with cgiwrap it's trivial.  A user would
> run a CGI via cgiwrap like this:
> 
> 	http://www.domain.com/cgi-bin/cgiwrap/username/script.cgi
> 
> and the path to user CGIs is hard-coded into the cgiwrap program, so when
> the above is called it knows to look in ~username/public_html/cgi-bin for
> the script.  Hence Joe's complaint about the cgiwrap program.  It could
> just as easily look in ~username/cgi-bin, and that would mean that there was
> no way for someone to poke around in the user's cgi-bin directory by going
> to:
> 
> 	http://www.domain.com/~username/cgi-bin
> 
> and viewing the CGIs.
> 
> > The problem with this is that this way the users can't do this
> > themselves, but they need me to chown and chgrp their files needing
> > protection. They can't create files with www-data.wwwroot, and apache
> > won't serve files for which it has only group access rights.
> 
> If it's the users' stuff you want to protect, you should figure out how to run
> ~username accounts via suexec (I'm fairly sure it's possible).  That way
> they can simply chown all their web pages to themselves and chmod 600 all the web
> pages.  The web server will be able to read them because it runs as the
> user, and no one else will be able to read them because they are only
> readable by the owner.
> 

Unfortunately, with apache, data is always served as www-data.www-data (or
whatever it is set to in httpd.conf). It does not change uids to serve
normal files, since that would require running as root. It does that for
CGIs, since those inherently involve executing a program anyway...

> > Or maybe I only need to restart apache after adding www-data to the
> > user's group? (Adding www-data to the user's group pose no problems if
> > every cgi is run under the owner's id).
> 
> I don't understand this.  I wouldn't add your users to the www-data group.
> 

No. I would add www-data to the user's group. That way it can see the
user's files, and they need not be world-readable. However, it did not work.
But maybe that is only because I did not restart apache, so it did not have
the user's group among its groups.

Robert
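The following is a worked example added by the editor; it is not code from the thread or from apache/suexec. It models the POSIX read-permission check that apache is subject to when it serves a static file as www-data, to show the three points Robert makes: a chmod 600 page is unreadable to www-data for static content, adding www-data to the user's group only helps for group-readable (640) files, and that group membership is only seen by apache after a restart, because a process's supplementary groups are fixed when it starts (initgroups/setgroups) and are not re-read from /etc/group afterwards. Only a CGI run through suexec executes as the user itself. All uids, gids, paths and the /etc/group contents below are constructed for illustration.

```python
"""Model of the read check apache faces when serving files as www-data.

Editor's example, not code from the thread. All ids and paths are made up.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class File:
    path: str
    mode: int   # permission bits only, e.g. 0o640
    uid: int
    gid: int


@dataclass(frozen=True)
class Process:
    uid: int
    gid: int
    groups: frozenset   # supplementary gids, fixed at process start


def can_read(f: File, p: Process) -> bool:
    """POSIX discretionary access check for the read bit.

    Root (uid 0) bypasses DAC.  Otherwise exactly one class applies, in
    order: owner, then group (primary or any supplementary), then other.
    """
    if p.uid == 0:
        return True
    if p.uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if p.gid == f.gid or f.gid in p.groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


# Constructed /etc/group: www-data has been added to robert's group.
GROUP_FILE = """\
root:x:0:
www-data:x:33:
robert:x:1000:www-data
"""


def supplementary_groups(group_file: str, username: str) -> frozenset:
    """Parse /etc/group-style lines (name:passwd:gid:member,member,...)
    and return the gids whose member list names `username`.

    This is what initgroups(3) computes when apache starts; a server that
    was already running when /etc/group was edited never sees the change.
    """
    gids = set()
    for line in group_file.splitlines():
        if not line or line.startswith("#"):
            continue
        _name, _pw, gid, members = line.split(":", 3)
        if username in [m for m in members.split(",") if m]:
            gids.add(int(gid))
    return frozenset(gids)


# Constructed ids: robert is a normal user; 33 is www-data on Debian.
ROBERT_UID, ROBERT_GID = 1000, 1000
WWW_UID, WWW_GID = 33, 33


def scenarios() -> dict:
    """Return {description: readable?} for the cases discussed in the thread."""
    page_600 = File("/home/robert/public_html/index.html", 0o600, ROBERT_UID, ROBERT_GID)
    page_640 = File(page_600.path, 0o640, ROBERT_UID, ROBERT_GID)

    # apache started before www-data was added to robert's group:
    # its supplementary group list is empty and stays that way.
    apache_old = Process(WWW_UID, WWW_GID, frozenset())
    # apache restarted after the /etc/group edit: initgroups picks up gid 1000.
    apache_new = Process(WWW_UID, WWW_GID, supplementary_groups(GROUP_FILE, "www-data"))
    # A CGI run through suexec executes as the target user, not as www-data.
    suexec_cgi = Process(ROBERT_UID, ROBERT_GID, frozenset())

    return {
        "static 600 as www-data": can_read(page_600, apache_old),
        "static 640, group added, no restart": can_read(page_640, apache_old),
        "static 640, group added, restarted": can_read(page_640, apache_new),
        "cgi 600 via suexec": can_read(page_600, suexec_cgi),
    }


if __name__ == "__main__":
    for desc, ok in scenarios().items():
        print(f"{desc:40s} -> {'readable' if ok else 'denied'}")
```

The model deliberately ignores directory search (x) bits along the path and any ACLs or MAC layer; on a real system ~user and ~user/public_html must also be searchable by www-data's effective groups for the file check to be reached at all.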
