RE: SuEXEC and CGI to two VirtualHosts
On Sat, 4 Jan 2003, Michael Olds wrote:
> If I understand you correctly, to use SuEXEC I am going to have to either 1.
> completely change the way I wanted to set up my web directory (ies), or 2.
> figure out how to configure SuEXEC prior to compiling Apache and compile it
> from source myself. How can Debian leave us in such a fix?
How can the debian maintainer know where you want install things?
The SuEXEC docs say:
suEXEC Points Of Interest
Hierarchy limitations
For security and efficiency reasons, all suexec requests must remain
within either a top-level document root for virtual host requests, or
one top-level personal document root for userdir requests. For example,
if you have four VirtualHosts configured, you would need to structure all
of your VHosts' document roots off of one main Apache document hierarchy
to take advantage of suEXEC for VirtualHosts. (Example forthcoming.)
It's not the Debian package that's causing that restriction.
> ...where it is
> clear that we can set up the Apache document root any way we want and it is
> absolutely silent on the effects changes will have on using SuEXEC? (I have
> looked through the docs installed with Apache and there is virtually (ahum)
> nothing on SuEXEC.)
That's true, but look at how many module options there are in the default
httpd.conf -- there's no way to list all the details. Think about
mod_perl's potential complex issues. SuEXEC is typically used by ISPs and
other experienced users -- and is also typically used for ~user type
directories which is how the debian package has it.
You have to keep in mind that the debian package is basically the Apache
defaults, plus setup in a standard way to work for a wide group of users.
Most people just use the default config and it works great. Once you
start changing things without have a good knowledge of Apache then you are
in for a frustrating time. It's not easy until you do spend those
frustrating weeks.
> For the record, in order to demonstrate to myself that I did not myself
> insert some hairbrained configuration data in the SuEXEC setup, I
> uninstalled and re-installed Apache. There is no indication at all during
> setup that SuEXEC is being installed (and it is)
It's just another Apache module. Did it tell you that mod_cgi was being
installed? It's a package, and contains a lot of modules.
> why doesn't the installation include the ability to specify the
> document root in the case where SuEXEC is being installed automatically,
> since SuEXEC seems to be so tightly bound to the installation
> configuration)?
Because it's not a configuration parameter -- it's part of the suexec
wrapper program and it's compiled in. When you install a Debian package
you are getting a binary verison. It's a package deal.
> The error message I am now getting from SuEXEC log is: error
> (a different level of error) command not in docroot.
Google. That means you are trying to run a suexec script in a place
that's not in docroot specified at suexec compile time.
--suexec-docroot=DIR
Define as the DocumentRoot set for Apache. This will be the only hierarchy
(aside from UserDirs) that can be used for suEXEC behavior. The default
directory is the --datadir value with the suffix "/htdocs", e.g. if you
configure with "--datadir=/home/apache" the directory
"/home/apache/htdocs" is used as document root for the suEXEC wrapper.
I tried to explain that in my last message.
> Time for some more thought.
I posted a working httpd.conf. Why not just move your directories?
Or you can build Apache from source. That's more reading -- but it's not
that hard (no it's totally confusing until you figure it out!).
> Sidebar: I contrast this to a PHP/MySQL setup I also have where there is no
> grief like this at all!
Mike, I think you have to admit your troubles are a result of your
inexperience with this setup. The Debian package works perfectly for most
people. When you decide to change that default config you had better know
what you are doing, or else face that kind of grief.
Seems like you can be up and running by a couple of mv commands.
--
Bill Moseley moseley@hank.org
Reply to: