apache2-suexec-custom, SuexecUserGroup directive
Hi there,
I'm trying to set up gitweb. As part of this, I'm trying to make
Apache execute the gitweb.cgi as the user 'git' (UID 1002) using
suEXEC.
To achieve this, I've:
- installed the apache2-suexec-custom package
- added /etc/apache2/suexec/git containing:
    /srv/h1
    #
  i.e., document root is /srv/h1 and userdirs are not allowed.
- installed the gitweb.cgi in /srv/h1
- created a <VirtualHost> config in /etc/apache2/sites-available/h1
  like this:
    <VirtualHost *:80>
        ServerName h1.my.domain
        SuexecUserGroup git git
        DocumentRoot /srv/h1
        ErrorLog /var/log/apache2/h1.error.log
        CustomLog /var/log/apache2/h1.access.log combined
        <Directory /srv/h1>
            Options ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
            AllowOverride All
            order allow,deny
            Allow from all
            AddHandler cgi-script cgi
            DirectoryIndex gitweb.cgi
        </Directory>
    </VirtualHost>
The idea is that Apache executes the gitweb.cgi as user 'git' because
it's instructed to by the SuexecUserGroup directive. And suEXEC allows
/srv/h1/gitweb.cgi to be executed because the directory /srv/h1 is
declared as suEXEC's docroot in /etc/apache2/suexec/git, and
/etc/apache2/suexec/git is the operative configuration file because
gitweb.cgi is being executed as user 'git'.
However, when I actually try and GET / on h1.my.domain I receive
500. The Apache error log says:
    suexec policy violation: see suexec log for more details
And the suexec error log says:
    [2014-09-18 17:02:02]: uid: (1002/git) gid: (1002/git) cmd: gitweb.cgi
    [2014-09-18 17:02:02]: command not in docroot (/srv/h1/gitweb.cgi)
Lastly, I found that I could actually make gitweb.cgi execute
successfully by altering the /etc/apache2/suexec/www-data config like
this:
    /srv/h1
    public_html/cgi-bin
i.e., replacing the default /var/www docroot with /srv/h1. This
implies that suEXEC is being called as www-data, and not git. Does
that sound right?
Can anyone explain what's going on here?
Thanks,
Richard
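
Added example, not part of the original post and not code from Apache or the apache2-suexec-custom package: a small Python model of the two-line config format and the docroot test, run against the file contents quoted in the post. The function names and the lexical path comparison are assumptions made for illustration; the point is to see which config file name reproduces both the logged "command not in docroot" failure and the later success.

```python
import os

def parse_suexec_config(text):
    """Return (docroot, userdir_suffix); a field is None when disabled with '#'."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("config needs two lines: docroot and userdir suffix")

    def field(line):
        line = line.strip()
        return None if not line or line.startswith("#") else line

    return field(lines[0]), field(lines[1])

def in_docroot(command, docroot):
    """True when the absolute path 'command' lies under 'docroot'.
    Assumption: a lexical check on normalised paths stands in for the real test."""
    if docroot is None:
        return False
    root = os.path.normpath(docroot)
    return os.path.commonpath([root, os.path.normpath(command)]) == root

def check(configs, config_name, command):
    """Apply the docroot test using the config file called config_name."""
    docroot, _userdir = parse_suexec_config(configs[config_name])
    return in_docroot(command, docroot)

# File contents as quoted in the post, keyed by file name under /etc/apache2/suexec/
BEFORE = {"git": "/srv/h1\n#\n", "www-data": "/var/www\npublic_html/cgi-bin\n"}
AFTER = dict(BEFORE, **{"www-data": "/srv/h1\npublic_html/cgi-bin\n"})
CMD = "/srv/h1/gitweb.cgi"

def explain():
    """Outcome of the docroot test for each (config file, state) combination."""
    return {
        ("git", "before"): check(BEFORE, "git", CMD),
        ("www-data", "before"): check(BEFORE, "www-data", CMD),
        ("www-data", "after"): check(AFTER, "www-data", CMD),
    }

if __name__ == "__main__":
    for (name, state), ok in explain().items():
        verdict = "allowed" if ok else "command not in docroot"
        print(f"{name:9} {state:6} {verdict}")
```

Only the www-data file matches both observations: it rejects /srv/h1/gitweb.cgi while its docroot is /var/www and accepts it once the docroot is /srv/h1, whereas the git file would have allowed the command from the start.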