You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Marty Landman <ML...@face2interface.com> on 2003/12/06 23:14:35 UTC
[users@httpd] newbie suexec quandary
I've got Apache 2.0.48 running on FreeBSD 4.8 RELEASE and have been porting
over a web application of mine. The most recent problem is that the app
which is written in Perl 5 running as a CGI doesn't always have permission
to write files to directories.
My understanding is this is a known problem because cgi's run as the id
that owns httpd which in my case is www; and that suexec is designed to let
a cgi run as the id that owns the script so that it has the appropriate
access for what it's doing.
Assuming I'm right so far, here's what I just went through:
#httpd -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c
#cd /tmp/httpd-2.0.48
#./configure --enable-suexec --with-suexec-bin=/usr/local/sbin
--with-suexec-docroot=/mnt/web/guide
#make
#make install
Then httpd -l again with the exact same results! Then tried a graceful
restart, still the same. The initial Apache install was done using the FBSD
port and this is my first time attempting to manually recompile Apache. But
I'll bet you already knew that. :)
/usr/local/apache2/logs/ is empty, the httpd-error.log had no complaints
during restart. But I notice it restarted Apache/2.0.44 (Unix) so obviously
I didn't install the newer version. Guess I'll just put on my dunce cap and
wait in the corner till someone helps straighten me out.
Marty Landman Face 2 Interface Inc 845-679-9387
Sign On Required: Web membership software for your site
Make a Website: http://face2interface.com/Home/Demo.shtml
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] newbie suexec quandary
Posted by Marty Landman <ML...@face2interface.com>.
At 04:54 AM 12/7/2003, André Malo wrote:
>Hope you've read <http://httpd.apache.org/docs-2.0/suexec.html>
Yes, as best I could. :)
>1st: you're looking for httpd in path. The default install (from vanilla) goes
>into /usr/local/apache2
Ah-hah. Please keep telling yourself "pity the poor newbie; we were all
newbies once" as you read what I have to say. I installed Apache2 from the
FreeBSD ports collection ~3 weeks ago; nice feature of the ports is I don't
have to actually know anything, guess that's also a potential 'gotcha'
feature. Now based on your advice I found things worked only not the way
I'd wanted, to wit:
Swami: /usr/local/apache2/bin/httpd -l
Compiled in modules:
[snip]
mod_suexec.c
[snip]
Swami: `which httpd` -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c
>You might use either the --prefix option to configure or
>--enable-layout=FreeBSD if it matches for you.
The latter also appears to be what the port used so guess that's what I'll
use too.
>After that there should be suexec compiled in (please check out the other
>suexec options as well during the next try :-). See
><http://httpd.apache.org/docs-2.0/programs/configure.html#suexec>.
I already did - one of the problems with being a newbie is that the default
all look fine afaik now; but of course I can imagine more recompiles in my
future.
>After startup the right httpd, it should be written into the errorlog at
>startup that suexec is enabled. To actually use it, you need to specify
>for each virtualhost which is supposed to run CGIs as a different user the
>particular user and group with the following directive:
><http://httpd.apache.org/docs-2.0/mod/mod_suexec.html#suexecusergroup>
Thanks much, it's in the oven now. Will post back the results to the list
either way.
Marty Landman Face 2 Interface Inc 845-679-9387
Sign On Required: Web membership software for your site
Make a Website: http://face2interface.com/Home/Demo.shtml
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] newbie suexec quandary
Posted by André Malo <nd...@perlig.de>.
* Marty Landman <ML...@face2interface.com> wrote:
> I've got Apache 2.0.48 running on FreeBSD 4.8 RELEASE and have been porting
> over a web application of mine. The most recent problem is that the app
> which is written in Perl 5 running as a CGI doesn't always have permission
> to write files to directories.
>
> My understanding is this is a known problem because cgi's run as the id
> that owns httpd which in my case is www; and that suexec is designed to let
> a cgi run as the id that owns the script so that it has the appropriate
> access for what it's doing.
>
> Assuming I'm right so far,
Yep. (Hope you've read <http://httpd.apache.org/docs-2.0/suexec.html>)
> here's what I just went through:
You're encoutering two problems:
> #httpd -l
1st: you're looking for httpd in path. The default install (from vanilla) goes
into /usr/local/apache2. You might use either the --prefix option to
configure or --enable-layout=FreeBSD if it matches for you. (It's defined in
the config.layout file, you can "grep" for a particular layout, e.g. with:
$ perl -ne '/FreeBSD/../<\// and print' config.layout
See
http://httpd.apache.org/docs-2.0/programs/configure.html#installationdirectories
for further details.
> Compiled in modules:
> core.c
> prefork.c
> http_core.c
> mod_so.c
>
> #cd /tmp/httpd-2.0.48
> #./configure --enable-suexec --with-suexec-bin=/usr/local/sbin
> --with-suexec-docroot=/mnt/web/guide
> #make
> #make install
After that there should be suexec compiled in (please check out the other
suexec options as well during the next try :-). See
<http://httpd.apache.org/docs-2.0/programs/configure.html#suexec>.
After startup the right httpd, it should be written into the errorlog at
startup that suexec is enabled. To actually use it, you need to specify for
each virtualhost which is supposed to run CGIs as a different user the
particular user and group with the following directive:
<http://httpd.apache.org/docs-2.0/mod/mod_suexec.html#suexecusergroup>
nd
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org