Posted to users@httpd.apache.org by Andrew Clarke <ac...@civica.com.au> on 2005/09/08 13:59:28 UTC

[users@httpd] DirectoryIndex /mybin/myindex.cgi

Hi Folks,

I'm going around in ever-tightening circles trying to get

    DirectoryIndex /mybin/myindex.cgi

directive to work against a directory within UserDir (i.e. ~user/public_html). 
The platform is SuSE 9.3 with the default installation of Apache 2.0.53. For 
the record, the config files are put into /etc/apache2, the ServerRoot 
is /srv/www, DocumentRoot is /srv/www/htdocs, and the ordinary CGI is 
in /srv/www/cgi-bin.

Ordinary CGI is working from cgi-bin, and also from within DocumentRoot after 
applying a few modest config settings. Details later.

To make the DirectoryIndex directive work, I first tried putting the script 
into /srv/www/cgi-bin, and after finally getting some clues about suEXEC and 
the requirement for scripts to be "under the docroot" I have tried shifting 
it to a /srv/www/htdocs/mybin directory. Permissions and owners of all 
directories are locked down to the necessary paranoia level described in the 
Apache manual page for suEXEC - because I started to see error messages 
implying suEXEC is involved.

Here are what I think are the significant configuration directives. Directives 
marked with ## are ones I've tried using or commenting out.

ServerRoot /etc/apache2	# to make config files relative
DocumentRoot "/srv/www/htdocs"
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
## ScriptAlias /cgi/ "/srv/www/htdocs/cgi/"
## AddHandler cgi-script .cgi

<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

-- all other Directory below are Order allow,deny; Allow from all;

<Directory "/srv/www/htdocs">
    Options +Indexes +FollowSymLinks
</Directory>

<Directory "/srv/www/cgi-bin">
    Options +ExecCGI
</Directory>

<Directory "/srv/www/htdocs/cgi">
    Options +ExecCGI
</Directory>

<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch Includes ExecCGI
    DirectoryIndex /cgi/myindex.cgi
    <Limit ...
    <LimitExcept ...
</Directory>

Currently the myindex.cgi script is a trivial piece of Perl:

    #!/usr/bin/perl
    use CGI qw(:standard);
    use CGI::Carp;
    print header, start_html('Test CGI Index'),
        "Test CGI index ", `pwd`, end_html();

When it was installed in /srv/www/cgi-bin, and invoked as 
http://myhost/cgi-bin/myindex.cgi then I get the expected output.

When it was installed in /srv/www/htdocs/cgi, and invoked as 
http://myhost/cgi/myindex.cgi then I get the expected output.

When I try to invoke the script via http://myhost/~username it fails.

error_log contains:

[Thu Sep 08 21:24:12 2005] [error] [client 127.0.0.1] Premature end of script 
headers: myindex.cgi

and suexec.log contains:

[2005-09-08 21:24:12]: uid: (400/username) gid: (100/100) cmd: myindex.cgi
[2005-09-08 21:24:12]: command not in docroot 
(/srv/www/htdocs/cgi/myindex.cgi)

and the browser shows: (slightly compressed)

Server error! The server encountered an internal error and was unable to 
complete your request.
Error message: Premature end of script headers: myindex.cgi
If you think this is a server error, please contact the webmaster.
Error 500


I must be missing some essential detail, but I cannot understand what. What 
does it take to make DirectoryIndex work with a CGI?

Thanks in advance,
Andrew Clarke

This email is from Civica Pty Limited and it, together with any 
attachments, is confidential to the intended recipient(s) and the 
contents may be legally privileged or contain proprietary and private 
information. It is intended solely for the person to whom it is 
addressed. If you are not an intended recipient, you may not review, 
copy or distribute this email. If received in error, please notify the 
sender and delete the message from your system immediately. Any views 
or opinions expressed in this email and any files transmitted 
with it are those of the author only and may not necessarily reflect 
the views of Civica and do not create any legally binding rights or 
obligations whatsoever. Unless otherwise pre-agreed by exchange of hard 
copy documents signed by duly authorised representatives, contracts may 
not be concluded on behalf of Civica by email. Please note that neither 
Civica nor the sender accepts any responsibility for any viruses and it 
is your responsibility to scan the email and the attachments (if any). 
All email received and sent by Civica may be monitored to protect the 
business interests of Civica. 



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] DirectoryIndex /mybin/myindex.cgi

Posted by Andrew Clarke <ac...@civica.com.au>.
On Fri, 09 Sep 2005 11:51, Joshua Slive wrote:
>
> Just remove the suid bit from the suexec binary (or rename it) and
> then restart apache.

Will do. Now I need to find it .... looking, ok there it is. Problem solved. 
Now, it looks like the script has /srv/www/cgi-bin as its cwd. They are not 
making it easy for DirectoryIndex to be useful. At least $REQUEST_URI 
contains the facts I need.

> I dislike the fact that distributors activate [suexec] by default.

I dislike the fact that distributors like to follow different standards for 
locations. Standards are so good; there should be more of them! RedHat in 
particular stubbornly puts the document root in somewhere/html but my fingers 
insist on typing cd somewhere/htdocs.

> I don't think this is a fixable issue.  You can't combine global CGIs
> with userdir requests.  That's part of suexec's security features.
> What you want is simply to not use suexec for these requests, but
> making an exception like that could be very dangerous.

I'm still not discounting the possibility that I've misunderstood one of 
suexec's many rules for Proper Usage, but it's more important that I move on 
right now. And, since I do not have a need for suexec, I can wait until there 
is a need before re-examining its issues.

Thanks for your help. I can now move on after 3 evenings wasted doing homework 
on this subject. This is why I need to build toy servers; the web isn't going 
to go away, so you may as well become its master.

Cheers

PS - apologies for the stupid corporate signature. I'm working on subverting 
it from my new machine.
-- 
corporate signatures suck.



Re: [users@httpd] DirectoryIndex /mybin/myindex.cgi

Posted by Joshua Slive <js...@gmail.com>.
On 9/8/05, Andrew Clarke <ac...@civica.com.au> wrote:
> On Thu, 08 Sep 2005 22:58, Joshua Slive wrote:
> >
> > Interesting.  I haven't looked into it in detail, but I suspect that
> > what you are trying to do is not possible with suexec activated.  If
> > the request is run through mod_userdir, then it must follow the
> > user-specific suexec rules.  That includes the script living under
> > /home/user/public_html and being owned by the user.
> >
> > So you have two choices:
> >
> > 1. Don't use suexec.  This would be the thing to do unless you really
> > need suexec.
> 
> I do not need suexec, so I'll go with this choice, thanks. Since it's a
> default SuSE install, it came along for the ride. Up until now I've built my
> toy apaches from source, but since there is some merit to using pre-built
> bundles, I decided to experience that particular joy. Now I need to delete
> suexec - is it just a matter of a config change, or do I need to rebuild from
> source? I hope the doco is clear. I'm newish to apache, despite doing UNIX
> for more years than I care to mention.

Just remove the suid bit from the suexec binary (or rename it) and
then restart apache.

The suexec docs are not that easy for newbies, but then again, suexec
isn't supposed to be used by newbies.  I dislike the fact that
distributors activate it by default.  Suexec can do more harm than
good to security if it isn't used intelligently.

> 
> Do you think this needs to be a bug/misfeature report to the Apache teams
> then? I don't have enough in-depth knowledge to consider whether
> DirectoryIndex needs to use suexec by necessity or convenience, and whether
> there's any logical reason why it can't work, or whether it just needs more
> code throwing at it. Perhaps the codesters need to be informed?

I don't think this is a fixable issue.  You can't combine global CGIs
with userdir requests.  That's part of suexec's security features. 
What you want is simply to not use suexec for these requests, but
making an exception like that could be very dangerous.

Joshua.



Re: [users@httpd] DirectoryIndex /mybin/myindex.cgi

Posted by Andrew Clarke <ac...@civica.com.au>.
On Thu, 08 Sep 2005 22:58, Joshua Slive wrote:
>
> Interesting.  I haven't looked into it in detail, but I suspect that
> what you are trying to do is not possible with suexec activated.  If
> the request is run through mod_userdir, then it must follow the
> user-specific suexec rules.  That includes the script living under
> /home/user/public_html and being owned by the user.
>
> So you have two choices:
>
> 1. Don't use suexec.  This would be the thing to do unless you really
> need suexec.

I do not need suexec, so I'll go with this choice, thanks. Since it's a 
default SuSE install, it came along for the ride. Up until now I've built my 
toy apaches from source, but since there is some merit to using pre-built 
bundles, I decided to experience that particular joy. Now I need to delete 
suexec - is it just a matter of a config change, or do I need to rebuild from 
source? I hope the doco is clear. I'm newish to apache, despite doing UNIX 
for more years than I care to mention.

Do you think this needs to be a bug/misfeature report to the Apache teams 
then? I don't have enough in-depth knowledge to consider whether 
DirectoryIndex needs to use suexec by necessity or convenience, and whether 
there's any logical reason why it can't work, or whether it just needs more 
code throwing at it. Perhaps the codesters need to be informed?



Re: [users@httpd] DirectoryIndex /mybin/myindex.cgi

Posted by Joshua Slive <js...@gmail.com>.
On 9/8/05, Andrew Clarke <ac...@civica.com.au> wrote:
> <Directory /home/*/public_html>
>     AllowOverride FileInfo AuthConfig Limit Indexes
>     Options MultiViews Indexes SymLinksIfOwnerMatch Includes ExecCGI
>     DirectoryIndex /cgi/myindex.cgi
>     <Limit ...
>     <LimitExcept ...
> </Directory>

> When it was installed in /srv/www/htdocs/cgi, and invoked as
> http://myhost/cgi/myindex.cgi then I get the expected output.
> 
> When I try to invoke the script via http://myhost/~username it fails.
> 
> error_log contains:
> 
> [Thu Sep 08 21:24:12 2005] [error] [client 127.0.0.1] Premature end of script
> headers: myindex.cgi
> 
> and suexec.log contains:
> 
> [2005-09-08 21:24:12]: uid: (400/username) gid: (100/100) cmd: myindex.cgi
> [2005-09-08 21:24:12]: command not in docroot
> (/srv/www/htdocs/cgi/myindex.cgi)

Interesting.  I haven't looked into it in detail, but I suspect that
what you are trying to do is not possible with suexec activated.  If
the request is run through mod_userdir, then it must follow the
user-specific suexec rules.  That includes the script living under
/home/user/public_html and being owned by the user.

So you have two choices:

1. Don't use suexec.  This would be the thing to do unless you really
need suexec.

2. Install the script under each user's public_html directory and
owned by the user.

Joshua.
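
The two userdir rules named in the reply above (the script must live under the user's public_html and be owned by that user), as an added example that is not part of the thread and is not suexec's source code. It is a simplified C model; `userdir_check`, the home directory `/home/username` and the script owner uids are assumptions made for illustration, and real suexec performs further checks that are not modelled here.

```c
/* Added example: simplified model of the two userdir rules named in the
 * thread. Not the suexec source; real suexec performs further checks. */
#include <stdio.h>
#include <string.h>

#define USERDIR_SUFFIX "public_html"  /* matches /home/<user>/public_html in the post */

enum verdict { ALLOW, NOT_IN_DOCROOT, WRONG_OWNER };

/* True when path is root itself or lies beneath it; the match must end
 * on a path-component boundary so "public_html_old" is not accepted. */
static int is_under(const char *path, const char *root)
{
    size_t n = strlen(root);
    return strncmp(path, root, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* For a ~user request the permitted root is the user's own
 * public_html, not the server-wide DocumentRoot. */
enum verdict userdir_check(const char *home, const char *script_dir,
                           unsigned script_uid, unsigned target_uid)
{
    char docroot[512];
    int len = snprintf(docroot, sizeof docroot, "%s/%s", home, USERDIR_SUFFIX);
    if (len < 0 || (size_t)len >= sizeof docroot)
        return NOT_IN_DOCROOT;          /* fail closed on an over-long path */
    if (!is_under(script_dir, docroot))
        return NOT_IN_DOCROOT;
    if (script_uid != target_uid)
        return WRONG_OWNER;
    return ALLOW;
}

static const char *verdict_name(enum verdict v)
{
    return v == ALLOW ? "allow"
         : v == NOT_IN_DOCROOT ? "command not in docroot" : "wrong owner";
}

int main(void)
{
    /* uid 400 and /srv/www/htdocs/cgi come from the post; /home/username
     * and the script owner uids are constructed sample values. */
    const char *home = "/home/username";
    /* The thread's case: global script reached through a ~user request. */
    printf("%s\n", verdict_name(userdir_check(home, "/srv/www/htdocs/cgi", 0, 400)));
    /* Option 2 from the reply: script under public_html, owned by the user. */
    printf("%s\n", verdict_name(userdir_check(home, "/home/username/public_html/cgi", 400, 400)));
    /* Right place, but owned by another account. */
    printf("%s\n", verdict_name(userdir_check(home, "/home/username/public_html/cgi", 0, 400)));
    /* Sibling directory that merely shares the prefix. */
    printf("%s\n", verdict_name(userdir_check(home, "/home/username/public_html_old", 400, 400)));
    return 0;
}
```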



Re: [users@httpd] Writing Apache modules in Python

Posted by Nick Kew <ni...@webthing.com>.
On Thursday 08 September 2005 14:52, Devraj Mukherjee wrote:
> Hi everyone,
>
> I am a newbie to mod_python (I have programmed in Python before) and
> having trouble understanding if using mod_python or one of the related
> projects (such as mod_snake which seems to be dead) I can actually develop
> Apache modules in Python.

Your question hinges on the definition of an apache module.  mod_python
exposes some but not all of the Apache API to python scripts.  So, for a
definition of modules that includes scripts, you can write some but not
all types of module.

If you want parts of the API that aren't available under mod_python, then
bug the mod_python developers with specific questions.

-- 
Nick Kew



Re: [users@httpd] Writing Apache modules in Python

Posted by Craig Dunigan <cd...@doit.wisc.edu>.
Have you tried the mod_python manual?

http://www.modpython.org/live/current/doc-html/

In particular, you probably want the section titled "Python API."

-- 
Craig Dunigan
IS Technical Services Specialist
Middleware - EIS - DoIT
University of Wisconsin, Madison

opinions expressed are my own, not the University's


On Thu, 8 Sep 2005, Devraj Mukherjee wrote:

> Hi everyone,
> 
> I am a newbie to mod_python (I have programmed in Python before) and
> having trouble understanding if using mod_python or one of the related
> projects (such as mod_snake which seems to be dead) I can actually develop
> Apache modules in Python.
> 
> I have been tossing the option of writing modules for Apache for a while
> and have been wanting to avoid C programming ;-) if I can write them in
> Python it will be my preferred way.
> 
> Thanks for any insights.
> 
> Devraj
> 


[users@httpd] Writing Apache modules in Python

Posted by Devraj Mukherjee <lu...@eternitytechnologies.com>.
Hi everyone,

I am a newbie to mod_python (I have programmed in Python before) and
having trouble understanding if using mod_python or one of the related
projects (such as mod_snake which seems to be dead) I can actually develop
Apache modules in Python.

I have been tossing the option of writing modules for Apache for a while
and have been wanting to avoid C programming ;-) if I can write them in
Python it will be my preferred way.

Thanks for any insights.

Devraj
