Posted to users@httpd.apache.org by Gary Wilson <gw...@plus.net> on 2005/03/16 11:16:51 UTC

[users@httpd] What's the best route?

Hello all!

I am trying to work out what the best method is to achieve CGI scripts
being executed by the UID of the user who owns the script rather than
have all scripts accessible from the main apache user.  This solution is
to host many hundreds of customers, and I want to use mod_rewrite and
maps to do mass hosting WITHOUT hundreds of VirtualHosts in the apache
config.  Now, I already have a platform created which uses mod_rewrite
in this way, but all scripts are run by the apache user, and naturally
it means users need insecure directory permissions if they want the
apache process to write files, leaving security a lot to be desired -
hence the need to have a similar platform, but the scripts, directories
etc are all owned by the individual users.

I have been researching for days, and have no working solution -
mod_suexec seems not to allow me to do what I want as it relies on 
certain directives within individual VirtualHosts.  Next I looked at
cgiwrap, but I don't seem to be able to get it to do what I want; the
documentation isn't particularly clear for me in how it actually works -
but it seems I need to have a central location for scripts for it to
work (or at least all user script directories under one central cgiwrap
directory), which may or may not be useful to me if I could understand
it a little better.

Here is my situation:

All users have a domain cgi.username.mydomain
All users have their directories under a tree of home directories e.g.

/files/home1/fred
/files/home2/gurt
/files/home3/mons
/files/home1/paulw

under which, each has a cgi-bin directory for their scripts (static
content is allowed in the top level of each user's directory)
etc

A username -> directory map exists for the rewrite engine to map to the
correct place on the filesystem

My experience of cgiwrap has resulted in weird errors when using a
single virtualhost as a test (cannot find user cgi-bin in passwd file) -
which I think is as a result of me not clearly understanding how it
expects me to use the program, or in the case of using a rewrite engine,
nothing happens at all - cgi scripts are getting executed by the apache
user as before - again, this is possibly down to not having a 100% firm 
grasp of how it expects me to run.

Can anyone suggest the best method to achieve the kind of setup I am
describing above - are there other alternatives to cgiwrap for general 
CGI execution (I am aware su_php may help me on the php specific angle
of hosting)?

If cgiwrap is the best way forward, can anyone help me figure out
exactly how to use cgiwrap to achieve what I need, or if that isn't
workable, to suggest how to re-arrange what I need to be more cgi-wrap 
compliant?

I appreciate your efforts in wading through this post :-)

If you need any more info, just yell - in the meantime, I'm going to
keep prodding away with CGI wrap trying to figure out exactly what it
expects.

In case it helps, I am using Apache 2.0.53, and cgi-wrap 3.9 with the
following build options:

./configure --with-perl=/usr/bin/perl --with-local-doc-url=/usr/doc/cgi \
  --with-install-dir=/local/apache/cgi-bin/ --with-httpd-user=nobody \
  --with-minimum-uid=100 --with-minimum-gid=100 \
  --with-logging-file=/local/apache/logs/cgiwrap.log \
  --with-setenv-path=/bin:/usr/bin:/usr/local/bin -with-rlimit-cpu=120 \
  --with-rlimit-fsize=536870912 \
  --with-allow-file=/local/apache/conf/cgiwrap.allow \
  --with-deny-file=/local/apache/conf/cgiwrap.deny

Thanks :)

Gary Wilson

