Posted to apache-bugdb@apache.org by Joseph Lizzi <jl...@farside.rutgers.edu> on 1999/02/10 19:13:15 UTC

suexec/3871: suExec should be able to be turned on/off on a per directory basis

>Number:         3871
>Category:       suexec
>Synopsis:       suExec should be able to be turned on/off on a per directory basis
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Wed Feb 10 10:20:01 PST 1999
>Last-Modified:
>Originator:     jlizzi@farside.rutgers.edu
>Organization:
apache
>Release:        1.3.3
>Environment:
Solaris 2.6, Patch 105181-11
Multi-user system
Apache compiled with gcc 2.7.2.2
>Description:
We need to do various things with suexec. Unfortunately, I have just discovered
that it is turned ON for everything, and that there is no way to turn it OFF
on a per-directory basis. Since we allow user-CGI scripts on this server (needed
for CS class projects), having all scripts be SUID is a *bad* idea, even if the
user scripts are only accessible via a small handful of Rutgers subnets. The
solution for right now is to remove the suexec binary from the apache directory.

There should be a way to either turn it off per-directory, or explicitly have
to turn it ON per-directory, e.g.

    Options Indexes ExecCGI (No)suExec


Also, the Question #14 in the FAQ ("Premature End of Script Headers") should
show that the message can be generated by suexec not running a CGI script. We
kept getting this error, but I couldn't figure out why, since it worked for
ScriptAlias but not user-CGIs. Turns out that suexec was failing with this
error:

  [1999-02-10 11:38:37]: uid: (jlizzi/jlizzi) gid: (users/users) cmd: test.cgi
  [1999-02-10 11:38:37]: cannot get docroot information (/ug/u2/jlizzi)


If suexec had been mentioned in the FAQ question as a possible cause, it would
have saved me a *lot* of aggravation.
>How-To-Repeat:

>Fix:
1) Add a (No)suexec option to turn suexec off/on on a per-directory basis
2) Fix FAQ question #14 to mention suexec failing to execute the CGI script
>Audit-Trail:
>Unformatted:
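The diagnosis described in the report (a "Premature End of Script Headers" error that turns out to be suexec refusing to run the CGI) can be automated by reading the suexec log. The following is an added example, not part of the original report or of Apache: it assumes the log format of the two lines quoted above, uses a constructed sample log, and pairs each refusal message with the request line directly before it, which is a heuristic.

```python
import re
from collections import Counter

# Constructed sample in the suexec log format quoted in the report above.
SAMPLE_LOG = """\
[1999-02-10 11:38:37]: uid: (jlizzi/jlizzi) gid: (users/users) cmd: test.cgi
[1999-02-10 11:38:37]: cannot get docroot information (/ug/u2/jlizzi)
[1999-02-10 11:40:02]: uid: (alice/alice) gid: (users/users) cmd: hello.cgi
[1999-02-10 11:41:15]: uid: (jlizzi/jlizzi) gid: (users/users) cmd: test.cgi
[1999-02-10 11:41:15]: cannot get docroot information (/ug/u2/jlizzi)
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]: (?P<msg>.*)$")
REQUEST = re.compile(
    r"^uid: \((?P<user>[^/]+)/[^)]*\) gid: \((?P<group>[^/]+)/[^)]*\) cmd: (?P<cmd>.+)$"
)

def suexec_failures(log_text):
    """Return one dict per refusal: timestamp, user, group, cmd and reason."""
    failures, pending = [], None
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # not a suexec log line
        req = REQUEST.match(line["msg"])
        if req:
            # A request line; it is only a failure if a message follows it.
            pending = req.groupdict()
            continue
        # Any other message is a refusal. Attribute it to the request line
        # just before it (heuristic), or to nobody if there was none.
        ctx = pending or {"user": None, "group": None, "cmd": None}
        failures.append({**ctx, "ts": line["ts"], "reason": line["msg"]})
        pending = None
    return failures

def summarize(failures):
    """Count refusals per (user, cmd, reason), dropping the trailing '(path)'."""
    return Counter(
        (f["user"], f["cmd"], re.sub(r"\s*\(.*\)$", "", f["reason"]))
        for f in failures
    )

if __name__ == "__main__":
    for (user, cmd, reason), n in summarize(suexec_failures(SAMPLE_LOG)).items():
        print(f"{n}x user={user} cmd={cmd}: {reason}")
```

Matching the timestamps of these refusals against the "Premature end of script headers" entries in the server's error log shows which of those errors were caused by suexec rather than by the script itself.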