Posted to users@httpd.apache.org by fe...@crowfix.com on 2002/04/15 02:08:27 UTC

Re: Trouble with suexec and apache 2.0.35 -- More

Sorry about the confusion.  I don't like ~/public_html, I have always
put personal areas under /home/www/.  My login home dir is
/home/felix, the personal www root is /home/www/felix/.  Under there
are cgi-bin, htdocs, fcgi, etc.

This has worked under 1.* for as long as I can remember, back to 1995
or so I think.  It works for 2.0.35 EXCEPT for suexec.  The logged
complaint in the errors log file is

[2002-04-14 13:54:57]: uid: (501/felix) gid: (100/100) cmd: delwww
[2002-04-14 13:54:57]: command not in docroot (/home/www/felix/cgi-bin/delwww)

The compile time suexec config options were

--enable-suexec
--with-suexec-bin=/usr/local/apache/sbin/suexec
--with-suexec-caller=www
--with-suexec-userdir=/home/www
--with-suexec-docroot=/usr/local/apache/share/htdocs
--with-suexec-uidmin=500
--with-suexec-gidmin=100
--with-suexec-logfile=/usr/local/apache/var/log/suexec.log

The suexec -V output is

 -D AP_DOC_ROOT="/usr/local/apache/share/htdocs"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www"
 -D AP_LOG_EXEC="/usr/local/apache/var/log/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="/home/www"

The httpd.conf directives are

UserDir /home/www/*

<Directory /home/www/*>
    AllowOverride AuthConfig FileInfo Indexes Limit
    Order deny,allow
    Deny from all
    Allow from 192.168.1 216.240.38.152/29 207.159.47
</Directory>

<Directory /home/www/*/cgi-bin>
    AllowOverride AuthConfig
    Options ExecCGI FollowSymLinks
    Order deny,allow
    Deny from all
    Allow from 192.168.1 216.240.38.152/29 207.159.47
    SetHandler cgi-script
</Directory>

This is unchanged from 1.3.20.  I can stop 2.0.35 and start 1.3.20 and
everything works fine.

-- 
            ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: Apache 2.0.35 suexec -- bug on file already

Posted by fe...@crowfix.com.
OK, no more complaints from me :-) someone has already reported the
exact same symptoms and cause -- (#7810)

	http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7810

So for now I'll either make up a dummy suexec wrapper workaround, or
revert back to 1.3.  I think it should not be a difficult bug to fix,
but it would take someone who knows the internals and change history
to know the right way to fix it.

-- 
            ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o



Apache 2.0.35 suexec -- more investigation

Posted by fe...@crowfix.com.
I wrote a little dummy program which prints out its command line args
to a file and exits with an error code.  I substituted this for the
real sbin/suexec under both 1.3.20 and 2.0.35.  I think there is
definitely a bug, so I'll send email to some developer's list, I
guess.

Under 1.3.20, these are the args passed to suexec:

	argv = (/usr/local/apache/sbin/suexec)
	argv = (~felix)
	argv = (users)
	argv = (delwww)

Here is what 2.0.35 passes to suexec:

	argv = (/usr/local/apache/sbin/suexec)
	argv = (501)
	argv = (100)
	argv = (delwww)
	argv = (delwww)

The new apache goes out of its way to send the uid and gid, not the
names.  Suexec itself is hardly changed from 1.3.20 to 2.0.35, so
there's a lack of communication here.  Suexec.c especially looks to
see if the user arg begins with a tilde, in which case it uses
suexec-userdir instead of suexec-docroot.

For now, I'm back to 1.3.20.  I'll let you know of anything else I
find out.

-- 
            ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o
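
An added example, not part of the original message and not code from suexec.c: a simplified model of the location check described above, using the paths from the `suexec -V` output and the log line in this thread. The function names (`required_base`, `is_under`, `location_ok`) are hypothetical, and string comparison stands in for the wrapper's chdir()/getcwd() calls.

```c
#include <stdio.h>
#include <string.h>

#define AP_DOC_ROOT "/usr/local/apache/share/htdocs"  /* from suexec -V */

/* Pick the directory the command must live under.
 * "~name" selects userdir mode; anything else (a plain user name, or the
 * numeric uid that 2.0.35 passes) selects the server docroot.
 * A relative suffix such as "public_html" is taken below the user's home;
 * an absolute one such as "/home/www" is used as-is, which is the effect
 * of chdir(home) followed by chdir(suffix). */
static const char *required_base(const char *user_arg, const char *home,
                                 const char *suffix, char *buf, size_t len)
{
    if (user_arg[0] != '~')
        return AP_DOC_ROOT;
    if (suffix[0] == '/')
        return suffix;
    snprintf(buf, len, "%s/%s", home, suffix);
    return buf;
}

/* 1 if dir equals base or lies below it on a path-component boundary
 * (the boundary test is an assumption of this model). */
static int is_under(const char *dir, const char *base)
{
    size_t n = strlen(base);
    return strncmp(dir, base, n) == 0 && (dir[n] == '/' || dir[n] == '\0');
}

/* Returns 1 if the CGI directory passes the location check. */
int location_ok(const char *user_arg, const char *home,
                const char *suffix, const char *cgi_dir)
{
    char buf[512];
    return is_under(cgi_dir,
                    required_base(user_arg, home, suffix, buf, sizeof buf));
}

int main(void)
{
    const char *dir = "/home/www/felix/cgi-bin";  /* from the log line */
    const char *args[] = { "~felix", "501" };     /* 1.3.20 vs 2.0.35 */
    for (int i = 0; i < 2; i++)
        printf("user arg %-6s -> %s\n", args[i],
               location_ok(args[i], "/home/felix", "/home/www", dir)
                   ? "allowed" : "command not in docroot");
    return 0;
}
```

With the tilde form the base is /home/www and the command is accepted; with the numeric uid the base falls back to the docroot and the same path is rejected, matching the logged error.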



RE: Trouble with suexec and apache 2.0.35 -- More

Posted by Roger Williams <ro...@roger.jp>.
--with-suexec-userdir=public_html is what I meant to say
not --with-suexec-userdir=/home/www/felix/public_html  in case I wasn't
clear.  This way all users can use their public_html to serve webpages and
execute scripts.

Roger

-----Original Message-----
From: felix@crowfix.com [mailto:felix@crowfix.com]
Sent: Sunday, April 14, 2002 11:04 PM
To: users@httpd.apache.org; Hasanuddin Tamir
Subject: Re: Trouble with suexec and apache 2.0.35 -- More


>>In article <Pi...@shinchan.trabas.com>,
Hasanuddin Tamir <sa...@trabas.com> writes:

>> The compile time suexec config options were
>>
>> --enable-suexec
>> --with-suexec-bin=/usr/local/apache/sbin/suexec
>> --with-suexec-caller=www
>> --with-suexec-userdir=/home/www

> The value of this option is the directory where the common directory for
> the users to keep their stuff, to be called with tilde in URL. The
> /home/www should be supplied for --with-suexec-docroot instead

>> --with-suexec-docroot=/usr/local/apache/share/htdocs

> All programs must be somewhere under this directory if the scripts are
> supposed to be called via VH. delwww is obviously out of there.

Not that I can see.  This same configuration (well, modified as
necessary for the change from 1.3 to 2.) works fine under 1.3.20.
Delwww is not under DocRoot and hasn't been since my first Apache
setups back around 1995 or so.  UserDir is a perfectly good place for
delwww.

Now maybe I am compiling with some bad configuration parameters, and
I'd sure like to know what, but --with-suexec-docroot is not the only
possible location.  There's also --with-suexec-userdir.

--
            ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o



RE: Trouble with suexec and apache 2.0.35 -- More

Posted by Roger Williams <ro...@roger.jp>.
My 2 cents worth,

  --with-suexec-userdir should be the directory under the users home dir
where he can execute scripts.  So in the dir /home/www/  there is the home
dir of felix (/home/www/felix)   in there is a folder (his apache doc root)
public_html (/home/www/felix/public_html) this should
be --with-suexec-userdir  it is the dir UNDER the user home that suexec can
execute scripts.  That's how I do it anyway..... and I have some 5000 clients
on 7 machines.

Roger

-----Original Message-----
From: felix@crowfix.com [mailto:felix@crowfix.com]
Sent: Sunday, April 14, 2002 11:04 PM
To: users@httpd.apache.org; Hasanuddin Tamir
Subject: Re: Trouble with suexec and apache 2.0.35 -- More


>>In article <Pi...@shinchan.trabas.com>,
Hasanuddin Tamir <sa...@trabas.com> writes:

>> The compile time suexec config options were
>>
>> --enable-suexec
>> --with-suexec-bin=/usr/local/apache/sbin/suexec
>> --with-suexec-caller=www
>> --with-suexec-userdir=/home/www

> The value of this option is the directory where the common directory for
> the users to keep their stuff, to be called with tilde in URL. The
> /home/www should be supplied for --with-suexec-docroot instead

>> --with-suexec-docroot=/usr/local/apache/share/htdocs

> All programs must be somewhere under this directory if the scripts are
> supposed to be called via VH. delwww is obviously out of there.

Not that I can see.  This same configuration (well, modified as
necessary for the change from 1.3 to 2.) works fine under 1.3.20.
Delwww is not under DocRoot and hasn't been since my first Apache
setups back around 1995 or so.  UserDir is a perfectly good place for
delwww.

Now maybe I am compiling with some bad configuration parameters, and
I'd sure like to know what, but --with-suexec-docroot is not the only
possible location.  There's also --with-suexec-userdir.

--
            ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o



Re: Trouble with suexec and apache 2.0.35 -- More

Posted by fe...@crowfix.com.
>>In article <Pi...@shinchan.trabas.com>, Hasanuddin Tamir <sa...@trabas.com> writes:

>> The compile time suexec config options were
>> 
>> --enable-suexec
>> --with-suexec-bin=/usr/local/apache/sbin/suexec
>> --with-suexec-caller=www
>> --with-suexec-userdir=/home/www

> The value of this option is the directory where the common directory for
> the users to keep their stuff, to be called with tilde in URL. The
> /home/www should be supplied for --with-suexec-docroot instead

>> --with-suexec-docroot=/usr/local/apache/share/htdocs

> All programs must be somewhere under this directory if the scripts are
> supposed to be called via VH. delwww is obviously out of there.

Not that I can see.  This same configuration (well, modified as
necessary for the change from 1.3 to 2.) works fine under 1.3.20.
Delwww is not under DocRoot and hasn't been since my first Apache
setups back around 1995 or so.  UserDir is a perfectly good place for
delwww.

Now maybe I am compiling with some bad configuration parameters, and
I'd sure like to know what, but --with-suexec-docroot is not the only
possible location.  There's also --with-suexec-userdir.

-- 
            ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o



Re: Trouble with suexec and apache 2.0.35 -- More

Posted by Hasanuddin Tamir <sa...@trabas.com>.
On Sun, 14 Apr 2002, felix@crowfix.com <fe...@crowfix.com> wrote,

> Sorry about the confusion.  I don't like ~/public_html, I have always
> put personal areas under /home/www/.  my login home dir is
> /home/felix, the personal www root is /home/www/felix/.  Under there
> are cgi-bin, htdocs, fcgi, etc.

How'd you like to have the URL for the users' personal page, if you don't
like http://www.domain.com/~felix. You want virtual host? Or, mod_rewrite,
perhaps?

> This has worked under 1.* for as long as I can remember, back to 1995
> or so I think.  It works for 2.0.35 EXCEPT for suexec.  The logged
> complaint in the errors log file is
>
> [2002-04-14 13:54:57]: uid: (501/felix) gid: (100/100) cmd: delwww
> [2002-04-14 13:54:57]: command not in docroot (/home/www/felix/cgi-bin/delwww)

This error has something to do with the --with-suexec-docroot.

> The compile time suexec config options were
>
> --enable-suexec
> --with-suexec-bin=/usr/local/apache/sbin/suexec
> --with-suexec-caller=www
> --with-suexec-userdir=/home/www

The value of this option is the directory where the common directory for
the users to keep their stuff, to be called with tilde in URL. The
/home/www should be supplied for --with-suexec-docroot instead

> --with-suexec-docroot=/usr/local/apache/share/htdocs

All programs must be somewhere under this directory if the scripts are
supposed to be called via VH. delwww is obviously out of there.


-- 
san->http(www.trabas.com)
{If Linux doesn't have solution, you have the wrong problem}


