Posted to users@httpd.apache.org by Oleg Derevenetz <ol...@vsi.ru> on 2004/11/13 17:20:17 UTC

[users@httpd] Apache 2.0.52, suexec and user home dirs

Hi all,

I just installed Apache 2.0.52 and am having some trouble with the suexec setup.

OS: FreeBSD 4.10

Configure parameters:

./configure \
    --with-mpm=prefork \
    --enable-so \
    --enable-suexec \
    --with-suexec-caller=nobody \
    --with-suexec-docroot=/web \
    --with-suexec-uidmin=100 \
    --with-suexec-gidmin=100 \
    --with-suexec-safepath="/bin:/usr/bin:/usr/local/bin" \
    --enable-ssl \
    --enable-rewrite \
    --enable-charset-lite

Suexec -V output:

# ./suexec -V
 -D AP_DOC_ROOT="/web"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="nobody"
 -D AP_LOG_EXEC="/usr/local/apache2/logs/suexec_log"
 -D AP_SAFE_PATH="/bin:/usr/bin:/usr/local/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"

A piece of httpd.conf:

[...]
ServerRoot "/usr/local/apache2"
User  nobody
Group nobody
ServerAdmin noc@vsi.ru
ServerName www.vsi.ru
UseCanonicalName Off
DocumentRoot /web/vhosting/www.vsi.ru
ScriptAlias /cgi-bin/ /web/vhosting/www.vsi.ru/cgi-bin/
<Directory "/">
    Options       Includes FollowSymLinks
    AllowOverride AuthConfig FileInfo Indexes Limit
    XBitHack      On
    Order         Allow,Deny
    Allow         From All
</Directory>
<Directory "/web/users">
    Options        IncludesNOEXEC
    AllowOverride  AuthConfig FileInfo Indexes Limit
    XBitHack       On
    Order          Allow,Deny
    Allow          From All
    php_admin_flag engine off
</Directory>
<Directory "/web/vhosting/www.vsi.ru">
    AllowOverride   All
    php_admin_value open_basedir /web/vhosting/www.vsi.ru/
    php_admin_flag  safe_mode off
</Directory>
Include conf/vhosts.conf
Include conf/vusers.conf
UserDir public_html
[...]

A piece of vhosts.conf:

NameVirtualHost 80.82.32.11:80
NameVirtualHost 80.82.32.11:443
<VirtualHost "80.82.32.11:80">
    ServerName      admin.test.velest.ru
    ServerAdmin     noc@vsi.ru
    DocumentRoot    /web/vhosting/admin.test.velest.ru
    ScriptAlias     /cgi-bin/ /web/vhosting/admin.test.velest.ru/cgi-bin/
    SuexecUserGroup bobrov web_bobrov
    php_admin_value open_basedir /web/vhosting/admin.test.velest.ru/
</VirtualHost>
[...]

A piece of vusers.conf:

ScriptAlias /~yegor/cgi-bin/ /web/users/yegor/public_html/cgi-bin/
<Directory "/web/users/yegor">
    Options Includes
    php_admin_flag  engine on
    php_admin_value open_basedir /web/users/yegor
</Directory>

The machine has two IP addresses on its Ethernet interface: 80.82.32.11 and
80.82.32.14. 80.82.32.11 is for virtual hosting and 80.82.32.14 is for the
www.vsi.ru site.

The problem: when I open the URL http://www.vsi.ru/~yegor/cgi-bin/gb.cgi (for
example), Apache executes it with nobody/nobody permissions instead of the
user's permissions, and I can't see anything about this in suexec_log. But
when I open the URL http://admin.test.velest.ru/cgi-bin/something.cgi, it's OK.

How can I resolve this?

---
Oleg Derevenetz <ol...@vsi.ru> OOD3-RIPE
Phone: +7 (0732) 531789
Fax:   +7 (0732) 531415       http://www.vsi.ru
CenterTelecom Voronezh ISP    http://isp.vsi.ru



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache 2.0.52, suexec and user home dirs

Posted by Oleg Derevenetz <ol...@vsi.ru>.
> On Sat, 13 Nov 2004 19:20:17 +0300, Oleg Derevenetz <ol...@vsi.ru> wrote:
> > The problem: when I open the URL http://www.vsi.ru/~yegor/cgi-bin/gb.cgi
> > (for example), Apache executes it with nobody/nobody permissions instead
> > of the user's permissions, and I can't see anything about this in
> > suexec_log. But when I open the URL
> > http://admin.test.velest.ru/cgi-bin/something.cgi, it's OK.
>
> In 2.0, suexec will only apply the user's id if the request is handled
> by mod_userdir.  In your case, you are circumventing mod_userdir by
> using ScriptAlias.  That won't work.

Hm-m. But this works in 1.3. Is this some kind of regression? :-)

Then, if I make some changes:

-ScriptAlias /~yegor/cgi-bin/ /web/users/yegor/public_html/cgi-bin/
<Directory "/web/users/yegor/public_html">
-Options Includes
+Options Includes ExecCGI
+AddHandler cgi-script .cgi
</Directory>
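
Review bot: The <Directory "/web/users/yegor/public_html"> line is shown as unchanged context, but the vusers.conf quoted in the first message opens this block with <Directory "/web/users/yegor"> and carries two php_admin lines, so the snippet does not show whether the path change is intended or whether the PHP settings survive; mark the path change with -/+ and keep the php_admin lines visible. Also, with "Options Includes ExecCGI" and "AddHandler cgi-script .cgi" applied to the whole public_html tree, any .cgi file placed anywhere under it becomes executable, which is wider than the single cgi-bin/ directory the removed ScriptAlias covered; if that is not wanted, put the two added lines in a <Directory> block for public_html/cgi-bin only.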

and try to execute /~yegor/test.cgi, it executes with yegor's permissions.
But if I try to execute /~yegor/cgi-bin/test.cgi, it executes with
nobody/nogroup permissions. Is this correct? Options apply recursively to
all subdirs, don't they?

--
Oleg Derevenetz <ol...@vsi.ru> OOD3-RIPE
Phone: +7 (0732) 531789
Fax:   +7 (0732) 531415       http://www.vsi.ru
CenterTelecom Voronezh ISP    http://isp.vsi.ru





Re: [users@httpd] Apache 2.0.52, suexec and user home dirs

Posted by Joshua Slive <js...@gmail.com>.
On Sat, 13 Nov 2004 19:20:17 +0300, Oleg Derevenetz <ol...@vsi.ru> wrote:
> The problem: when I open the URL http://www.vsi.ru/~yegor/cgi-bin/gb.cgi
> (for example), Apache executes it with nobody/nobody permissions instead
> of the user's permissions, and I can't see anything about this in
> suexec_log. But when I open the URL
> http://admin.test.velest.ru/cgi-bin/something.cgi, it's OK.

In 2.0, suexec will only apply the user's id if the request is handled
by mod_userdir.  In your case, you are circumventing mod_userdir by
using ScriptAlias.  That won't work.

Joshua.
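
An added example, not part of the original thread and not Apache's own code: a small Python check, based on the reply above, that scans httpd configuration text for ScriptAlias directives claiming a /~user/ URL and reports the identity the CGI is expected to run under instead of that user. The function name and the sample text are assumptions made for illustration; files pulled in with Include must be concatenated by the caller.

```python
import shlex

def find_userdir_bypasses(config_text):
    """List every ScriptAlias that maps a /~user/ URL itself, with the
    identity its CGIs are expected to run under per the reply above."""
    main = {"suexec": None, "hits": []}          # main-server scope
    scopes, current = [main], main
    server = {"user": "?", "group": "?"}         # from User / Group directives
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        try:
            tok = shlex.split(raw, comments=True)
        except ValueError:                       # unbalanced quote: skip line
            continue
        if not tok:
            continue
        name = tok[0].lower()
        if name.startswith("<virtualhost"):
            current = {"suexec": None, "hits": []}
            scopes.append(current)
        elif name.startswith("</virtualhost"):
            current = main
        elif name in server and current is main and len(tok) >= 2:
            server[name] = tok[1]
        elif name == "suexecusergroup" and len(tok) >= 3:
            current["suexec"] = f"{tok[1]} {tok[2]}"
        elif name in ("scriptalias", "scriptaliasmatch") and len(tok) >= 3:
            url = tok[1].lstrip("^")
            if url.startswith("/~") and "/" in url[2:]:
                current["hits"].append({"line": line_no, "url": tok[1],
                                        "user": url[2:].split("/", 1)[0]})
    findings = []
    for scope in scopes:
        for hit in scope["hits"]:
            # SuexecUserGroup of the enclosing vhost, else the server's own id
            hit["runs_as"] = scope["suexec"] or f"{server['user']} {server['group']}"
            findings.append(hit)
    return findings

# Constructed sample, condensed from the configuration quoted in this thread.
SAMPLE = """\
User  nobody
Group nobody
ScriptAlias /cgi-bin/ /web/vhosting/www.vsi.ru/cgi-bin/
<VirtualHost "80.82.32.11:80">
    ScriptAlias     /cgi-bin/ /web/vhosting/admin.test.velest.ru/cgi-bin/
    SuexecUserGroup bobrov web_bobrov
</VirtualHost>
ScriptAlias /~yegor/cgi-bin/ /web/users/yegor/public_html/cgi-bin/
"""

if __name__ == "__main__":
    for f in find_userdir_bypasses(SAMPLE):
        print(f"line {f['line']}: {f['url']} runs as {f['runs_as']}, not {f['user']}")
```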
