Posted to users@httpd.apache.org by Jehan PROCACCIA <Je...@int-evry.fr> on 2006/03/08 19:18:16 UTC

[users@httpd] SuexecUserGroup command not in docroot

Hello,
I am using apache 2.0.54 on a Fedora Core 4 system.
I want to allow my users to have personal web pages by giving them a 
DNS entry and a virtual host associated with their name, as many ISPs do 
... ? (is that the way they do it ?)
I want them to be able to run cgi as themselves.
Here is my virtual host config:

$ cat /etc/httpd/conf.d/jehan-procaccia.conf
<VirtualHost jehan-procaccia.int-evry.fr:80>
LogLevel debug
SuexecUserGroup procacci mci
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /mci/mci/procacci/public_html
ServerName jehan-procaccia.int-evry.fr
ErrorLog logs/jehan-procaccia.int-evry.fr-error_log
CustomLog logs/jehan-procaccia.int-evry.fr-access_log common
<Directory /mci/mci/procacci/public_html/>
Options +ExecCGI
SetHandler cgi-script
</Directory>
</VirtualHost>

When I go to http://jehan-procaccia.int-evry.fr/cgi/printenv.cgi I get 
"500 Internal server Error", the apache log says "Premature end of script 
headers: printenv.cgi" and the suexec log says:
[2006-03-08 19:05:26]: uid: (14503/procacci) gid: (145/145) cmd: printenv.cgi
[2006-03-08 19:05:26]: command not in docroot (/mci/mci/procacci/public_html/cgi/printenv.cgi)

User procacci's homedir is /mci/mci/procacci/, and the system's nss does 
recognize that user:
$ id procacci
uid=14503(procacci) gid=145(mci) groupes=145(mci)
The printenv.cgi is owned by the user's user.group and is executable:
$ ls -al /mci/mci/procacci/public_html/cgi/printenv.cgi
-rwxr-xr-x  1 procacci mci 605 jan 12 16:24 /mci/mci/procacci/public_html/cgi/printenv.cgi

What is wrong ?

Thanks.

PS: at the end of http://httpd.apache.org/docs/2.0/suexec.html, it is said:
 Hierarchy limitations
For security and efficiency reasons, all suEXEC requests must remain 
within either a top-level document root for virtual host requests, or 
one top-level personal document root for userdir requests. For example, 
if you have four VirtualHosts configured, you would need to structure 
all of your VHosts' document roots off of one main Apache document 
hierarchy to take advantage of suEXEC for VirtualHosts. (Example 
forthcoming.)

But I don't really understand it! Should my cgi be in the root of my 
homedir and not in a cgi subdir? I tried that with no success :-(
$ suexec -V
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SuexecUserGroup command not in docroot

Posted by Jehan PROCACCIA <Je...@int-evry.fr>.
Joshua Slive wrote:

>On 3/8/06, Jehan PROCACCIA <Je...@int-evry.fr> wrote:
>
>>When I go to http://jehan-procaccia.int-evry.fr/cgi/printenv.cgi I get
>>"500 Internal server Error", apache logs says "Premature end of script
>>headers: printenv.cgi" and suexec logs:
>>[2006-03-08 19:05:26]: uid: (14503/procacci) gid: (145/145) cmd:
>>printenv.cgi
>>[2006-03-08 19:05:26]: command not in docroot
>>(/mci/mci/procacci/public_html/cgi/printenv.cgi)
>
>All requests that are handled by suexec must be for resources under
>the compiled-in AP_DOC_ROOT.  (The only exception is for requests
>handled by mod_userdir, which may be under the AP_USERDIR_SUFFIX
>directory of a user's home directory.)
>
>So to fix this problem you must either recompile suexec with an
>AP_DOC_ROOT that is a parent of /mci/mci/procacci/public_html/cgi/ or
>you must move your cgi script under /var/www.
>
>Joshua.

Great, that was it. I rebuilt the apache rpm with --with-suexec-docroot=/mci 
and it works fine :-)
$ suexec -V
 -D AP_DOC_ROOT="/mci"

http://jehan-procaccia.int-evry.fr/cgi/whoami.cgi

Thu Mar  9 10:56:42 CET 2006
J'execute en tant que : procacci
je suis reel : 
je suis effectif : uid=14503(procacci) gid=145(mci) groups=145(mci)

Thanks !

On another subject (maybe I should open another thread ...?) 
Now the virtual host logs grab all logs :-(, and not only the access/error logs for that virtual host.
logs configuration in my virtual-host "jehan-procaccia.conf"
<VirtualHost jehan-procaccia.int-evry.fr:80>
    ErrorLog /mci/mci/procacci/public_html/logs/jehan-procaccia.int-evry.fr-error_log
    CustomLog /mci/mci/procacci/public_html/logs/jehan-procaccia.int-evry.fr-access_log common
</VirtualHost>

In DNS I just put a second record to point to the main server IP (157.159.10.52 = main server www-public.int-evry.fr)
jehan-procaccia.int-evry.fr. 172800 IN  A       157.159.10.52

http://jehan-procaccia.int-evry.fr/logs/jehan-procaccia.int-evry.fr-access_log shows all access logs, even accesses for the main server config user_dir (~logins)

Global apache settings contains:
ErrorLog logs/error_log
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log combined

What am I doing wrong? What is the best way to give users access to their own personal logs?

thanks again .





Re: [users@httpd] SuexecUserGroup command not in docroot

Posted by Joshua Slive <jo...@slive.ca>.
On 3/8/06, Jehan PROCACCIA <Je...@int-evry.fr> wrote:

>
> When I go to http://jehan-procaccia.int-evry.fr/cgi/printenv.cgi I get
> "500 Internal server Error", apache logs says "Premature end of script
> headers: printenv.cgi" and suexec logs:
> [2006-03-08 19:05:26]: uid: (14503/procacci) gid: (145/145) cmd:
> printenv.cgi
> [2006-03-08 19:05:26]: command not in docroot
> (/mci/mci/procacci/public_html/cgi/printenv.cgi)
>

> $ suexec -V
>  -D AP_DOC_ROOT="/var/www"

All requests that are handled by suexec must be for resources under
the compiled-in AP_DOC_ROOT.  (The only exception is for requests
handled by mod_userdir, which may be under the AP_USERDIR_SUFFIX
directory of a user's home directory.)

So to fix this problem you must either recompile suexec with an
AP_DOC_ROOT that is a parent of /mci/mci/procacci/public_html/cgi/ or
you must move your cgi script under /var/www.

Joshua.
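
The docroot rule described in the reply above, modelled as an added shell example (not code from this thread or from Apache's suexec). The function names and the temporary demo tree are constructed, and the model assumes the comparison is made on symlink-resolved directories, so a symlink placed under the docroot does not bring an outside script inside it.

```shell
#!/bin/sh
# Added example: a simplified model of the "command not in docroot" check.

# Read `suexec -V` output on stdin and print the compiled-in AP_DOC_ROOT.
suexec_docroot() {
    sed -n 's/^[[:space:]]*-D AP_DOC_ROOT="\(.*\)"[[:space:]]*$/\1/p'
}

# in_docroot DOCROOT SCRIPT
# Returns 0 if SCRIPT's directory, with symlinks resolved, lies under DOCROOT,
# 1 if it lies outside, 2 if either directory cannot be entered.
in_docroot() {
    _root=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    _dir=$(cd "$(dirname "$2")" 2>/dev/null && pwd -P) || return 2
    _root=${_root%/}          # a docroot of "/" then matches every path
    case "$_dir/" in
        "$_root"/*) return 0 ;;   # match on a path boundary, not a bare prefix
        *)          return 1 ;;
    esac
}

# Constructed demo tree in a temp dir, mirroring the paths in this thread.
demo() {
    t=$(mktemp -d) || return 2
    home_cgi="$t/mci/mci/procacci/public_html/cgi"
    mkdir -p "$t/var/www" "$home_cgi"
    : > "$home_cgi/printenv.cgi"
    ln -s "$home_cgi" "$t/var/www/cgi"    # symlink from inside /var/www
    for dr in /var/www /mci; do
        for s in "$home_cgi/printenv.cgi" "$t/var/www/cgi/printenv.cgi"; do
            if in_docroot "$t$dr" "$s"; then r="ok"; else r="not in docroot"; fi
            echo "AP_DOC_ROOT=$dr script=${s#"$t"} -> $r"
        done
    done
    rm -rf "$t"
}

demo
```

To check a real host, feed the output of `suexec -V` to `suexec_docroot` and pass the result with the CGI path to `in_docroot`.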
