On Thu, 19 Jun 2003 14:05:34 +0800, [EMAIL PROTECTED] (Eugene Geldenhuys) wrote:
>Hi
>
>Okay, I read the words, but I'm not sure that I fully understand the solution -
>correct me if I'm wrong:
>
>I configure apache with virtual hosts, this in the httpd.conf:
>NameVirtualHost 192.168.0.3:80
>NameVirtualHost 192.168.0.3:4555
>As mentioned previously, suexec -V gives:
> -D AP_DOC_ROOT="/var/www"
> -D AP_GID_MIN=500
> -D AP_HTTPD_USER="apache"
> -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
> -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
> -D AP_UID_MIN=500
> -D AP_USERDIR_SUFFIX="public_html"
>
>so the user and group admin would be uid & gid > 500 and the binaries would all need
>to be located in the /usr/local/bin, /usr/bin or /bin directories.
>Am I missing anything? (apart from my mind, that went long ago!!)

I'm not sure I follow all you are saying, but I get the feeling you don't understand what suexec is for.

suexec is for running cgi scripts in users' home directory public_html/cgi-bin directories. It shouldn't even do anything for scripts run out of the main cgi-bin under server-root.

When suexec is running, any cgi-script run out of /home/user/public_html/cgi-bin must have the UID and GID of the owner of the home directory. Suexec will then allow the cgi-scripts to be run as user/group instead of nobody/nogroup.

This has some advantages. You can make your homedirs mode 700 instead of 755. More importantly, you can make directories, which are writable by remote users calling your cgi script, at mode 700. Usually "world-writable" directories have to be mode 777, because the apache user is nobody/nogroup.

There are a lot of fine points to this, but those are the basics. There are many who feel it is too dangerous to let remote users call cgi scripts as a system user, and prefer to disable suexec (by removing /usr/sbin/suexec), and force the apache daemon to run as nobody/nogroup even in the home directories.

As one example of why suexec can be useful, think of a multi-user server. If you had a public_html/cgi-bin/subdir that was mode 777, any user on the system could tamper with it. Mode 700 with suexec prevents that problem.

I think you may be confusing "suexec" with "cgiwrap", which do 2 different things, although they are similar. You might want to look at cgiwrap.

The "safe_path" directories listed above are the PATH for the scripts when you try to call system or exec from them. It is not where you put the cgi scripts.

If you wanted to use suexec with "virtual servers", you would have to set up each virtual server with its own home directory and public_html. It can be done.

I hope that sheds some light.
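A pre-flight check for the ownership and mode rules discussed in this thread, as an added example that is not part of the original messages and is not Apache's own code. It models a subset of the checks in the Apache suexec documentation; `Meta`, `meta_of`, `precheck` and the sample uid/gid values are hypothetical names and constructed data, and the target user is assumed to be the owner of the home directory.

```python
import os
import stat
from collections import namedtuple

# Minimums reported by `suexec -V` in the quoted message.
UID_MIN = 500
GID_MIN = 500

Meta = namedtuple("Meta", "uid gid mode")  # hypothetical helper type

def meta_of(path):
    """Read owner, group and mode of a real path."""
    st = os.stat(path)
    return Meta(st.st_uid, st.st_gid, st.st_mode)

def precheck(script, cgi_dir, home, uid_min=UID_MIN, gid_min=GID_MIN):
    """Return the reasons suexec would likely refuse the script ([] = none)."""
    loose = stat.S_IWGRP | stat.S_IWOTH
    problems = []
    if script.uid < uid_min:
        problems.append("script uid below AP_UID_MIN")
    if script.gid < gid_min:
        problems.append("script gid below AP_GID_MIN")
    # Assumption: the target user is whoever owns the home directory.
    if (script.uid, script.gid) != (home.uid, home.gid):
        problems.append("script owner/group differs from home directory")
    if (cgi_dir.uid, cgi_dir.gid) != (home.uid, home.gid):
        problems.append("cgi-bin owner/group differs from home directory")
    if script.mode & loose:
        problems.append("script writable by group or other")
    if cgi_dir.mode & loose:
        problems.append("cgi-bin writable by group or other")
    if script.mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("script is setuid/setgid")
    return problems

# Constructed sample values (uid/gid 1000, not taken from the thread).
HOME = Meta(1000, 1000, 0o040700)
GOOD_DIR = Meta(1000, 1000, 0o040700)
OPEN_DIR = Meta(1000, 1000, 0o040777)   # the mode 777 case from the reply
SCRIPT = Meta(1000, 1000, 0o100700)

if __name__ == "__main__":
    print(precheck(SCRIPT, GOOD_DIR, HOME))   # no findings
    print(precheck(SCRIPT, OPEN_DIR, HOME))   # flags the writable directory
```

On a live system, pass `meta_of()` results for the script, its cgi-bin directory and the home directory instead of the constructed values.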