> Can anyone explain to me the restriction on where I can place cgi
> scripts if suExec is being used with apache? As best as I can
> understand, all cgi scripts must be contained under the *global*
> DocumentRoot in order for suExec to run them. This means that when I
> have a setup like

cgi's go in exactly the same place they would go if you weren't running suexec.

> DocumentRoot /var/www
>
> <VirtualHost my.ip.address>
> ServerName my.virtualhost.com
> DocumentRoot /usr/local/share/virtualhost
> ScriptAlias /cgi-bin/ /usr/local/share/virtualhost/cgi-bin/
> User vhostusr
> Group vhostgrp
> </VirtualHost>
>
> Then requests to any cgi script within
> http://my.virtualhost.com/cgi-bin/ will fail with an internal server
> error, claiming that the command is "not in the docroot".

given the above setup your cgi's should go into /usr/local/share/virtualhost/cgi-bin/. one thing that you need to change is that suexec takes care of the 'scriptalias' part. you don't need that. if you want a url like /cgi-bin/ to work then you can use the 'alias' directive. the 'scriptalias' is at least unnecessary and may break things.

> Why do I have to completely rearrange my directory structure just to get
> suExec to work? All cgi scripts in user home directories fail under this
> setup because /home/username is not under /var/www (and any page
> accessed using ~username automatically triggers suExec).

in our setup /web/docs is the main doc root and ~user/www is the document root for all other virtual domains. suexec works in this setup just fine.

> The obvious workaround is to set DocumentRoot to /, but I can't think of
> a more crazily insecure option.

that is *NOT* a good idea.

> Does anyone have any suggestions? It seems to me that suExec should be
> seeing whether the command is in the documentroot *for this virtual
> host*... and I don't understand why it isn't doing that.

the way you think it should work *is* the way it works, something else is going wrong.

adam.