suExec & vhost problem
|
View:
New views
2 Messages
—
Rating Filter:
Alert me
|
 |
suExec & vhost problem
by Bugzilla from nick@customdesigns.ca
::
Rate this Message:
Hi list,
I'm trying to set up suExec with virtual hosts, and I am either going about this all wrong, or I have found a bug. Given the following vhost: <VirtualHost *:80> SuexecUserGroup example.org example.org ScriptAlias /php5 ~/cgi-bin/php Action php5-cgi /php5 AddHandler php5-cgi .php ServerName www.example.org ServerAlias example.org ServerAdmin support@... DocumentRoot /home/example.org/www/htdocs <Directory "/home/example.org/www/htdocs"> Order allow,deny Allow from all Options Indexes FollowSymLinks </Directory> LogLevel warn CustomLog /home/example.org/logs/access.log combined ErrorLog /home/example.org/logs/error.log <Directory /home/example.org/cgi-bin> Order allow,deny Allow from all </Directory> </VirtualHost> and the following suExec config: -D AP_DOC_ROOT="/opt/ccp" -D AP_GID_MIN=100 -D AP_HTTPD_USER="apache" -D AP_LOG_EXEC="/var/log/apache2/suexec_log" -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin" -D AP_SUEXEC_UMASK=077 -D AP_UID_MIN=1000 -D AP_USERDIR_SUFFIX="cgi-bin" First I'll explain why I have this setup. /opt/ccp is a piece of software that allows me to control the server via http. I'd rather not move it. The virtual hosts will obviously run as their own user, in their home directory (/home/tld). The line in question is the ScriptAlias line. If I use a full path like: ScriptAlias /php5 /home/example.org/cgi-bin/php suExec fails saying it's outside of the docroot. I believe this is correct behavior, though it would be nice if suExec knew /home/example.org is the same as ~ Where it gets buggy is if I have it as in the example: ScriptAlias /php5 ~/cgi-bin/php Now suExec is happy, but Apache (incorrectly, IMO) prepends ServerRoot and cuts off all but the tilde. PHP scripts throw a 403 and In my log I get: client denied by server configuration: /usr/lib64/apache2/~ I know that the normal behaviour for Apache is to prepend ServerRoot to any path not starting with "/", but this conflicts with the requirement of suExec to begin any user-owned path with ~ which is why I think it may be considered a bug. Does anyone know how I can achieve this? I'm running Apache 2.2.9 on a Gentoo box. Thanks, Nick --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@... " from the digest: users-digest-unsubscribe@... For additional commands, e-mail: users-help@... |
|
|
|
| Free Forum Powered by Nabble | Forum Help |