Date:      Wed, 1 Apr 1998 09:12:26 -0600
From:      "Scot W. Hetzel" <hetzels@westbend.net>
To:        "Dean Hollister" <dean@odyssey.apana.org.au>
Cc:        <freebsd-isp@FreeBSD.ORG>
Subject:   Re: suexec error
Message-ID:  <007701bd5d80$9506f4a0$c3e0d9cf@admin.westbend.net>

From: Dean Hollister <dean@odyssey.apana.org.au>

>On Tue, 31 Mar 1998, Travis Mikalson wrote:
>
>> Check out the log file that suexec creates (I set mine to
>> /var/log/cgi.log)
>>
>> It will give you the reason that suexec terminated the cgi being wrapped
>> before it could run.
>
>I found the cause. suexec.h had the incorrect user the server runs as.
>
>However, upon installing the recompiled version, all cgi ran as root - a
>definite security no-no. So, I compiled the standalone version of suexec
>which works correctly.
>
>Here is the suexec.h file for the Frontpage extensions. There _has_ to be
>a bug in the header:
>
>[Copyright Notice snipped to conserve space]
>
> *
> */
>
>/* "FPEXE modification made on Nov 2nd 1997 by Mark Wormgoor (riddles@ipe.nl)
> *
> * Changes were made in order to use Suexec and Frontpage 98 at the same time.
> * Instead of trying to run suid on /usr/local/frontpage/currentversion/bin/fpexe,
> * we execute this so the suid-bit does all the work
> */
>
>/*
> * suexec.h -- user-definable variables for the suexec wrapper code.
> */
>
>
>#ifndef _SUEXEC_H
>#define _SUEXEC_H
>
>/*
> * HTTPD_USER -- Define as the username under which Apache normally
> *               runs.  This is the only user allowed to execute
> *               this program.
> */
>#ifndef HTTPD_USER
>#define HTTPD_USER "nobody"
>#endif
>


The files/Makefile redefines this to user "www", thus the server should be
changed to run as this user in the config file.  If this isn't what your
server runs as then you need to change it here, before you build the port.

>/*
> * USERDIR_SUFFIX -- Define to be the subdirectory under users'
> *                   home directories where suEXEC access should
> *                   be allowed.  All executables under this directory
> *                   will be executable by suEXEC as the user so
> *                   they should be "safe" programs.  If you are
> *                   using a "simple" UserDir directive (ie. one
> *                   without a "*" in it) this should be set to
> *                   the same value.  suEXEC will not work properly
> *                   in cases where the UserDir directive points to
> *                   a location that is not the same as the user's
> *                   home directory as referenced in the passwd file.
> *
> *                   If you have VirtualHosts with a different
> *                   UserDir for each, you will need to define them to
> *                   all reside in one parent directory; then name that
> *                   parent directory here.  IF THIS IS NOT DEFINED
> *                   PROPERLY, ~USERDIR CGI REQUESTS WILL NOT WORK!
> *                   See the suEXEC documentation for more detailed
> *                   information.
> */
>#ifndef USERDIR_SUFFIX
>#define USERDIR_SUFFIX "public_html"
>#endif
>
This gets redefined to "public_html/cgi-bin" by the files/Makefile from the
apache-fp port. This way all cgi programs are in one directory instead of
being run from any directory under public_html.

Scot
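
The effect of the two defines discussed above, as an added example that is not part of the original message and is not Apache's suexec.c. The helper names, the sample paths and the -D override shown in the comment are assumptions made for illustration; the message does not show how files/Makefile passes its values.

```c
/* Added example: simplified sketch, not Apache's suexec.c. */
#include <stdio.h>
#include <string.h>
/* Same guards as the quoted suexec.h: a value passed at build time
 * (for instance cc -DHTTPD_USER='"www"') wins, else the default applies. */
#ifndef HTTPD_USER
#define HTTPD_USER "nobody"
#endif
#ifndef USERDIR_SUFFIX
#define USERDIR_SUFFIX "public_html"
#endif

/* Hypothetical helper: only the account named at build time may call
 * the wrapper, so a server running as any other user is refused. */
int caller_is_httpd_user(const char *caller_name)
{
    return strcmp(caller_name, HTTPD_USER) == 0;
}

/* Hypothetical helper: is cgi_dir equal to or below <home>/<USERDIR_SUFFIX>?
 * Assumes cgi_dir is already canonical (as getcwd() would return it). */
int dir_is_under_userdir(const char *home, const char *cgi_dir)
{
    char root[1024];
    int n = snprintf(root, sizeof root, "%s/%s", home, USERDIR_SUFFIX);
    if (n < 0 || (size_t)n >= sizeof root)
        return 0;                          /* refuse on truncation */
    if (strstr(cgi_dir, "/..") != NULL)
        return 0;                          /* refuse unresolved parent refs */
    if (strncmp(cgi_dir, root, (size_t)n) != 0)
        return 0;
    /* Match on a path-component boundary: "public_html_old" must not pass. */
    return cgi_dir[n] == '\0' || cgi_dir[n] == '/';
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *callers[] = { "nobody", "www" };
    const char *dirs[] = { "/home/alice/public_html/cgi-bin",
                           "/home/alice/public_html_old" };
    for (int i = 0; i < 2; i++)
        printf("caller %-6s (built for %s): %s\n", callers[i], HTTPD_USER,
               caller_is_httpd_user(callers[i]) ? "allowed" : "refused");
    for (int i = 0; i < 2; i++)
        printf("%-32s under ~/%s: %s\n", dirs[i], USERDIR_SUFFIX,
               dir_is_under_userdir("/home/alice", dirs[i]) ? "yes" : "no");
    return 0;
}
```

Built with the header defaults, a server running as "www" is refused; rebuilding with HTTPD_USER set to "www" and USERDIR_SUFFIX set to "public_html/cgi-bin" flips the first result and narrows the second to the cgi-bin directory.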

