[CentOS-devel] Trivial mod to httpd-suexec-2.0.52-9.ent.centos4.1
Ed Clarke
clarke at cilia.org
Sun May 29 14:30:59 UTC 2005

The httpd-suexec package is part of the httpd source RPM. As part of the
security model of suexec, a directory is hard coded into /usr/sbin/suexec
(/var/www in CentOS 4) that must be the root of all cgi-bin directories on
the system. As an alternate, the UserDir (/home/*/public_html) may be
enabled for CGI execution - but this is not done by default.

As a web-hosting company, we prefer to move the default cgi-bin directory
to /home/cgi-bin (and subdirectories) rather than /var/www. This permits us
to keep all customer files on one filesystem (/home) and still use
Webmin/Usermin/Virtualmin. This also makes it easier to enforce quota
restrictions.

This is the way we add virtual systems (using cilia as an example):

    mkdir /home/cgi-bin/cilia
    chmod 755 /home/cgi-bin/cilia
    chown cilia.cilia /home/cgi-bin/cilia
    ln -s /home/cilia/cgi-bin /home/cgi-bin/cilia

This follows the security model described in
http://httpd.apache.org/docs-2.0/suexec.html
although I'm not sure why this restriction is necessary. You get some
obscure error messages about "premature end of script headers" if you
don't do this correctly. The real error is written to
/var/log/httpd/suexec.log but takes a while to find.

The change to make this is simple - two lines in the httpd.spec file
(could be one):

    %define cgidir /home/cgi-bin            <--- added line
    --with-suexec-docroot=%{cgidir} \       <--- changed line

Is this worth doing in CentOSPlus? It looks like you have to recompile all
of httpd (Apache 2.x) even though you're only changing the one file in the
sub package.
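
The following pre-flight check is an added example, not part of the original message and not code from the httpd package. It approximates three of the tests in the suEXEC security model linked above (target directory inside the compiled-in docroot, directory and program not writable by group or others), so a problem shows up before it surfaces as "premature end of script headers". The function name check_suexec_path is hypothetical, and the assumption is that suexec compares physically resolved directories, so a path reached through a symlink is judged by where the symlink points.

```shell
#!/bin/bash
# Added example (hypothetical helper, not from the httpd package).
# check_suexec_path DOCROOT SCRIPT
#   prints a verdict; returns 0 if the path passes, 1 if a check fails,
#   2 if a path cannot be resolved.
check_suexec_path() {
    local docroot_arg="$1" script="$2" docroot dir target
    # Resolve both directories physically (symlinks followed).
    docroot=$(cd -P -- "$docroot_arg" 2>/dev/null && pwd -P) ||
        { echo "cannot resolve docroot ($docroot_arg)"; return 2; }
    dir=$(cd -P -- "$(dirname -- "$script")" 2>/dev/null && pwd -P) ||
        { echo "cannot resolve script directory ($script)"; return 2; }
    target="$dir/$(basename -- "$script")"

    # Containment test on a path-component boundary.
    case "$dir/" in
        "$docroot"/*) ;;
        *) echo "not in docroot: $dir is outside $docroot"; return 1 ;;
    esac

    # The directory must not be writable by group or others.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "directory writable by group or others: $dir"; return 1
    fi

    # The program must be a regular file (not a symlink) ...
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "not a regular file: $target"; return 1
    fi
    # ... and must not be writable by group or others either.
    if [ -n "$(find "$target" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "program writable by group or others: $target"; return 1
    fi

    echo "ok: $target"
}

# Usage (paths are placeholders for your own layout):
#   check_suexec_path /home/cgi-bin /home/cgi-bin/cilia/test.cgi
```

The docroot argument should be the value the binary was built with (the --with-suexec-docroot setting), since that is what the real check uses; ownership and uid/gid checks are not covered here.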