[CentOS-devel] Trivial mod to httpd-suexec-2.0.52-9.ent.centos4.1

Johnny Hughes mailing-lists at hughesjr.com
Sun May 29 14:44:03 UTC 2005


On Sun, 2005-05-29 at 10:30 -0400, Ed Clarke wrote:
> The httpd-suexec package is part of the httpd source RPM. As part of the
> security model of suexec, a directory is hard coded into /usr/sbin/suexec
> (/var/www in CentOS 4) that must be the root of all cgi-bin directories on
> the system. As an alternate, the UserDir (/home/*/public_html) may be
> enabled for CGI execution - but this is not done by default.
> 
> As a web-hosting company, we prefer to move the default cgi-bin directory
> to /home/cgi-bin (and subdirectories) rather than /var/www. This permits us
> to keep all customer files on one filesystem (/home) and still use
> Webmin/Usermin/Virtualmin. This also makes it easier to enforce quota
> restrictions.
> 
> This is the way we add virtual systems (using cilia as an example):
> 
> mkdir /home/cgi-bin/cilia
> chmod 755 /home/cgi-bin/cilia
> chown cilia.cilia /home/cgi-bin/cilia
> ln -s /home/cilia/cgi-bin /home/cgi-bin/cilia
> 
> This follows the security model described in
> http://httpd.apache.org/docs-2.0/suexec.html
> although I'm not sure why this restriction is necessary. You get some
> obscure error messages about "premature end of script headers" if you
> don't do this correctly. The real error is written to
> /var/log/httpd/suexec.log but takes a while to find.
> 
> 
> The change to make this is simple - two lines in the httpd.spec file
> (could be one):
> 
> %define cgidir /home/cgi-bin               <--- added line
> 
>         --with-suexec-docroot=%{cgidir} \   <--- changed line
> 
> Is this worth doing in CentOSPlus? It looks like you have to recompile
> all of httpd (Apache 2.x) even though you're only changing the one file
> in the sub package.

I would be willing to do this if there are lots of other people who also
need it that way.

If you are an ISP or other user who makes this same modification, let us
know on the list.  If enough people are doing it this way, I'll make the
RPM for CentOSPlus and keep it in sync.
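
Added example, not part of either message: a pre-flight script that applies the directory and file checks from the suexec document linked above to a CGI path before Apache runs it, so a misplaced or mis-permissioned script is caught without digging through /var/log/httpd/suexec.log. The function name `suexec_preflight` and its messages are hypothetical; it assumes GNU coreutils and takes the docroot that was built in with `--with-suexec-docroot`.

```shell
#!/bin/sh
# Added example: pre-flight a CGI script against checks suexec documents.
# Assumes GNU coreutils (readlink -f, stat -c), as shipped on CentOS.

# suexec_preflight DOCROOT SCRIPT UID
#   DOCROOT  value built in via --with-suexec-docroot (e.g. /home/cgi-bin)
#   SCRIPT   path to the CGI program as Apache would reach it
#   UID      numeric uid of the vhost user, e.g. $(id -u cilia)
# Prints one line per failed check; returns 0 only when every check passes.
suexec_preflight() {
    local docroot script uid dir path mode rc
    docroot=$(readlink -f -- "$1") || return 2
    script=$2; uid=$3; rc=0
    if [ ! -f "$script" ]; then
        echo "cannot stat program: $script"; return 1
    fi
    # suexec looks at the real working directory, so resolve symlinks first.
    dir=$(readlink -f -- "$(dirname -- "$script")") || return 2
    case "$dir/" in
        "$docroot"/*) ;;
        *) echo "not in docroot: $dir"; rc=1 ;;
    esac
    # Both the directory and the program must be owned by the target user
    # and must not be writable by anyone else.
    for path in "$dir" "$script"; do
        mode=$(stat -c %a -- "$path")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "writable by group or others: $path"; rc=1
        fi
        if [ "$(stat -c %u -- "$path")" != "$uid" ]; then
            echo "owner is not uid $uid: $path"; rc=1
        fi
    done
    # $mode still holds the script's mode after the loop.
    if [ $(( 0$mode & 06000 )) -ne 0 ]; then
        echo "setuid or setgid: $script"; rc=1
    fi
    return $rc
}
```

Because the directory is resolved before the comparison, a cgi-bin reached through a symlink is judged by where the link points, not by where the link lives.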