[CentOS-devel] Trivial mod to httpd-suexec-2.0.52-9.ent.centos4.1

Sun May 29 14:30:59 UTC 2005
Ed Clarke <clarke at cilia.org>

The httpd-suexec package is part of the httpd source RPM. As part of the 
security
model of suexec, a directory is hard coded into /usr/sbin/suexec 
(/var/www in
Centos 4) that must be the root of all cgi-bin directories on the 
system. As an
alternate, the UserDir (/home/*/public_html) may be enabled for CGI 
execution -
but this is not done by default.

As a web-hosting company, we prefer to move the default cgi-bin directory to
/home/cgi-bin (and subdirectories) rather than /var/www. This permits us 
to keep
all customer files on one filesystem (/home) and still use 
Webmin/Usermin/Virtualmin.
This also makes it easier to enforce quota restrictions.

This is the way we add virtual systems (using cilia as an example):

mkdir /home/cgi-bin/cilia
chmod 755 /home/cgi-bin/cilia
chown cilia.cilia /home/cgi-bin/cilia
ln -s /home/cilia/cgi-bin /home/cgi-bin/cilia

This follows the security model described in 
http://httpd.apache.org/docs-2.0/suexec.html
although I'm not sure why this restriction is necessary. You get some 
obscure error
messages about "premature end of script headers" if you don't do this 
correctly.  The
real error is written to /var/log/httpd/suexec.log but takes a while to 
find.


The change to make this is simple - two lines in the httpd.spec file ( 
could be one ):

%define cgidir /home/cgi-bin               <--- added line

        --with-suexec-docroot=%{cgidir} \   <--- changed line

Is this worth doing in CentosPlus?  It looks like you have to recompile 
all of httpd
(Apache 2.x) even though you're only changing the one file in the sub 
package.