The httpd-suexec package is part of the httpd source RPM. As part of the security model of suexec, a directory is hard coded into /usr/sbin/suexec (/var/www in CentOS 4) that must be the root of all cgi-bin directories on the system. As an alternative, the UserDir (/home/*/public_html) may be enabled for CGI execution - but this is not done by default.
As a web-hosting company, we prefer to move the default cgi-bin directory to /home/cgi-bin (and subdirectories) rather than /var/www. This permits us to keep all customer files on one filesystem (/home) and still use Webmin/Usermin/Virtualmin. This also makes it easier to enforce quota restrictions.
This is the way we add virtual systems (using cilia as an example):
mkdir /home/cgi-bin/cilia
chmod 755 /home/cgi-bin/cilia
chown cilia.cilia /home/cgi-bin/cilia
ln -s /home/cilia/cgi-bin /home/cgi-bin/cilia
This follows the security model described in http://httpd.apache.org/docs-2.0/suexec.html although I'm not sure why this restriction is necessary. You get some obscure error messages about "premature end of script headers" if you don't do this correctly. The real error is written to /var/log/httpd/suexec.log but takes a while to find.
The change to make this is simple - two lines in the httpd.spec file (could be one):
%define cgidir /home/cgi-bin <--- added line
--with-suexec-docroot=%{cgidir} \ <--- changed line
Is this worth doing in CentOSPlus? It looks like you have to recompile all of httpd (Apache 2.x) even though you're only changing the one file in the sub package.
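An added pre-flight check (example code, not from the list or from httpd) that reproduces the three directory rules suexec applies before running a script, so a mis-built vhost can be caught before the browser shows "premature end of script headers" and the reason has to be dug out of suexec.log. The docroot is passed in because it depends on what the binary was compiled with; the function name, messages and GNU stat -c usage are this example's own.

```shell
#!/bin/sh
# check_cgi_dir DOCROOT DIR USER
# Mirrors what suexec checks about a script's directory: it must resolve to
# somewhere under the compiled-in --with-suexec-docroot, must not be
# group/world writable, and must be owned by the target user.
# Prints the reason and returns 1 on failure, 0 when suexec would accept it.
check_cgi_dir() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no docroot $1"; return 1; }
    real=$(cd "$2" 2>/dev/null && pwd -P) || { echo "cannot chdir to $2"; return 1; }
    user=$3
    # suexec compares the physical path, so the symlink direction matters:
    # /home/cilia/cgi-bin -> /home/cgi-bin/cilia resolves inside the docroot,
    # /home/cgi-bin/cilia -> /home/cilia/cgi-bin resolves outside it.
    case "$real/" in
        "$docroot"/*) ;;
        *) echo "command not in docroot ($real)"; return 1 ;;
    esac
    # mode check: no write bit for group or others (GNU stat output, e.g. 755)
    mode=$(stat -c %a "$real")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "directory is writable by others (mode $mode)"; return 1
    fi
    # owner check: directory must belong to the user suexec will switch to
    owner=$(stat -c %U "$real")
    if [ "$owner" != "$user" ]; then
        echo "directory owner $owner does not match target user $user"; return 1
    fi
    return 0
}

# Usage for the vhost layout from the post, assuming the spec change that
# puts the docroot at /home/cgi-bin (the stock CentOS 4 binary has /var/www):
#   check_cgi_dir /home/cgi-bin /home/cilia/cgi-bin cilia
```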
On Sun, 2005-05-29 at 10:30 -0400, Ed Clarke wrote:
> The httpd-suexec package is part of the httpd source RPM. As part of the security model of suexec, a directory is hard coded into /usr/sbin/suexec (/var/www in CentOS 4) that must be the root of all cgi-bin directories on the system. As an alternative, the UserDir (/home/*/public_html) may be enabled for CGI execution - but this is not done by default.
> As a web-hosting company, we prefer to move the default cgi-bin directory to /home/cgi-bin (and subdirectories) rather than /var/www. This permits us to keep all customer files on one filesystem (/home) and still use Webmin/Usermin/Virtualmin. This also makes it easier to enforce quota restrictions.
> This is the way we add virtual systems (using cilia as an example):
> mkdir /home/cgi-bin/cilia
> chmod 755 /home/cgi-bin/cilia
> chown cilia.cilia /home/cgi-bin/cilia
> ln -s /home/cilia/cgi-bin /home/cgi-bin/cilia
> This follows the security model described in http://httpd.apache.org/docs-2.0/suexec.html although I'm not sure why this restriction is necessary. You get some obscure error messages about "premature end of script headers" if you don't do this correctly. The real error is written to /var/log/httpd/suexec.log but takes a while to find.
> The change to make this is simple - two lines in the httpd.spec file (could be one):
> %define cgidir /home/cgi-bin <--- added line
> --with-suexec-docroot=%{cgidir} \ <--- changed line
> Is this worth doing in CentOSPlus? It looks like you have to recompile all of httpd (Apache 2.x) even though you're only changing the one file in the sub package.
I would be willing to do this if there are lots of other people who also need it that way.
If you are an ISP or other user who makes this same modification, let us know on the list. If enough people are doing it this way, I'll make the RPM for CentOSPlus and keep it in sync.
I manage systems with suexec pointing to different places - you only need to rebuild the suexec binary ... although you do need the apache devel source tree built to do it ...
Lance