[CentOS-devel] Trivial mod to httpd-suexec-2.0.52-9.ent.centos4.1

Thu Jun 2 22:14:31 UTC 2005
Lance Davis <lance at uklinux.net>

I manage systems with suexec pointing to different places - you only need 
to rebuild the suexec binary ... although you do need the apache devel 
source tree built to do it ...

Lance

-- 
uklinux.net - 
The ISP of choice for the discerning Linux user. 
-------------- next part --------------
On Sun, 2005-05-29 at 10:30 -0400, Ed Clarke wrote:
> The httpd-suexec package is part of the httpd source RPM. As part of the 
> security
> model of suexec, a directory is hard coded into /usr/sbin/suexec 
> (/var/www in
> Centos 4) that must be the root of all cgi-bin directories on the 
> system. As an
> alternate, the UserDir (/home/*/public_html) may be enabled for CGI 
> execution -
> but this is not done by default.
> 
> As a web-hosting company, we prefer to move the default cgi-bin directory to
> /home/cgi-bin (and subdirectories) rather than /var/www. This permits us 
> to keep
> all customer files on one filesystem (/home) and still use 
> Webmin/Usermin/Virtualmin.
> This also makes it easier to enforce quota restrictions.
> 
> This is the way we add virtual systems (using cilia as an example):
> 
> mkdir /home/cgi-bin/cilia
> chmod 755 /home/cgi-bin/cilia
> chown cilia.cilia /home/cgi-bin/cilia
> ln -s /home/cilia/cgi-bin /home/cgi-bin/cilia
> 
> This follows the security model described in 
> http://httpd.apache.org/docs-2.0/suexec.html
> although I'm not sure why this restriction is necessary. You get some 
> obscure error
> messages about "premature end of script headers" if you don't do this 
> correctly.  The
> real error is written to /var/log/httpd/suexec.log but takes a while to 
> find.
> 
> 
> The change to make this is simple - two lines in the httpd.spec file ( 
> could be one ):
> 
> %define cgidir /home/cgi-bin               <--- added line
> 
>         --with-suexec-docroot=%{cgidir} \   <--- changed line
> 
> Is this worth doing in CentosPlus?  It looks like you have to recompile 
> all of httpd
> (Apache 2.x) even though you're only changing the one file in the sub 
> package.

I would be willing to do this if there are lots of other people who also
need it that way.

If you are an ISP or other user who makes this same modification, let us
know on the list.  If enough people are doing it this way, I'll make the
RPM for CentOSPlus and keep it in sync.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20050602/8aa4c8b0/attachment-0006.sig>
-------------- next part --------------
_______________________________________________
CentOS-devel mailing list
CentOS-devel at centos.org
http://lists.centos.org/mailman/listinfo/centos-devel