I manage systems with suexec pointing to different places - you only
need to rebuild the suexec binary ... although you do need the apache
devel source tree built to do it ...

Lance

--
uklinux.net - The ISP of choice for the discerning Linux user.

-------------- next part --------------

On Sun, 2005-05-29 at 10:30 -0400, Ed Clarke wrote:
> The httpd-suexec package is part of the httpd source RPM. As part of the
> security model of suexec, a directory is hard coded into /usr/sbin/suexec
> (/var/www in Centos 4) that must be the root of all cgi-bin directories on
> the system. As an alternate, the UserDir (/home/*/public_html) may be
> enabled for CGI execution - but this is not done by default.
>
> As a web-hosting company, we prefer to move the default cgi-bin directory
> to /home/cgi-bin (and subdirectories) rather than /var/www. This permits us
> to keep all customer files on one filesystem (/home) and still use
> Webmin/Usermin/Virtualmin. This also makes it easier to enforce quota
> restrictions.
>
> This is the way we add virtual systems (using cilia as an example):
>
>     mkdir /home/cgi-bin/cilia
>     chmod 755 /home/cgi-bin/cilia
>     chown cilia.cilia /home/cgi-bin/cilia
>     ln -s /home/cilia/cgi-bin /home/cgi-bin/cilia
>
> This follows the security model described in
> http://httpd.apache.org/docs-2.0/suexec.html
> although I'm not sure why this restriction is necessary. You get some
> obscure error messages about "premature end of script headers" if you
> don't do this correctly. The real error is written to
> /var/log/httpd/suexec.log but takes a while to find.
>
> The change to make this is simple - two lines in the httpd.spec file
> ( could be one ):
>
>     %define cgidir /home/cgi-bin           <--- added line
>
>     --with-suexec-docroot=%{cgidir} \      <--- changed line
>
> Is this worth doing in CentosPlus? It looks like you have to recompile
> all of httpd (Apache 2.x) even though you're only changing the one file
> in the sub package.

I would be willing to do this if there are lots of other people who also
need it that way. If you are an ISP or other user who makes this same
modification, let us know on the list. If enough people are doing it
this way, I'll make the RPM for CentOSPlus and keep it in sync.

_______________________________________________
CentOS-devel mailing list
CentOS-devel at centos.org
http://lists.centos.org/mailman/listinfo/centos-devel
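
An added example, not part of the thread or of the httpd package: a pre-flight check that applies the directory and program rules from the suexec documentation linked above to one CGI script, so that a misconfiguration is caught before it surfaces as "premature end of script headers". The function name `suexec_preflight` is hypothetical, and the docroot argument is assumed to be the value the suexec binary was built with (`--with-suexec-docroot`).

```shell
#!/bin/sh
# Added example: check one CGI script against the suexec directory/program
# rules. The docroot passed in is an assumption supplied by the caller.

# suexec_preflight DOCROOT SCRIPT USER GROUP
# Prints the first failed rule and returns 1; returns 0 if every rule passes.
suexec_preflight() {
    docroot=$1 script=$2 user=$3 group=$4

    [ -f "$script" ] || { echo "target program does not exist"; return 1; }

    # Resolve symlinks first: the comparison is made on physical directories.
    real_root=$(cd "$docroot" 2>/dev/null && pwd -P) ||
        { echo "docroot not accessible"; return 1; }
    real_dir=$(cd "$(dirname "$script")" 2>/dev/null && pwd -P) ||
        { echo "script directory not accessible"; return 1; }

    # The script's directory must be the docroot or lie below it.
    case "$real_dir/" in
        "$real_root"/*) ;;
        *) echo "directory $real_dir is outside docroot $real_root"; return 1 ;;
    esac

    for p in "$real_dir" "$real_dir/$(basename "$script")"; do
        # Neither the directory nor the program may be group- or world-writable.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "$p is writable by group or others"; return 1
        fi
        # Both must belong to the user and group the request will run as.
        if [ -z "$(find "$p" -prune -user "$user" -group "$group")" ]; then
            echo "$p is not owned by $user:$group"; return 1
        fi
    done

    # The program itself must not be setuid or setgid.
    if [ -u "$script" ] || [ -g "$script" ]; then
        echo "$script is setuid or setgid"; return 1
    fi
    return 0
}
```

Because the directory is resolved with `pwd -P`, a script reached through a symlink is judged by where it physically lives, not by the path it was requested under.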