Hi Chris, > I'm no Perl expert. Is there something we should be looking at that > would have this script (in his web/cgi-bin directory) execute as the > vsite user rather than Apache?
There is no easy answer to this other than: At this time on 5209R we do have no way of executing Perl scripts under other UID/GIDs than "apache". On Apache 2.0 (5106R) and Apache 2.2 (5x07R/5x08R) we use CGIWrap in order to run Perl scripts with the UID/GID of the Vsite. Until now I have been unable to get CGIWrap (even the latest 4.1) running on 5209R. Well, there is also "SUEXEC", a method for exactly this which is built in into Apache 2.4. According to the Apache docs something like this inside a VirtualHost container should suffice: SuexecUserGroup s1_admin site1 But it doesn't, even if SUEXEC is on - which it is by default: [root@5209r web]# grep suexec /var/log/httpd/error_log [Mon Jun 26 11:53:46.584880 2017] [suexec:notice] [pid 22883] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) We just get a generic error message then for *any* Perl script, even if it worked before w/o SuexecUserGroup defined: [cgi:error] [pid 29815] [client XXXX:45100] End of script output before headers: test.pl The reason being this: [root@5209r web]# suexec -V -D AP_DOC_ROOT="/var/www" <--- This one! -D AP_GID_MIN=100 -D AP_HTTPD_USER="apache" -D AP_LOG_SYSLOG -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin" -D AP_UID_MIN=500 -D AP_USERDIR_SUFFIX="public_html" The "suexec" binary on CentOS 7 has been compiled with a hard-coded Apache DocumentRoot of /var/www/ and our Perl scripts reside with the rest of the Vsites under /home/sites instead. Hence we're not allowed to use anything "suexec" related. And "suexec" is part of the "httpd" RPM, so this would mean recompiling Apache and providing it out of the BlueOnyx YUM repos. Where to go from here? ======================= apache2-suexec-custom: Debian and Ubuntu have the same problem and solve this by providing an alternative suexec mechanism called "apache2-suexec-custom". I haven't been able yet to port this to CentOS 7 and am still looking into it. CGIWrap: I haven't given up on this yet, but as of now I haven't yet managed to get it working. -- With best regards Michael Stauber _______________________________________________ Blueonyx mailing list Blueonyx@mail.blueonyx.it http://mail.blueonyx.it/mailman/listinfo/blueonyx