Hi there,

I'm trying to set up gitweb. As part of this, I'm trying to make
Apache execute the gitweb.cgi as the user 'git' (UID 1002) using
suEXEC.

To achieve this, I've:

 - installed the apache2-suexec-custom package
 - added /etc/apache2/suexec/git containing:

/srv/h1
# 

   i.e., document root is /srv/h1 and userdirs are not allowed.
 - installed the gitweb.cgi in /srv/h1
 - created a <VirtualHost> config in /etc/apache2/sites-available/h1
   like this:

<VirtualHost *:80>
    ServerName h1.my.domain
    SuexecUserGroup git git
    DocumentRoot /srv/h1
    ErrorLog  /var/log/apache2/h1.error.log
    CustomLog /var/log/apache2/h1.access.log combined
    <Directory /srv/h1>
        Options ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
        AllowOverride All
        order allow,deny
        Allow from all
        AddHandler cgi-script cgi
        DirectoryIndex gitweb.cgi
    </Directory>
</VirtualHost>

The idea is that Apache executes the gitweb.cgi as user 'git' because
it's instructed to by the SuexecUserGroup directive. And suEXEC allows
/srv/h1/gitweb.cgi to be executed because the directory /srv/h1 is
declared as suEXEC's docroot in /etc/apache2/suexec/git, and
/etc/apache2/suexec/git is the operative configuration file because
gitweb.cgi is being executed as user 'git'.

However, when I actually try and GET / on h1.my.domain I receive
500. The Apache error log says:

suexec policy violation: see suexec log for more details

And the suexec error log says:

[2014-09-18 17:02:02]: uid: (1002/git) gid: (1002/git) cmd: gitweb.cgi
[2014-09-18 17:02:02]: command not in docroot (/srv/h1/gitweb.cgi)

Lastly, I found that I could actually make gitweb.cgi execute
successfully by altering the /etc/apache2/suexec/www-data config like
this:

/srv/h1
public_html/cgi-bin

i.e., replacing the default /var/www docroot with /srv/h1. This
implies that suEXEC is being called as www-data, and not git. Does
that sound right?

Can anyone explain what's going on here?

Thanks,
Richard
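
An added example, not part of the original post and not suexec's own code: a shell model of the docroot test behind the "command not in docroot" log line, evaluated once per candidate config file. Which file suexec-custom actually reads is the question the post raises, so the config user is a parameter; the function names and the temporary sample directory are assumptions made for the illustration, and paths are compared as strings rather than resolved on disk.

```shell
#!/bin/sh
# Model of the docroot decision only; this is not suexec's own code.

# Constructed sample data: the two files as the post describes them, with
# www-data's file in its default state (docroot /var/www).
make_sample_conf() {
    d=$(mktemp -d) || return 1
    printf '/srv/h1\n# \n' > "$d/git"
    printf '/var/www\npublic_html/cgi-bin\n' > "$d/www-data"
    printf '%s\n' "$d"
}

# Print the docroot from <confdir>/<user> (first line of the file).
# A missing file, or a first line that is empty or starts with '#', fails.
suexec_docroot() {
    [ -r "$1/$2" ] || return 1
    line=
    IFS= read -r line < "$1/$2" || [ -n "$line" ] || return 1
    case "$line" in
        ''|'#'*) return 1 ;;
    esac
    printf '%s\n' "${line%/}"
}

# Succeed if <dir> is <docroot> or below it. Appending "/" to both sides
# keeps /srv/h1 from matching /srv/h10.
in_docroot() {
    case "$2/" in
        "$1/"*) return 0 ;;
    esac
    return 1
}

# Usage: suexec_check <confdir> <config-user> <cwd> <cmd>
suexec_check() {
    if ! docroot=$(suexec_docroot "$1" "$2"); then
        echo "no usable docroot in $1/$2"; return 2
    fi
    if in_docroot "$docroot" "$3"; then
        echo "allowed: $3/$4 (docroot $docroot)"
    else
        echo "command not in docroot ($3/$4)"; return 1
    fi
}

conf=$(make_sample_conf)
suexec_check "$conf" git      /srv/h1 gitweb.cgi || true
suexec_check "$conf" www-data /srv/h1 gitweb.cgi || true
rm -rf "$conf"
```

In this model, reading git's file allows /srv/h1/gitweb.cgi, while reading www-data's default file produces the same violation text as the suexec log quoted in the post.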

