On 2/14/07, Kövesdán Gábor <[EMAIL PROTECTED]> wrote:
> Thanks for the detailed explanation. I'm running php as CGI now, but I've run into a strange issue. Firstly, I got this message:
>
> [2007-02-12 20:37:45]: cannot get docroot information (/usr/local/www/data)
>
> I wondered why I get this, since the DocumentRoot is different for the given VirtualHost, but I've modified the modes on this directory, and this message vanished. The next one was:
>
> [2007-02-12 20:39:34]: command not in docroot (/usr/local/bin/php-cgi)
>
> I see, it is not in the above directory, but why is it necessary? How can I avoid installing php there? Ok, I copied the php-cgi binary there (symlinking did not work) and the next one was:
>
> [2007-02-12 20:45:23]: target uid/gid (1003/1003) mismatch with directory (0/0) or program (1003/1003)
>
> I still can solve it by chowning php-cgi, but one issue remained: if I have e.g. 20 websites, how can I get all of them to work when it can only be chowned to one of them? Besides, the external php modules did not work for me with this solution.
You should start by carefully reading http://httpd.apache.org/docs/2.2/suexec.html

But yes, this is going to be a problem. Suexec will only run binaries owned by the target user. So you can install suexec for each user (and if you do this properly, the external modules should work). Or you can look into one of the alternative suid cgi helpers like cgiwrap and suphp. They have different security models. I haven't used either of them, so I can't provide specific guidance.

You can think of suexec a little bit like running things chroot'ed. It specifically forbids access to arbitrary binaries for security reasons. (Although it is not the same thing, since once suexec runs a binary, that binary can run arbitrary binaries under the permissions of the target user.)

Joshua.
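
The three log messages quoted in this thread correspond to separate suexec checks: the docroot must be reachable, the command must live under it, and the target uid/gid must own both the directory and the program. As an added illustration (not part of either message and not suexec's own code), this Python sketch approximates those checks so a per-site layout can be tested before Apache is pointed at it. The function name, the symlink rejection and the last two message strings are assumptions of the sketch.

```python
import os
import stat


def suexec_preflight(command, docroot, target_uid, target_gid):
    """Return None if the checks pass, else a message for the first failure.

    The first two messages and the ownership message follow the log lines
    quoted in the thread; the remaining two are this sketch's own wording.
    """
    root = os.path.realpath(docroot)
    # The docroot must exist and be enterable by the calling user.
    if not os.path.isdir(root) or not os.access(root, os.X_OK):
        return "cannot get docroot information (%s)" % docroot

    # The directory holding the command must sit inside the docroot.
    cmd_dir = os.path.realpath(os.path.dirname(command))
    if os.path.commonpath([root, cmd_dir]) != root:
        return "command not in docroot (%s)" % command

    try:
        prg = os.lstat(command)  # lstat: inspect the link itself, not its target
        dir_ = os.stat(cmd_dir)
    except OSError:
        return "cannot stat program or directory (%s)" % command
    # Assumption: reject symlinks, matching the report that symlinking failed.
    if stat.S_ISLNK(prg.st_mode):
        return "program is a symlink (%s)" % command

    # Target user and group must own both the directory and the program.
    owners = {(dir_.st_uid, dir_.st_gid), (prg.st_uid, prg.st_gid)}
    if owners != {(target_uid, target_gid)}:
        return ("target uid/gid (%d/%d) mismatch with directory (%d/%d) "
                "or program (%d/%d)" % (target_uid, target_gid,
                                        dir_.st_uid, dir_.st_gid,
                                        prg.st_uid, prg.st_gid))
    return None


if __name__ == "__main__":
    # Paths and ids taken from the thread; the result depends on the local host.
    print(suexec_preflight("/usr/local/bin/php-cgi",
                           "/usr/local/www/data", 1003, 1003))
```
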