[users@httpd] suExec & vhost problem

Tue, 08 Jul 2008 14:36:40 -0700 

Hi list,

I'm trying to set up suExec with virtual hosts, and I am either going about 
this all wrong, or I have found a bug.

Given the following vhost:

<VirtualHost *:80>
        SuexecUserGroup example.org example.org

        ScriptAlias /php5 ~/cgi-bin/php
        Action php5-cgi /php5
        AddHandler php5-cgi .php

        ServerName www.example.org
        ServerAlias example.org
        ServerAdmin [EMAIL PROTECTED]

        DocumentRoot /home/example.org/www/htdocs
        <Directory "/home/example.org/www/htdocs">
                Order allow,deny
                Allow from all
                Options Indexes FollowSymLinks
        </Directory>

        LogLevel warn
        CustomLog /home/example.org/logs/access.log combined
        ErrorLog /home/example.org/logs/error.log

        <Directory /home/example.org/cgi-bin>
                Order allow,deny
                Allow from all
        </Directory>


</VirtualHost>

and the following suExec config:

 -D AP_DOC_ROOT="/opt/ccp"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/apache2/suexec_log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_SUEXEC_UMASK=077
 -D AP_UID_MIN=1000
 -D AP_USERDIR_SUFFIX="cgi-bin"

First I'll explain why I have this setup. /opt/ccp is a piece of software that 
allows me to control the server via http. I'd rather not move it.

The virtual hosts will obviously run as their own user, in their home 
directory (/home/tld).

The line in question is the ScriptAlias line. If I use a full path like:

ScriptAlias /php5 /home/example.org/cgi-bin/php

suExec fails saying it's outside of the docroot. I believe this is correct 
behavior, though it would be nice if suExec knew /home/example.org is the 
same as ~

Where it gets buggy is if I have it as in the example:

ScriptAlias /php5 ~/cgi-bin/php

Now suExec is happy, but Apache (incorrectly, IMO) prepends ServerRoot and 
cuts off all but the tilde. PHP scripts throw a 403 and In my log I get:

client denied by server configuration: /usr/lib64/apache2/~

I know that the normal behaviour for Apache is to prepend ServerRoot to any 
path not starting with "/", but this conflicts with the requirement of suExec 
to begin any user-owned path with ~ which is why I think it may be considered 
a bug.

Does anyone know how I can achieve this? I'm running Apache 2.2.9 on a Gentoo 
box.

Thanks,
Nick

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to