Hey, thanks John. When I get a chance I will integrate your changes into the latest devel version.

Ken Jones
inter7

On Monday 21 July 2003 22:55, John Simpson wrote:
> howdy-
>
> i'm one of those strange people who doesn't use a "/cgi-bin/" directory on
> my web sites. however, while installing vqadmin-2.3.2, i discovered that
> the path "/cgi-bin/vqadmin/vqadmin.cgi" is pretty much hard-coded
> everywhere i look.
>
> i don't mind "/vqadmin/vqadmin.cgi", but i don't like having to type
> "/cgi-bin/" as part of the URL.
>
> therefore, i have written a patch which does the following:
>
> - in cgi.c, causes cgi_init() to store the value of the SCRIPT_NAME
>   environment variable
>
> - in template.c, causes t_code() to replace the new "%-S" token with this
>   value
>
> - modified the hard-coded URL's in domain.c and user.c to use this value
>
> - modified the templates to use "%-S" instead of the hard-coded URL's
>
> - fixed a spelling error ("Email Acount %s deleted") in user.c
>
> the patch itself will be found at the bottom of the following page:
>
> http://www.jms1.net/qmail/
>
> i suggest that the patch be reviewed by any interested parties,
> particularly the inter7 guys, and if appropriate i request that they be
> integrated into the next version of the vqadmin program. if any errors or
> problems are found, please post the details to this mailing list.
>
>
> another suggestion: the final installer script (the one which is executed
> as part of "make install-strip" or "make install") assumes that the web
> server's anonymous user is "nobody". it also sets the permissions of
> "vqadmin.cgi" to only be accessible to userid's which are members of
> whatever group id is attached to root in /etc/passwd.
>
> instead, the directions should have the user manually locate the correct
> group id from their apache config file:
>
> # grep -i ^group /etc/httpd/conf/httpd
> Group apache
>
> and then set the permissions for your "vqadmin.cgi" thusly:
>
> # chown root vqadmin.cgi
> # chgrp apache vqadmin.cgi
> # chmod 4110 vqadmin.cgi
>
> this way the web server's anonymous user will have permission to run the
> program (the "group execute" bit, 0010, is on) and it will still be setuid
> root (owned by root, and the "setuid" bit, 4000, is on) but other users on
> the machine which are not members of the web server's anonymous group will
> not have permission to run it.
>
> i can also see this process (finding the correct group id) being added to
> the configure script (and therefore added to the right places in the
> Makefile) with the addition of a "--with-httpd-conf=" option. however i'm
> not a wizard with configure scripts. every time i try to do anything more
> complicated than fix a spelling error i end up totally hosing it...
> therefore i'll let somebody else write this into the configure script.
>
> peace.
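
The ownership and mode layout described in the quoted message (owner root, group taken from the Apache `Group` directive, mode 4110) can be checked after installation with a small audit script. This is an added example, not part of the original messages or of the vqadmin installer; the function names are hypothetical and it assumes GNU `stat` (Linux).

```shell
#!/bin/sh
# Audit a setuid CGI against the layout described in the thread:
# owner root, group = the web server's Group, mode exactly 4110.

# Print the value of the first "Group" directive in an Apache config file.
httpd_group() {
    awk 'tolower($1) == "group" { print $2; exit }' "$1"
}

# Succeed only if an octal mode string is exactly 4110
# (setuid + owner execute + group execute, nothing for "other").
mode_ok() {
    [ "$1" = "4110" ]
}

# Report every deviation. Returns 0 if clean, 1 on any mismatch,
# 2 if the config file has no Group directive.
audit_cgi() {
    cgi=$1
    conf=$2
    rc=0
    want_group=$(httpd_group "$conf")
    [ -n "$want_group" ] || { echo "no Group directive in $conf"; return 2; }
    owner=$(stat -c '%U' "$cgi")
    group=$(stat -c '%G' "$cgi")
    mode=$(stat -c '%a' "$cgi")
    [ "$owner" = "root" ] || { echo "owner is $owner, expected root"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "group is $group, expected $want_group"; rc=1; }
    mode_ok "$mode" || { echo "mode is $mode, expected 4110"; rc=1; }
    return $rc
}

# Stand-alone use: audit.sh /path/to/vqadmin.cgi /path/to/apache-config
if [ $# -eq 2 ]; then
    audit_cgi "$1" "$2"
fi
```

A world-executable or non-setuid install shows up as a mode mismatch, and an install that kept root's own group shows up as a group mismatch.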