Running CGIs under my uid - going slowly insane.

Jonathan Hogg jonathan at onegoodidea.com
Sun Feb 3 05:17:24 EST 2002


On 2/2/2002 23:36, in article a3ht5h$2o0$0 at 216.39.172.122, "Bengt Richter"
<bokr at oz.net> wrote:

> IME, you can use ScriptAlias to set suexec cgi directories on a per-virtual
> host basis. I have one test VH running cgi out of '/', another with cgi
> directory named other than 'cgi-bin', and others from the usual '/cgi-bin',
> all running as account owner. See
> 
>   http://httpd.apache.org/docs/mod/mod_alias.html#scriptalias
> 
> Perhaps one path per installation applies to another version or mode of use?

The suexec binary itself would refuse to execute anything not under a
particular root directory which you supply at configure time
(--suexec-docroot=DIR). This directory is meant to be your server document
root. However, if you use virtual hosting and have multiple unrelated
document roots, you're in trouble.

I've never found it to be a particularly useful security check as Apache's
own cgi restrictions are more flexible. Generally I just set it to '/' and
forget about it. Though depending on the installation I have been able to
use a more restrictive path in the past, like '/customers' or something. It
also follows symlinks, so in an NFS automounted environment where you're
automounting a local directory you get stuffed again.

(This is because '/customer/bob' might be '/export/customer/bob' on the
local machine.)

Jonathan
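
An added illustration of the behaviour described in the message above (not part of the original post and not suexec's own code): a Python model that assumes the check resolves symlinks on both the script's directory and the configured docroot before comparing them. The directory layout and the names `under_docroot`, `build_tree` and `demo` are constructed for the example.

```python
import os
import tempfile


def under_docroot(script_path, docroot):
    """Model of the check: resolve symlinks on both sides, then require
    the script's directory to sit at or below the docroot."""
    real_dir = os.path.realpath(os.path.dirname(script_path))
    real_root = os.path.realpath(docroot)
    # Compare whole path components, not a raw string prefix.
    return os.path.commonpath([real_dir, real_root]) == real_root


def build_tree(base):
    """Constructed layout: <base>/customer/bob is a symlink to
    <base>/export/customer/bob, as an automounter would create for a
    directory that lives on the local machine."""
    real_home = os.path.join(base, "export", "customer", "bob")
    os.makedirs(os.path.join(real_home, "cgi-bin"))
    os.makedirs(os.path.join(base, "customer"))
    os.symlink(real_home, os.path.join(base, "customer", "bob"))
    script = os.path.join(base, "customer", "bob", "cgi-bin", "test.cgi")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n")
    return script


def demo():
    """Run the check against three candidate docroots for the same script."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)  # stands in for '/'
        script = build_tree(base)     # URL-visible path goes through the symlink
        return {
            "customer": under_docroot(script, os.path.join(base, "customer")),
            "export": under_docroot(script, os.path.join(base, "export")),
            "root": under_docroot(script, base),
        }


if __name__ == "__main__":
    for docroot, allowed in demo().items():
        print(f"docroot={docroot:9s} -> {'allowed' if allowed else 'refused'}")
```

The script is requested through the `customer` path but resolves under `export`, so the restrictive docroot refuses it while the root docroot accepts it.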