[ic] Run with suexec enabled ?

delionsweb - minivend minivend@delionsweb.net
Sat, 04 Nov 2000 14:52:38 -0500


Hi,

I do it.
Many things to check (A friend of mine calls suexec Fascist ;-)) :
1. Check Apache error_log when started for line:
[notice] suexec mechanism enabled (wrapper: /usr/local/Apache/bin/suexec)
Your location may be different but that does not matter as long as you KNOW 
where Apache finds it.
2. Now check /usr/local/Apache/bin/suexec (It should be 4711):
-rws--x--x    1 root     root        10872 Oct 28 14:15 /usr/local/Apache/bin/suexec*
3. The next thing is to make sure you use a suexec_log. This is not because 
it is required but because it helps to find problems which can be VERY 
frustrating - trust me, I know!
This can be tricky because it is compiled into suexec. If you compile your 
own Apache then these configure options will be useful :
--enable-suexec --suexec-caller=httpd --suexec-docroot=/home --suexec-logfile=/usr/local/Apache/logs/suexec_log --suexec-userdir=public_html --suexec-uidmin=500 --suexec-gidmin=500
Things to note:
a. uidmin and gidmin: You have to know the values your suexec was compiled 
with!!! If shop:shop (UID:GID) is lower than 500:500 in this example then 
suexec will refuse to run scripts for shop! Make shop:shop uid:gid > 500!
b. docroot: If the shop scripts are not in a subdirectory of this, then again 
- forget it
c. caller: For you it has to be httpd. If your suexec was compiled for 
nobody then *your* web server (user=httpd) cannot use it!
d. logfile: This is the one - we want to know where to find it!
e. I recommend downloading Apache source and compiling it JUST to get a 
good suexec in src/support. You can then copy that anywhere you want and 
throw away all the other Apache stuff!

4. Your script should NOT be suid!!! chmod 0755 <your link script> 
(/home/shop/cgi-bin/construct for example)
5. Now, if the script still does not work, you can look in suexec_log for 
error messages like this:
error: target uid/gid (502/503) mismatch with directory (502/502) or program (502/502)
6. Make your shop 'root' directory (/home/shop?) and cgi-bin 
(/home/shop/cgi-bin) rwxr-xr-x (chmod 755)

Now it should work or you can find clues to make it work in suexec_log.

Good luck.

At 05:25 AM 11/4/00, you wrote:
>Any ideas , anybody knows how to do it ? or where to find how to do it ?
>I read all the documentation, but there is nothing on that.
>
>Andrei
>
>
> > Does anybody know how to make interchange when suexec is enabled ?
> >
> > I already tried different things like putting interch in the group of
> > shopowner and in the group of  httpd , but nothing ( and the other way
> > around also nothing)
> >
> > httpd runs as httpd:shadow
> > interch as interch:interch
> > shop as shop:shop ? (I guess)
> >
> > Thank you !
> >
> > Andrei
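
Added example, not part of the original message: a Python preflight that applies the checks listed in the reply above (compiled uid/gid minimums, docroot, script and directory modes, ownership match) to a CGI script before you go digging in suexec_log. The function names are hypothetical and the defaults mirror the configure options quoted in the message; it approximates suexec's checks and is not suexec's own code.

```python
import os
import stat

def suexec_preflight(script, uid, gid, docroot="/home", uid_min=500, gid_min=500):
    """Return a list of problems that would make suexec refuse `script`.

    uid/gid are the target user and group (shop:shop in the message);
    docroot, uid_min and gid_min must equal the values compiled into suexec.
    """
    problems = []
    script = os.path.realpath(script)
    docroot = os.path.realpath(docroot)
    directory = os.path.dirname(script)

    if uid < uid_min or gid < gid_min:
        problems.append(f"uid/gid {uid}/{gid} below compiled minimum {uid_min}/{gid_min}")
    if os.path.commonpath([docroot, directory]) != docroot:
        problems.append(f"{directory} is not under docroot {docroot}")

    try:
        d, p = os.stat(directory), os.stat(script)
    except OSError as exc:
        return problems + [f"cannot stat: {exc}"]

    writable_by_others = stat.S_IWGRP | stat.S_IWOTH
    if d.st_mode & writable_by_others:
        problems.append("directory is writable by group or other (want 755)")
    if p.st_mode & writable_by_others:
        problems.append("script is writable by group or other (want 755)")
    if p.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("script is setuid or setgid")
    if not p.st_mode & stat.S_IXUSR:
        problems.append("script is not executable by its owner")
    # Same condition that produces the "mismatch" line in suexec_log.
    if (d.st_uid, d.st_gid) != (uid, gid) or (p.st_uid, p.st_gid) != (uid, gid):
        problems.append(
            f"target uid/gid ({uid}/{gid}) mismatch with directory "
            f"({d.st_uid}/{d.st_gid}) or program ({p.st_uid}/{p.st_gid})")
    return problems


def wrapper_mode_ok(path):
    """Step 2 of the message: the suexec wrapper is root-owned with mode 4711."""
    st = os.stat(path)
    return st.st_uid == 0 and stat.S_IMODE(st.st_mode) == 0o4711
```

Call `suexec_preflight("/home/shop/cgi-bin/construct", uid, gid)` with the shop user's numeric ids; an empty list means none of these checks would trip.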