You're trying to get CGI scripting to work on Apache from a user's home directory, and you're having problems. You may even be plagued by this error:
This article can help you past this problem, though it does assume you are at least familiar with basic Apache configuration concepts.
junk.pl #!/usr/bin/perl print "Content-type: text/html\n\n"; print "<html><body><h1>Hello World</h1></body></html>\n";
Enter $ where perl and edit the above script to use that path instead.
<Directory /home/*/public_html> AllowOverride FileInfo AuthConfig Limit Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec <Limit GET POST OPTIONS PROPFIND> Order allow,deny Allow from all </Limit> <LimitExcept GET POST OPTIONS PROPFIND> Order deny,allow Deny from all </LimitExcept> </Directory>
For example, the line above would become:
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec ExecCGI
This simply lets Apache know that anything in the /home/*/public_html directory is allowed to run CGI programs.
Next, we have to tell Apache what handler to use for various cgi extensions. Find a line that looks like this: AddHandler cgi-script .cgi
This line says, "if you see a .cgi program, then invoke the cgi-script handler." We need to add other extensions. Modify the line to read: AddHandler cgi-script .cgi .pl
You can also append other extensions like .sh, .py, and so forth.
If you want to have default index.html-like files that are really CGI, then you'll also need to modify another directive. Look for this:
DirectoryIndex index.html
This lists, in order from left to right, the default filenames to try if none is specified. Change it to something like this: DirectoryIndex index.cgi index.html
You may also want to add index.pl, index.py, index.sh, etc. PHP users may want index.php, and Microsoft users may want index.htm which is different from index.html on Unix.
Please contact the server administrator, [email protected] and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
[notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
It will, whenever Apache is started.
In the above example, the suexec program is located at /usr/local/apache/bin/suexec, your location may vary.
Where should your copy be? Execute this command to find out (the part you're looking for is the response highlighted below):
The correct permissions are:
# chown root suexec
# chgrp root suexec
# chmod 4711 suexec
The advantages to using method #2 are two fold. First of all, the user can't access files accessable by the web server (such as .php files with database passwords in them), and secondly the user's scripts are capable of accessing files the web server might not normally have permission to access. Note, however, there are a pile of preconditions that must be met before this will work. Violate any one of them and you'll get a 550 error.
The Apache developers have listed all of these preconditions and installation steps in the document:
suexec must be run by the web server account. How does it know which one that is? You edit a #define in its suexec.h file before compiling. It default to www, but I was using web.
Note, suexec can not run as root, which means your web server can not run as root. (Nor should it, especially if you are security concious.)
There are a lot of other options, such as the mortal user account's UID number must be over a specified value (so people can't hack a system account). Most of your accounts in /etc/passwd will have low numbers for system tasks, and much larger numbers for real people. Same for GIDs.
Once I did this, suexec was writing a more descript file in cgi.log about failures.
The cgi.log file was more than happy to point this out:
info: (target/actual) uid: (wls/wls) gid: (users/users) cmd: junk.pl
error: target uid/gid (503/100) mismatch with directory (503/300) or program (503/100)
Note that all three of these values didn't match. Fix 'em, and you're set.
The problem is that if you physically login to the web server account, you get the UID/GID of the web server and any additional groups listed in /etc/group. This is not the case when one uses the User and Group directives in httpd.conf.
The solution is to compile Apache with the MULTIPLE_GROUPS preparser directive. While the capability exists, it certainly isn't clearly docmented how to do this in the Apache documentation. But enabling the feature does allow for all sorts of collaberation via groups that aren't normally possible.
To turn it on, do your ./configure, edit the file apache_x.y.z/src/apaci, and append this to the end of the file:
I've written two news group threads on the subject of using MULTIPLE_GROUPS:
•••About •••Articles •••Links •••Search Tips |