public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user]  no suEXEC logging on errors
From: reader @ 2006-06-07 11:29 UTC
  To: gentoo-user

I'm getting suexec errors in apache error_log.  According to all
documentation on the subject .. suexec is supposed to log to:
       /var/log/apache2/suexec_log

and `suexec2 -V' shows that as well
   -D AP_LOG_EXEC="/var/log/apache2/suexec_log"

Still no log...

What do I have to do to get some usable info about what is happening
with suexec?

-- 
gentoo-user@gentoo.org mailing list

* Re: [gentoo-user]  no suEXEC logging on errors
From: Bertram Scharpf @ 2006-06-07 18:04 UTC
  To: gentoo-user

Hi,

On Wednesday, 07 Jun 2006, 06:29:26 -0500, reader@newsguy.com wrote:
> I'm getting suexec errors in apache error_log.  According to all
> documentation on the subject .. suexec is supposed to log to:
>        /var/log/apache2/suexec_log
> 
> and `suexec2 -V' shows that as well
>    -D AP_LOG_EXEC="/var/log/apache2/suexec_log"

I experienced problems with suexec myself, too. In the end,
I decided to compile it with the "no-suexec" USE flag ...

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de

* [gentoo-user]  Re: no suEXEC logging on errors
From: reader @ 2006-06-07 23:31 UTC
  To: gentoo-user

Bertram Scharpf <lists@bertram-scharpf.de> writes:

> Hi,
>
> On Wednesday, 07 Jun 2006, 06:29:26 -0500, reader@newsguy.com wrote:
>> I'm getting suexec errors in apache error_log.  According to all
>> documentation on the subject .. suexec is supposed to log to:
>>        /var/log/apache2/suexec_log
>> 
>> and `suexec2 -V' shows that as well
>>    -D AP_LOG_EXEC="/var/log/apache2/suexec_log"
>
> I experienced problems with suexec myself, too. In the end,
> I decided to compile it with the "no-suexec" USE flag ...

I'm not sure what this has to do with getting suexec working.  Do you
just mean you gave up or what?

I solved my problem by changing permissions on /usr/sbin/suexec2
from:
  -rws--x---  1 root root 10880 May 31 15:09 /usr/sbin/suexec2
to:
  -rws--x--x  1 root root 10880 May 31 15:09 /usr/sbin/suexec2

That may not be the best way to do it.  Hopefully someone who has more
experience will comment about it.


* Re: [gentoo-user]  Re: no suEXEC logging on errors
From: Jason A. Booth @ 2006-06-08  1:05 UTC
  To: gentoo-user

On Wednesday 07 June 2006 16:31, reader@newsguy.com wrote:
> Bertram Scharpf <lists@bertram-scharpf.de> writes:
> > Hi,
> >
> > On Wednesday, 07 Jun 2006, 06:29:26 -0500, reader@newsguy.com wrote:
> >> I'm getting suexec errors in apache error_log.  According to all
> >> documentation on the subject .. suexec is supposed to log to:
> >>        /var/log/apache2/suexec_log
> >>
> >> and `suexec2 -V' shows that as well
> >>    -D AP_LOG_EXEC="/var/log/apache2/suexec_log"
> >
> > I experienced problems with suexec myself, too. In the end,
> > I decided to compile it with the "no-suexec" USE flag ...
>
> I'm not sure what this has to do with getting suexec working.  Do you
> just mean you gave up or what?
>
> I solved my problem by changing permissions on /usr/sbin/suexec2
> from:
>   -rws--x---  1 root root 10880 May 31 15:09 /usr/sbin/suexec2
> to:
>   -rws--x--x  1 root root 10880 May 31 15:09 /usr/sbin/suexec2

I have never used suexec, but I would think it better to
chown root:apache  /usr/sbin/suexec2
or whatever group needs it as opposed to making it world executable

>
> That may not be the best way to do it.  Hopefully someone who has more
> experience will comment about it.

-- 
------------------------------------------------------------------
Jason A. Booth 
PGP public key(85D1F7FC):
http://hyperintelligent.net/~jbooth/jbooth_key.asc
------------------------------------------------------------------


* [gentoo-user]  Re: no suEXEC logging on errors
From: reader @ 2006-06-08  6:51 UTC
  To: gentoo-user

"Jason A. Booth" <jbooth@hyperintelligent.net> writes:

> I have never used suexec, but I would think it better to
> chown root:apache  /usr/sbin/suexec2
> or whatever group needs it as opposed to making it world executable

I thought it might be a nasty security problem too and asked about it
on the apache list.  An experienced poster there told me it made very
little if any difference which way you went since the users who can use
suexec are compiled in at build time.

Having it world executable still wouldn't allow some nefarious intruder
to run it.  But I still felt more comfortable with `root apache' and
have since set it that way.

A few people have mentioned not having used Suexec making me wonder if
there is some other way to allow myuser to run cgi?

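Added example, not part of any message in this thread: the permission states discussed above for /usr/sbin/suexec2, classified by which accounts can start the binary at the filesystem level. The function names are hypothetical, the server group name apache is taken from the chown suggestion above, and the third listing is constructed; the first two are the listings quoted in the thread.

```shell
#!/bin/sh
# Added example: classify who may invoke a setuid-root helper such as suexec2,
# given one `ls -l` line and the group the web server runs under.
# Verdict printed on stdout:
#   not-setuid-root    owner is not root or the setuid bit is missing
#   world-executable   every local account can start the helper
#   group-only         only root and members of the server group can
#   server-locked-out  the server group has no way to execute it

audit_suexec_line() (
    set -f                      # no globbing while splitting the line
    server_group=$2
    set -- $1                   # fields: mode links owner group ...
    mode=$1 owner=$3 group=$4
    u_x=$(printf '%s' "$mode" | cut -c4)    # 's' = setuid + owner execute
    g_x=$(printf '%s' "$mode" | cut -c7)    # group execute position
    o_x=$(printf '%s' "$mode" | cut -c10)   # other execute position

    if [ "$owner" != root ] || [ "$u_x" != s ]; then
        echo not-setuid-root
    elif [ "$o_x" = x ] || [ "$o_x" = t ]; then
        echo world-executable
    elif [ "$group" = "$server_group" ] && { [ "$g_x" = x ] || [ "$g_x" = s ]; }; then
        echo group-only
    else
        echo server-locked-out
    fi
)

# Same check against a file on disk (hypothetical helper name).
audit_suexec_file() {
    audit_suexec_line "$(ls -ld -- "$1")" "$2"
}

# BEFORE and WORLD are the two listings quoted in the thread; GROUP is
# constructed to show `chown root:apache` applied with the original mode.
BEFORE='-rws--x---  1 root root 10880 May 31 15:09 /usr/sbin/suexec2'
WORLD='-rws--x--x  1 root root 10880 May 31 15:09 /usr/sbin/suexec2'
GROUP='-rws--x---  1 root apache 10880 May 31 15:09 /usr/sbin/suexec2'

for sample in "$BEFORE" "$WORLD" "$GROUP"; do
    printf '%-18s %s\n' "$(audit_suexec_line "$sample" apache)" "$sample"
done
```

On a live system, `audit_suexec_file /usr/sbin/suexec2 apache` applies the same classification to the installed binary.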

* Re: [gentoo-user]  Re: no suEXEC logging on errors
From: Justin R Findlay @ 2006-06-08  7:25 UTC
  To: gentoo-user

On Thu, Jun 08, 2006 at 01:51:09AM -0500, reader@newsguy.com wrote:
> 
> A few people have mentioned not having used Suexec making me wonder if
> there is some other way to allow myuser to run cgi?

I usually run apache as apache:web with the user creating the web stuff
in the web group.


Justin

* [gentoo-user]  Re: no suEXEC logging on errors
From: reader @ 2006-06-08  8:37 UTC
  To: gentoo-user

Justin R Findlay <justin@jfindlay.us> writes:

> On Thu, Jun 08, 2006 at 01:51:09AM -0500, reader@newsguy.com wrote:
>> 
>> A few people have mentioned not having used Suexec making me wonder if
>> there is some other way to allow myuser to run cgi?
>
> I usually run apache as apache:web with the user creating the web stuff
> in the web group.

I'm not sure of your meaning here.  So that gets around needing suexec
to fire cgi programs under /home/myuser/public_html?

I just tried that or at least tried to.  Created group web, added
apache and myuser.

Renamed /usr/sbin/suexec2 to /usr/sbin/suexec2X

Put the stock httpd.conf in place after setting group to web, and
restarted apache.  User myuser running firefox cannot fire a cgi in
public_html; they just display in the browser as a text file would.

Ditto in /var/www/localhost/htdocs/

Can you clarify what you did?


* Re: [gentoo-user]  Re: no suEXEC logging on errors
From: Hans-Werner Hilse @ 2006-06-08 10:34 UTC
  To: gentoo-user

Hi,

On Thu, 08 Jun 2006 03:37:01 -0500 reader@newsguy.com wrote:
> Justin R Findlay <justin@jfindlay.us> writes:
> > On Thu, Jun 08, 2006 at 01:51:09AM -0500, reader@newsguy.com wrote:
> >> 
> >> A few people have mentioned not having used Suexec making me
> >> wonder if there is some other way to allow myuser to run cgi?
> >
> > I usually run apache as apache:web with the user creating the web
> > stuff in the web group.
> 
> I'm not sure of your meaning here.  So that gets around needing suexec
> to fire cgi programs under /home/myuser/public_html?

For that, there's not even need to put the user in the web group. Just
make the files the web server should present world readable (CGI: and
world executable). Suexec runs the scripts with a user account. That
approach is needed in order to keep (multiple) users on the machine
from peeking and poking at each others scripts and data storages. If
there's just one user on that machine or security from each other is
not an issue, suexec is not needed.

What you're experiencing seems to be just a missing ScriptAlias. RTFM
about calling CGIs...

-hwh

* [gentoo-user]  Re: no suEXEC logging on errors
From: reader @ 2006-06-08 18:32 UTC
  To: gentoo-user

Hans-Werner Hilse <hilse@web.de> writes:

> What you're experiencing seems to be just a missing ScriptAlias. RTFM
> about calling CGIs...

This is a single user machine so security from users is only a problem
from me blundering around... That was why I wanted to keep
experimentation at $public_html and a working server for home lan at
www/localhost/htdocs.

What I've found is that if I set ScriptAlias to
/var/www/localhost/cgi-bin/ then it all works there but not at:
USER/public_html.  There a cgi is just displayed like a file.

If I do not define ScriptAlias at all then cgi works under
$public_html but cgi under $htdocs is just displayed as a file.

I want to be able to fire cgi anywhere under $htdocs or $public_html.

How can I do that...? I don't care about suexec if I don't need it.
Just another layer of confusion.  But if it requires special file
permissions root privs in one or the other area then suexec seems
easier.

RTFM... yes over and over but not really catching on.


* Re: [gentoo-user]  Re: no suEXEC logging on errors
From: Hans-Werner Hilse @ 2006-06-08 19:48 UTC
  To: gentoo-user

Hi,

On Thu, 08 Jun 2006 13:32:17 -0500
reader@newsguy.com wrote:

> Hans-Werner Hilse <hilse@web.de> writes:
> 
> > What you're experiencing seems to be just a missing ScriptAlias. RTFM
> > about calling CGIs...
> 
> What I've found is that if I set ScriptAlias to
> /var/www/localhost/cgi-bin/ then it all works there but not at:
> USER/public_html.  There a cgi is just displayed like a file.
> 
> If I do not define ScriptAlias at all then cgi works under
> $public_html but cgi under $htdocs is just displayed as a file.

Sorry, my fault. A ScriptAlias alone isn't likely to work, if I read
this correctly:
http://httpd.apache.org/docs/2.0/howto/cgi.html
Read starting at "CGI outside of ScriptAlias directories", it
explicitly mentions the UserDir setting. And there are docs linked for
using .htaccess files for configuring this.

-hwh

* Re: [gentoo-user]  Re: no suEXEC logging on errors
From: Bertram Scharpf @ 2006-06-08 21:11 UTC
  To: gentoo-user

Hi,

On Wednesday, 07 Jun 2006, 18:31:46 -0500, reader@newsguy.com wrote:
> Bertram Scharpf <lists@bertram-scharpf.de> writes:
> 
> > On Wednesday, 07 Jun 2006, 06:29:26 -0500, reader@newsguy.com wrote:
> >> I'm getting suexec errors in apache error_log.  According to all
> >> documentation on the subject .. suexec is supposed to log to:
> >>        /var/log/apache2/suexec_log
> >> 
> >> and `suexec2 -V' shows that as well
> >>    -D AP_LOG_EXEC="/var/log/apache2/suexec_log"
> >
> > I experienced problems with suexec myself, too. In the end,
> > I decided to compile it with the "no-suexec" USE flag ...
> 
> I'm not sure what this has to do with getting suexec working.  Do you
> just mean you gave up or what?

Yes, sorry, I gave up. Today I happened to retry it and I'm
happy to discover: it works.

Not actually a very useful contribution, I admit.

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de

* Re: [gentoo-user]  Re: no suEXEC logging on errors
From: danny @ 2006-06-08 21:28 UTC
  To: gentoo-user

OK, I assume we are talking about Apache web server here. If that's the
case I would suppose you are missing the following in your "httpd.conf":
-----
<Directory /home/*/public_html/cgi-bin/>
Options ExecCGI
SetHandler cgi-script
</Directory>
-----
The whole documentation about "mod_userdir", which enables "per-user web
directories", can be found at:
http://httpd.apache.org/docs/2.0/howto/public_html.html#page-header




* [gentoo-user]  Re: no suEXEC logging on errors
From: reader @ 2006-06-08 23:59 UTC
  To: gentoo-user

danny@ilievnet.com writes:

> OK, I assume we are talking about Apache web server here. If that's the
> case I would suppose you are missing the following in your "httpd.conf":
> -----
> <Directory /home/*/public_html/cgi-bin/>
> Options ExecCGI
> SetHandler cgi-script
> </Directory>

Thanks, I seem to have gotten that functionality some other way
because currently cgi works anywhere under $public_html.

My setting is quite a bit different:

    <Directory /home/*/public_html>
        AllowOverride All
        Options MultiViews Indexes SymLinksIfOwnerMatch Includes ExecCGI
    </Directory>

Yet cgi is recognized and executed anywhere under: Directory
/home/*/public_html/

Something that is really puzzling here is that with a default
non-inclusive statement like this over '/':

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

I can still execute all cgi under Directory /home/*/public_html and
any subdirectories.

However it appears I have to explicitly set execCGI for any sub
directories under $htdocs

I have these in place but pretty sure they are not very pretty:

<Directory /var/www/localhost/htdocs/>
    Options All MultiViews Indexes FollowSymLinks Includes ExecCGI
    AddHandler cgi-script .cgi 
    AllowOverride All
</Directory>
<Directory /var/www/localhost/htdocs/exp>
    Options All MultiViews Indexes FollowSymLinks Includes ExecCGI
    AddHandler cgi-script .cgi 
    AllowOverride All
</Directory>

I could not execute cgi at /var/www/localhost/htdocs/exp without an
explicit Directory statement.

If I were to hit a cgi at /var/www/localhost/htdocs/othersub
it will not fire but display like a file, and there is an error log
message from apache2 saying I don't have execCGI in that directory.

That is, execCGI is recursive under $public_html but only goes one
directory at a time under $htdocs (/var/www/localhost/htdocs)

I'm pretty sure this is the reason:

ScriptAlias /cgi-bin/ /var/www/localhost/cgi-bin/

But without that apache doesn't know about /cgi-bin/

Maybe the ScriptAlias should be set inside the Directory statement of 
/var/www/localhost?  Is that even a possible way to do things? 


* [gentoo-user]  Re: no suEXEC logging on errors
From: reader @ 2006-06-09  0:13 UTC
  To: gentoo-user

Hans-Werner Hilse <hilse@web.de> writes:

Harry wrote:
>> If I do not define ScriptAlias at all then cgi works under
>> $public_html but cgi under $htdocs is just displayed as a file.

Hans-Werner answered:
> Sorry, my fault. A ScriptAlias alone isn't likely to work, if I read
> this correctly:
> http://httpd.apache.org/docs/2.0/howto/cgi.html
> Read starting at "CGI outside of ScriptAlias directories", it
> explicitly mentions the UserDir setting. And there are docs linked for
> using .htaccess files for configuring this.

A careful reading of that cgi documentation doesn't really deal with
what happens once you've set a ScriptAlias to /cgi-bin/

What I'm seeing is that once that happens any directory under
DocumentRoot has to have explicit Options ExecCGI; it is not
recursive.

However, it is recursive at $public_html even though ScriptAlias is
set to localhost/cgi-bin/... I don't quite understand why it works
like that I guess.  Although I can live with having to edit httpd.conf
anytime I add a directory under DocumentRoot that might need ExecCGI
it just appears inconsistent.


* [gentoo-user]  Re: no suEXEC logging on errors
From: reader @ 2006-06-09  0:14 UTC
  To: gentoo-user

Bertram Scharpf <lists@bertram-scharpf.de> writes:
>
> Yes, sorry, I gave up. Today I happened to retry it and I'm
> happy to discover: it works.
Well no harm done...
Now you get to ponder why... hehe.
