mod_suexec questions

S

saiman

Hello,
I'm trying to setup/test mod_suexec with mod_fcgid on apache22. I've got one virtual host - test.site with this configuration:

Code: 
<VirtualHost *:80>
    ServerAdmin webmaster@test.site
    DocumentRoot "/var/www/vhosts/test.site/httpd"
    ServerName test.site
    ServerAlias www.test.site

    SuexecUserGroup www-test www-test

    <Directory "/var/www/vhosts/test.site/httpd">
        AddHandler fcgid-script .php
        FCGIWrapper /var/www/vhosts/test.site/cgi-bin/php.fcgi .php 

        Options Indexes FollowSymLinks ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

</VirtualHost>

The user www-test has /var/www/vhosts/test.site for home directory. This is the directory structure:

Code: 
drwxr-xr-x  4 www-test  www-test  512 Jun 16 21:47 test.site
    drwxr-xr-x  2 www-test  www-test  512 Jun 17 14:21 cgi-bin
        -rwxr-x---  1 www-test  www-test  130 Jun 17 14:21 php.fcgi

    drwxr-xr-x  3 www-test  www-test  512 Jun 17 14:38 httpd
        -rwxr-x---  1 www-test  www-test   58 Jun 17 14:44 index.php
        -rwxr-x---  1 www-test  www-test  2145094 Oct 23  2001 img.jpg


I noticed that when I change the privileges on test.site to 750 - error 403 is returned (forbidden). It's the same with httpd directory and cgi-bin directory. So the only way to run something inside httpd is to change the dirs permissions up to the file to 750? Is that the normal behavior? I'm wondering because for example, if I have a word press inside httpd I have to change a bunch of more directories to get word press working.
And finally I found that if the permissions on img.jpg are not set 755 it's forbidden too. Probably because it's accessed from www user, not from www-test - it's just an image and the fcgid it's not used in this case?
 
Before using suEXEC, you need to get a good understanding of what it checks.

http://httpd.apache.org/docs/2.1/suexec.html#model

If all sounds okay for you, you've a suEXEC log in /var/log/httpd-suexec.log (suexec -V should give you the emplacement).

Of coruse, before suEXEC is called, Apache must access the file, ie if you don't have an entry in suEXEC log, it's an Apache problem, read regular vhost's error.log
 
saiman, if you give suexec to a script - do not give same owner/rights to files/dirs -- a bug in script can give complete freedom to hacker, cus he can modify scripts itself or create new scripts
 
You must log in or register to reply here.
Back
Top