Hi, Apache httpd users mailing-list!

As expected, previous problem was almost trivial but very confusing
for the sys.admin newbie I am.
For the record, there was a wrong path on first line of the CGI script
(shebang), which previously was:

    #!/usr/bin/bash
    #
    # suEXEC wrapper for gitolite-shell
    #
    # Copied from: https://wiki.archlinux.org/index.php/Gitolite

    PROJECT_HOME="/home/work/domain.tld/project"

    export GIT_PROJECT_ROOT="$PROJECT_HOME/git"
    export GITOLITE_HTTP_HOME="$PROJECT_HOME/gitolite"
    export GIT_HTTP_EXPORT_ALL=1

    exec /usr/share/gitolite3/gitolite-shell

Path "/usr/bin/bash" simply does not exist by default on Debian,
and must be replaced by "/bin/bash".
This error seems to be quite common, as explicitly mentioned in the
Apache CGI tutorial:
http://httpd.apache.org/docs/2.2/howto/cgi.html#pathinformation
and in answers as a regular tip, e.g. on
http://stackoverflow.com/questions/10135302/python-cgi-on-apache-server
http://stackoverflow.com/questions/9937213/cgi-script-not-running-internal-server-error-500-error#answer-9956268

Sorry for the noise caused...

-- Vincent


2015-04-22 16:59 GMT+02:00 Vincent Férotin <vincent.ferotin@xxxxxxxxx>:
> Hi, Apache httpd users mailing-list!
>
> Trying to configure gitolite3 (http://gitolite.com/) with Apache,
> I encountered some problems with suexec
> (http://httpd.apache.org/docs/2.2/suexec.html) that I did not
> understand.
>
> I'm wondering *where* is the problem:
> if it is a simple wrong config (main hypothesis for the noob I am),
> or if there is something fundamental I missed in suexec principles,
> or if problem comes from OS packaging, or so...
> So, if some of you could help me, or simply redirect to the right
> source of documentation or process, I'll be grateful.
> Anyway, thank you for your attention, and please excuse all possible
> misspelled words or strange phrases
> (non-English writer here).
>
>
> Problem
> =======
>
> Here's the problem:
>
> I failed to let suexec run gitolite shell wrapper,
> because of rights on either the wrapper file or its parent directory.
> If suexec found the wrapper, rights on parent directory (which differs
> from wrapper's)
> make suexec to fail -- simplified suexec log follows:
>
>     [2015-04-22]: uid: (110/git) gid: (116/git) cmd: gitolite-suexec-wrapper
>     [2015-04-22]: target uid/gid (110/116) mismatch with directory (0/0) or program (110/116)
>
> If rights on wrapper's parent directory are set identical to wrapper ones,
> suexec fails to find it -- simplified suexec log follows:
>
>     [2015-04-22]: uid: (110/git) gid: (116/git) cmd: gitolite-suexec-wrapper
>     [2015-04-22]: (2)No such file or directory: exec failed (gitolite-suexec-wrapper)
>
>
> Configuration(s)
> ================
>
> I've mainly followed documentation provided by gitolite:
> http://gitolite.com/gitolite/ssh-and-http.html,
> slightly adapted to potentially have one gitolite instance
> (and its configuration and related git repositories) per virtualhost/project.
>
> Full project has its own dedicated directory (e.g.
> /home/work/domain.tld/project),
> subdivided into:
>
>     - etc/              # configuration
>         - httpd.conf    # Apache virtual host configuration for project (see below)
>     - git/              # repositories
>     - gitolite/         # gitolite's home
>     - www/              # web documents
>
> Shell wrapper to gitolite, expected to be executed by suEXEC,
> stands in suEXEC's root, here /var/www
> (see below for suEXEC configuration):
>
>     $ ls /var/www  # truncated
>     gitolite-suexec-wrapper
>
> suEXEC configuration follows:
>
>     $ /usr/lib/apache2/suexec -V
>      -D AP_DOC_ROOT="/var/www"
>      -D AP_GID_MIN=100
>      -D AP_HTTPD_USER="www-data"
>      -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
>      -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
>      -D AP_UID_MIN=100
>      -D AP_USERDIR_SUFFIX="public_html
>
> Project configuration for Apache is described as:
>
>     <VirtualHost *:80>
>         ServerAdmin webmaster@localhost
>         ServerName project.domain.tld
>         DocumentRoot /home/work/domain.tld/project/www
>
>         CustomLog /var/log/apache2/project.domain.tld-access.log common
>         ErrorLog /var/log/apache2/project.domain.tld-error.log
>
>         <Directory /home/work/domain.tld/project/www>
>             AllowOverride None
>             Order allow,deny
>             Allow from all
>         </Directory>
>
>         ### Authentication ###
>         <Location />
>             AuthType Digest
>             AuthName "project.domain.tld"
>             AuthDigestDomain /
>             AuthDigestProvider file
>             AuthUserFile /home/work/domain.tld/project/etc/.pwdigests
>             Require valid-user
>         </Location>
>
>         SuexecUserGroup git git
>         ScriptAlias /git/ /var/www/gitolite-suexec-wrapper/
>     </VirtualHost>
>
> Git user is identified by:
>
>     $ id git
>     uid=110(git) gid=116(git) groupes=116(git)
>
> (For the sake of completeness, here is the system software
> version info:
>
>     - OS: Debian Wheezy (currently up-to-date)
>     - Apache httpd: Apache/2.2.22 )
>
> I've tried several small variants, but encountered the same main
> problem, described above.
>
>
> Variant 1
> ---------
>
> In first (default) configuration, suEXEC root document and
> gitolite shell wrapper have following rights:
>
>     $ ls -l /var  # truncated
>     drwxr-xr-x  3 root root www
>     $ ls -l /var/www  # truncated
>     -rwxr-xr-- 1 git git gitolite-suexec-wrapper
>
> Then, suEXEC succeeds in finding gitolite shell wrapper,
> but due to owners mismatching between wrapper (git/git)
> and its parent dir. /var/www (root/root), it fails with
> previously mentioned logged error:
>
>     [2015-04-22]: uid: (110/git) gid: (116/git) cmd: gitolite-suexec-wrapper
>     [2015-04-22]: target uid/gid (110/116) mismatch with directory (0/0) or program (110/116)
>
>
> Variant 2
> ---------
>
> If instead we set (in a second configuration) owners to be identical,
> as is:
>
>     $ ls -l /var  # truncated
>     drwxr-xr-x  3 git git www
>     $ ls -l /var/www  # truncated
>     -rwxr-xr-- 1 git git gitolite-suexec-wrapper
>
> suexec failed with previously mentioned logged error:
>
>     [2015-04-22]: uid: (110/git) gid: (116/git) cmd: gitolite-suexec-wrapper
>     [2015-04-22]: (2)No such file or directory: exec failed (gitolite-suexec-wrapper)
>
>
> Variant 3
> ---------
>
> I've also tried to put gitolite shell wrapper in its own dedicated directory,
> as follows:
>
>     $ ls -l /var/www
>     drwxr-xr-x 2 git git project.domain.tld-suexec
>     $ ls -l /var/www/project.domain.tld-suexec
>     -rwxr-xr-- 1 git git gitolite-suexec-wrapper
>
> and adapted virtualhost configuration with:
>
>     <VirtualHost *:80>
>         # ... see above for complement...
>
>         SuexecUserGroup git git
>         ScriptAlias /git/ /var/www/project.domain.tld-suexec/gitolite-suexec-wrapper/
>     </VirtualHost>
>
> As before with variants 1 and 2, if project.domain.tld-suexec has root/root
> as owners, suexec finds the wrapper but fails to execute it.
> And with git/git as owners, it simply doesn't find it.
>
>
> Variant 4
> ---------
>
> Another try following variant 3 was adding explicit CGI handling
> -- script was renamed with a .sh suffix:
>
>     $ ls -l /var/www/project.domain.tld-suexec
>     -rwxr-xr-- 1 git git gitolite-suexec-wrapper.sh
>
> and project's virtualhost configuration was completed with:
>
>     <VirtualHost *:80>
>         # ... see above for complement...
>
>         <Directory /var/www/project.domain.tld-suexec>
>             #AllowOverride None
>             Order allow,deny
>             Allow from all
>             Options ExecCGI
>             AddHandler cgi-script .sh
>         </Directory>
>         SuexecUserGroup git git
>         ScriptAlias /git/ /var/www/project.domain.tld-suexec/gitolite-suexec-wrapper.sh/
>     </VirtualHost>
>
> As before with previous variants, if project.domain.tld-suexec has root/root
> as owners, suexec finds the wrapper but fails to execute it.
> And with git/git as owners, it simply did not find it.
>
> ----
>
> Could you please help me?
> I've not easily found (or recognized as such?) any report with this exact situation
> (through google search, Apache mailing list or gitolite's one),
> which lets me suspect a misconfiguration or comprehension on my side.
> But I'm not sure this is the case.
>
> Again, thank you for taking time to read all previous lines!
>
> -- Vincent
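
Added example, not part of the original messages and not Apache or gitolite code: a POSIX shell preflight for the two failure modes in this thread, the owner mismatch between wrapper and parent directory and the "No such file or directory" caused by a shebang interpreter that does not exist. The function names are hypothetical, and only these two of suEXEC's checks are modelled.

```sh
#!/bin/sh
# Added example: preflight for a CGI wrapper run through suEXEC.
# Function names are hypothetical; only two of suEXEC's checks are modelled.

# Print the numeric "uid:gid" owner of a path (ls -n avoids stat(1) variants).
owner_of() {
    ls -ldn "$1" | awk '{print $3 ":" $4}'
}

# Print the interpreter named on the shebang line, or nothing if there is none.
shebang_interpreter() {
    sed -n '1s/^#![[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1"
}

# check_wrapper SCRIPT UID GID
# Returns 0 = ok, 1 = owner mismatch, 2 = shebang interpreter missing,
#         3 = script itself missing.
check_wrapper() {
    script=$1
    want="$2:$3"
    if [ ! -f "$script" ]; then
        echo "no such file: $script"
        return 3
    fi
    dir_owner=$(owner_of "$(dirname "$script")")
    prog_owner=$(owner_of "$script")
    # suEXEC requires the target user/group to own the program and its directory.
    if [ "$dir_owner" != "$want" ] || [ "$prog_owner" != "$want" ]; then
        echo "target uid/gid ($want) mismatch with directory ($dir_owner) or program ($prog_owner)"
        return 1
    fi
    # A missing interpreter makes exec fail with ENOENT although the script
    # exists; suEXEC logs that as "(2)No such file or directory: exec failed".
    interp=$(shebang_interpreter "$script")
    if [ -n "$interp" ] && [ ! -x "$interp" ]; then
        echo "shebang interpreter not found: $interp"
        return 2
    fi
    echo "ok: $script"
    return 0
}

# Usage: sh preflight.sh /var/www/gitolite-suexec-wrapper 110 116
if [ "$#" -eq 3 ]; then
    check_wrapper "$1" "$2" "$3"
fi
```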