Hello all! I am trying to work out what the best method is to achieve CGI scripts being executed by the UID of the user who owns the script rather than have all scripts acessable from the main apache user. This solution is to host many hundreds of customers, and I want to use mod_rewrite and maps to do mass hosting WITHOUT hundreds of VirtualHosts in the apache config. Now, I already have a platform created which uses mod_rewrite in this way, but all scripts are run by the apache user, and naturally it means users need insecure directory permissions if they want the apache process to write files, leaving security a lot to be desired - hence the need to have a similar platform, but the scripts, directories etc are all owned by the individual users. I have been researching for days, and have no working solution - mod_suexec seems not to allow me to do what I want as it relies on certain directives within individual VirtualHosts. Next I looked at cgiwrap, but I don't seem to be able to get it to do what I want; the documentation isn't particularly clear for me in how it actually works - but it seems I need to have a central location for scripts for it to work (or at least all user script directories under one central cgiwrap directory), which may or may not be useful to me if I could understand it a little better. Here is my situation: All users have a domain cgi.username.mydomain All users have their directories under a tree of home directories e.g. /files/home1/fred /files/home2/gurt /files/home3/mons /files/home1/paulw under which, each has a cgi-bin directory for their scripts (static content is allowed in the top level of each user's directory) etc A username -> directory map exists for the rewrite engine to map to the correct place on the filesystem My experience of cgiwrap has resulted in wierd errors when using a single virtualhost as a test (cannot find user cgi-bin in passwd file) - which I think is as a result of me not clearly understanding how it expects me to use the program, or in the case of using a rewrite engine, nothing happens at all - cgi scripts are getting executed by the apache user as before - again, this is possibly down to not having a 100% firm grasp of how it expects me to run. Can anyone suggest the best method to achieve the kind of setup I am describing above - are there other alternatives to cgiwrap for general CGI execution (I am aware su_php may help me on the php specific angle of hosting)? If cgiwrap is the best way forward, can anyone help me figure out exactly how to use cgiwrap to achieve what I need, or if that isn't workable, to suggest how to re-arrange what I need to be more cgi-wrap complient? I appreciate your efforts in wading through this post :-) If you need any more info, just yell - in the mean time, I'm going to keep prodding away with CGI wrap trying to figure out exactly what it expects. Im case it helps, I am using Apache 2.0.53, and cgi-wrap 3.9 with the following build options: ./configure --with-perl=/usr/bin/perl --with-local-doc-url=/usr/doc/cgi --with-install-dir=/local/apache/cgi-bin/ --with-httpd-user=nobody --with-minimum-uid=100 --with-minimum-gid=100 --with-logging-file=/local/apache/logs/cgiwrap.log --with-setenv-path=/bin:/usr/bin:/usr/local/bin -with-rlimit-cpu=120 --with-rlimit-fsize=536870912 --with-allow-file=/local/apache/conf/cgiwrap.allow --with-deny-file=/local/apache/conf/cgiwrap.deny Thanks :) Gary Wilson --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|