On Thu, 28 Jul 2005, Brian Candler wrote:

Also, if you want the wrapper to run a shell, call a script, like one that starts with #!/bin/sh
-Dan
I have a suexec-related question. I'm running (and looking at the source code for) Apache 1.3.33.

I am mapping the Host: header to the filesystem path using mod_rewrite and a dbm map, for mass virtual hosting. Since "User" can only be set statically inside a <VirtualHost> container, it looks like I can't use Apache's suexec, so I need something like cgiwrap which runs under the userid of the script file itself.

However, this model seems to break down for .shtml pages which contain, say,

    <!--#exec cmd="foo"-->

Firstly, I need "foo" to run under the userid of the .shtml page (or the website owner), not the userid of program "foo".

Secondly, shtml users expect their cmd to be run under a shell; however in main/util_script.c, I see that if suexec is active, the shell is not run.

    if (ap_suexec_enabled ...
        if (shellcmd) {
            execle(SUEXEC_BIN, SUEXEC_BIN, execuser, grpname, argv0, NULL, env);
        }
    ...

but in the non-suexec case:

    else {
        if (shellcmd) {
            execle(SHELL_PATH, SHELL_PATH, "-c", argv0, NULL, env);
        }

So as far as I can tell <!--#exec cmd="echo hello"--> isn't going to work if suexec is active, since in suexec, argv[3]="echo hello". I guess the wrapper could run a shell, but there's no flag telling it to do so.

I am considering whether I need to write my own setuid wrapper, and pass the site username in an environment variable: e.g.

    RewriteMap hostmap dbm:/conf/hostmap
    RewriteCond ${hostmap:${tolower:%{HTTP_HOST}}} root=(/[^,]+),uid=(\d+)
    RewriteRule ^(.*\.shtml) %1$1 [E=UID:%2]

This seems pretty hairy to me. Or perhaps the wrapper can look at SCRIPT_FILENAME or PATH_TRANSLATED and stat() that file?

Anybody have any other suggestions? A third party module which uses a .db or .cdb file to lookup the "Host:" header and set docroot+UID+GID would be acceptable.

Otherwise, I guess what I really want is to be able to set [USER=...] in a mod_rewrite rule, but looking at the docs for apache 2.0 and 2.1, I don't think this feature has been added.

Regards,

Brian Candler.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
--
"Is Gushi a person or an entity?"
"Yes"
-Bad Karma, August 25th 2001, Ezzi Computers, Quoting himself earlier, referring to Gushi

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
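
The stat()-based approach raised in the question above, as an added example that is not from the thread or from Apache's source: a helper a setuid wrapper could call to take the uid/gid from the owner of the file named by SCRIPT_FILENAME, with ownership and mode checks similar to the ones suexec applies to its targets. The function name, the error codes and the minimum-id parameters are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

/* Hypothetical result codes for this example. */
enum owner_err { OWN_OK = 0, OWN_OPEN, OWN_STAT, OWN_TYPE,
                 OWN_MODE, OWN_LOWID };

/* Decide which identity an SSI command may run as, from the owner of the
 * .shtml file. path would be taken from SCRIPT_FILENAME; min_uid and
 * min_gid are site policy (assumed) that keeps root and system accounts
 * from ever being selected. On success *uid and *gid are filled in. */
int owner_for_page(const char *path, uid_t min_uid, gid_t min_gid,
                   uid_t *uid, gid_t *gid)
{
    struct stat st;
    int rc = OWN_OK;

    /* O_NOFOLLOW refuses a symlink as the final path component;
     * O_NONBLOCK avoids hanging if the path names a FIFO. Using fstat()
     * on the descriptor inspects exactly the file that was opened, so
     * the path cannot be swapped between the check and the result. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return OWN_OPEN;

    if (fstat(fd, &st) != 0)
        rc = OWN_STAT;
    else if (!S_ISREG(st.st_mode))
        rc = OWN_TYPE;                 /* directories, devices, FIFOs */
    else if (st.st_mode & (S_IWGRP | S_IWOTH | S_ISUID | S_ISGID))
        rc = OWN_MODE;                 /* others can edit it, or setuid/setgid */
    else if (st.st_uid < min_uid || st.st_gid < min_gid)
        rc = OWN_LOWID;                /* owner is below the allowed id range */
    else {
        *uid = st.st_uid;
        *gid = st.st_gid;
    }
    close(fd);
    return rc;
}
```

A wrapper built on this would drop privileges with setgroups(), setgid() and setuid() in that order, checking each return value, before exec'ing SHELL_PATH with "-c" and the command string.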