Re: [users@httpd] DirectoryIndex /mybin/myindex.cgi


 



On 9/8/05, Andrew Clarke <aclarke@xxxxxxxxxxxxx> wrote:
> On Thu, 08 Sep 2005 22:58, Joshua Slive wrote:
> >
> > Interesting.  I haven't looked into it in detail, but I suspect that
> > what you are trying to do is not possible with suexec activated.  If
> > the request is run through mod_userdir, then it must follow the
> > user-specific suexec rules.  That includes the script living under
> > /home/user/public_html and being owned by the user.
> >
> > So you have two choices:
> >
> > 1. Don't use suexec.  This would be the thing to do unless you really
> > need suexec.
> 
> I do not need suexec, so I'll go with this choice, thanks. Since it's a
> default SuSE install, it came along for the ride. Up until now I've built my
> toy apaches from source, but since there is some merit to using pre-built
> bundles, I decided to experience that particular joy. Now I need to delete
> suexec - is it just a matter of a config change, or do I need to rebuild from
> source? I hope the doco is clear. I'm newish to apache, despite doing UNIX
> for more years than I care to mention.

Just remove the suid bit from the suexec binary (or rename it) and
then restart apache.

The suexec docs are not that easy for newbies, but then again, suexec
isn't supposed to be used by newbies.  I dislike the fact that
distributors activate it by default.  Suexec can do more harm than
good to security if it isn't used intelligently.

> 
> Do you think this needs to be a bug/misfeature report to the Apache teams
> then? I don't have enough in-depth knowledge to consider whether
> DirectoryIndex needs to use suexec by necessity or convenience, and whether
> there's any logical reason why it can't work, or whether it just needs more
> code throwing at it. Perhaps the codesters need to be informed?

I don't think this is a fixable issue.  You can't combine global CGIs
with userdir requests.  That's part of suexec's security features. 
What you want is simply to not use suexec for these requests, but
making an exception like that could be very dangerous.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
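
The step described in the reply above (remove the suid bit from the suexec binary, then restart), as an added example that is not part of the original message. The function names and the path passed in are assumptions, since the thread does not say where the binary lives.

```shell
#!/bin/sh
# Added example: strip the setuid/setgid bits from a suexec binary and
# verify the result. Function names are hypothetical; the binary's path
# is not given in the thread, so pass the one found on your own system.

# Return 0 if the file carries a setuid or setgid bit.
has_suid_bits() {
    [ -u "$1" ] || [ -g "$1" ]
}

# disable_suexec PATH
#   0 = bits removed, or already absent
#   1 = path is missing or not a regular file
#   2 = chmod failed or the bits are still set afterwards
disable_suexec() {
    bin=$1
    if [ ! -f "$bin" ]; then
        echo "not a regular file: $bin" >&2
        return 1
    fi
    if ! has_suid_bits "$bin"; then
        echo "no setuid/setgid bit on $bin; nothing to do"
        return 0
    fi
    ls -l "$bin"                      # record the mode before changing it
    chmod u-s,g-s "$bin" || return 2
    if has_suid_bits "$bin"; then
        echo "setuid/setgid bit still present on $bin" >&2
        return 2
    fi
    ls -l "$bin"                      # mode after the change
    echo "setuid bit removed from $bin; now restart Apache"
}

# Usage (placeholder path): disable_suexec /path/to/suexec
```

A package upgrade may reinstall the binary with its original mode, so the check is worth repeating after updates.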


