>Number:         3871
>Category:       suexec
>Synopsis:       suExec should be able to be turned on/off on a per directory basis
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Wed Feb 10 10:20:01 PST 1999
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        1.3.3
>Environment:
Solaris 2.6, Patch 105181-11
Multi-user system
Apache compiled with gcc 2.7.2.2
>Description:
We need to do various things with suexec. Unfortunately, I have just discovered that it is turned ON for everything, and that there is no way to turn it OFF on a per-directory basis. Since we allow user-CGI scripts on this server (needed for CS class projects), having all scripts be SUID is a *bad* idea, even if the user scripts are only accessible via a small handful of Rutgers subnets. The solution for right now is to remove the suexec binary from the apache directory.

There should be a way to either turn it off per-directory, or explicitly have to turn it ON per-directory, e.g.

    Options Indexes ExecCGI (No)suExec

Also, Question #14 in the FAQ ("Premature End of Script Headers") should show that the message can be generated by suexec not running a CGI script. We kept getting this error, but I couldn't figure out why, since it worked for ScriptAlias but not user-CGIs. Turns out that suexec was failing with this error:

    [1999-02-10 11:38:37]: uid: (jlizzi/jlizzi) gid: (users/users) cmd: test.cgi
    [1999-02-10 11:38:37]: cannot get docroot information (/ug/u2/jlizzi)

If suexec had been mentioned in the FAQ question as a possible cause, it would have saved me a *lot* of aggravation.
>How-To-Repeat:
>Fix:
1) Add a (No)suexec option to turn suexec off/on on a per-directory basis
2) Fix FAQ question #14 to mention suexec failing to execute the CGI script
>Audit-Trail:
>Unformatted:
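
Added example, not part of the original report or of Apache's own code: a small Python parser that pairs each request line in the suexec log with the refusal reason logged after it, which is the check that ties a "Premature end of script headers" error back to suexec. It assumes the log layout of the two lines quoted in the report; the function name `suexec_refusals` and the extra sample entries are constructed for illustration.

```python
import re

# Constructed sample: the first two lines are the ones quoted in the report,
# the remaining entries are invented in the same layout for illustration.
SAMPLE_LOG = """\
[1999-02-10 11:38:37]: uid: (jlizzi/jlizzi) gid: (users/users) cmd: test.cgi
[1999-02-10 11:38:37]: cannot get docroot information (/ug/u2/jlizzi)
[1999-02-10 11:40:02]: uid: (alice/alice) gid: (users/users) cmd: ok.cgi
[1999-02-10 11:41:15]: uid: (bob/bob) gid: (users/users) cmd: form.cgi
[1999-02-10 11:41:15]: cannot get docroot information (/ug/u3/bob)
"""

# "[timestamp]: message" wrapper used by every log line.
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]: (?P<msg>.*)$")
# Request line: "uid: (name/name) gid: (name/name) cmd: script".
CALL = re.compile(
    r"^uid: \((?P<user>[^/)]+)/[^)]*\) gid: \((?P<group>[^/)]+)/[^)]*\) cmd: (?P<cmd>.+)$"
)


def suexec_refusals(log_text):
    """Return one dict per log message that is not a plain request line.

    Assumption: a refusal reason directly follows the request line it belongs
    to, as in the report. A reason with no preceding request line is still
    returned, with user, group and cmd set to None.
    """
    refusals, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not in the "[timestamp]: message" layout
        call = CALL.match(m["msg"])
        if call:
            current = {"time": m["ts"], **call.groupdict()}
        else:
            base = current or {"time": m["ts"], "user": None, "group": None, "cmd": None}
            refusals.append({**base, "reason": m["msg"]})
            current = None
    return refusals


if __name__ == "__main__":
    for r in suexec_refusals(SAMPLE_LOG):
        print(f'{r["time"]} {r["user"]}:{r["group"]} {r["cmd"]} -> {r["reason"]}')
```

Requests that suexec ran without complaint (the `ok.cgi` entry) produce no output, so every line printed is a script the web server asked for and suexec declined to execute.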