On Tue, Sep 24, 2002 at 11:39:22PM -0700, Justin Erenkrantz wrote:
> Is it possible to use SuexecUserGroup in combination with a vhost
> that isn't served out of the default htdocs dir on a per-vhost level?
> This is a rhetorical question as modules/generators/mod_suexec.c:110
> forbids this.

It's possible, it's all down to what you set suexec-docroot to. If you set it to / then everything is good. I set mine to the same as my prefix, and drop all of my vhosts in a $prefix/vhosts/ directory, which keeps them away from htdocs. So you don't need to keep suexec'd vhosts in the same place as your DocumentRoot.

> The intention is to have multiple vhosts which each have their own
> user associated with them with independent docroots
> (~user/public_html). So when a CGI page goes to that vhost, the
> CGIs would be executed as the associated user.

Doing that, you'd have to give each one an explicit SuexecUserGroup directive and change the suexec-docroot to /home or /, depending on where else you'd like vhosts to live as well.

> Hmm, why does this eerily sound like the perchild MPM (what little I
> know of it)? But, it seems that suexec could easily handle this
> case too with a little bit of tweaking. So, my question is why
> do we set cfg->ugid.userdir = 0 when it could be useful to set it
> to 1? Could we add a directive (SuexecUseUserDoc) for this case?

If userdir was enabled, it wouldn't work, since you would have to prepend the tilde to the uid. How would you decide which user to associate with an arbitrary directory? Multiple uids could point to it as being in $home, going with ownership kills one of the points of using directives like this (so that CGI no longer have write perms on what it's reading).

I think a way to go about solving the problem would be to modify suexec (not the module) to work when PWD is in $home for the target uid even without a tilde.

Tied in with all of this there's still the larger problem of how mod_suexec should handle the SuexecUserGroup directive when userdir and an explicit directive are both there. In your examples it could get very confusing. Comments in PR 9038 describe the problem in detail.

> For now, mod_rewrite has been jury-rigged to rewrite the CGI requests
> so that these requests end up as vhost/~user/ so the mod_userdir rule
> hits. But, that's clunky. -- justin

That it is :( Though, I'm running over 300 of these on my server and it's working out quite well, some of them are reverse proxies, some not so, but yes it is clunky.

--
[EMAIL PROTECTED]
PubKey: [EMAIL PROTECTED]
Web: http://devnull.redbrick.dcu.ie/
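
The check proposed in the reply above (accept a CGI's working directory when it lies under the target user's home even without the ~user form), sketched as an added example that is not part of the original message and is not suexec's own code. The function names and sample paths are hypothetical, and the paths are assumed to be canonical, as returned by getcwd().

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if `path` equals `base` or lies beneath it. Both must be
 * absolute, canonical paths (as from getcwd()): no "..", no symlinks. */
static int path_within(const char *base, const char *path)
{
    size_t n = strlen(base);

    if (n == 0 || base[0] != '/' || path[0] != '/')
        return 0;
    /* Ignore trailing slashes on base, so "/home/" behaves like "/home". */
    while (n > 1 && base[n - 1] == '/')
        n--;
    if (n == 1)                      /* base is "/": everything is inside */
        return 1;
    if (strncmp(base, path, n) != 0)
        return 0;
    /* Require a component boundary: "/home/alice" must not match
     * "/home/alice2", which a bare prefix comparison would accept. */
    return path[n] == '\0' || path[n] == '/';
}

/* Hypothetical policy: allow cwd under the compiled-in docroot, or under
 * the home directory of the uid the CGI will run as (no tilde needed). */
int cgi_dir_allowed(const char *cwd, const char *docroot,
                    const char *target_home)
{
    if (path_within(docroot, cwd))
        return 1;
    return target_home != NULL && path_within(target_home, cwd);
}

int main(void)
{
    /* Constructed sample paths. */
    const char *docroot = "/usr/local/apache2";
    const char *home = "/home/alice";

    printf("%d\n", cgi_dir_allowed("/usr/local/apache2/vhosts/a/cgi-bin", docroot, home));
    printf("%d\n", cgi_dir_allowed("/home/alice/public_html/cgi-bin", docroot, home));
    printf("%d\n", cgi_dir_allowed("/home/alice2/public_html", docroot, home));
    printf("%d\n", cgi_dir_allowed("/home/bob/public_html", docroot, home));
    return 0;
}
```

Tying the second branch to the home directory of the target uid, rather than to a broad docroot such as /home or /, keeps one user's vhost from running CGIs out of another user's tree.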
