I've returned today to working on getting the web portal running on deleuze, and I've hit another snag early on. By default, the Apache suexec program has its suexec root set to /var/www, which means that it won't accept suexec execution of CGI programs outside that directory, unless they are accessed via http://host/~user/.... Our general policy has been that users be given no way to run programs as other users, including any generic web server users like www-data. This means that we need suexec if we're going to provide standard CGI services.
On fyodor, we have a suexec binary that I compiled manually with a broader suexec root that contains all user home directories. This is a pretty small program, and the only change needed is to a string macro definition in one place. That means that, especially sticking with Debian stable and its infrequent updates, it is quite reasonable to compile a new suexec every time the underlying package source version increases.

So, what do y'all think? Should we take the same route on deleuze and mire? Going by the task assignments, I think this falls under mwolson's purview, but anyone's input is valuable. I'm blocked on this ATM, wanting to test the portal, which should run as a different user.

If necessary, we could stick to a suexec-free Apache set-up on deleuze, since only admins will be able to configure it. That would unblock me, but would leave the problem to be solved for mire. Any thoughts on this decision?

There's also the issue of how we're going to handle AFS ticket grabbing for CGI and PHP programs run by Apache. Suggestions welcome, though my understanding is that mwolson is in charge of this now and looking into it.

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
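As an added illustration of the suexec root restriction described in the message above (not code from the poster or from Apache), the following Python sketch models only the location test: a CGI script's directory, with symlinks resolved, must lie under the compiled-in root, or under the user's web directory for `~user` requests. The function names, the `public_html` suffix default, and the directory layout are assumptions constructed for the example; real suexec performs further ownership and permission checks that are not modelled here.

```python
import os
import tempfile

def within(root, path):
    """True if path is root or lies below it, after resolving symlinks."""
    root, path = os.path.realpath(root), os.path.realpath(path)
    return os.path.commonpath([root, path]) == root

def docroot_check(script, docroot, userdir_home=None, userdir_suffix="public_html"):
    """Simplified model of the suexec location test for one CGI script.
    userdir_home is given only for http://host/~user/... requests; the
    script must then sit under <home>/<suffix> instead of the docroot."""
    base = os.path.join(userdir_home, userdir_suffix) if userdir_home else docroot
    return within(base, os.path.dirname(script))

def build_sample_tree(top):
    """Constructed layout: a /var/www-style root plus one home directory."""
    docroot = os.path.join(top, "var", "www")
    home = os.path.join(top, "home", "alice")
    for sub in ("var/www/cgi-bin", "home/alice/public_html", "home/alice/portal/cgi"):
        os.makedirs(os.path.join(top, sub))
    # A symlink inside the docroot that points into the home directory.
    os.symlink(os.path.join(home, "portal"), os.path.join(docroot, "portal"))
    return docroot, home

def audit(top):
    narrow, home = build_sample_tree(top)
    wide = top  # stands in for a rebuilt suexec with a broader root
    vhost_cgi = os.path.join(home, "portal", "cgi", "index.cgi")
    return {
        "site cgi-bin, narrow root": docroot_check(os.path.join(narrow, "cgi-bin", "a.cgi"), narrow),
        "cgi in home, narrow root": docroot_check(vhost_cgi, narrow),
        "same cgi via docroot symlink": docroot_check(os.path.join(narrow, "portal", "cgi", "index.cgi"), narrow),
        "~user request": docroot_check(os.path.join(home, "public_html", "b.cgi"), narrow, userdir_home=home),
        "cgi in home, wide root": docroot_check(vhost_cgi, wide),
    }

def run_sample_audit():
    with tempfile.TemporaryDirectory() as top:
        return audit(top)

if __name__ == "__main__":
    for case, ok in run_sample_audit().items():
        print(f"{'accept' if ok else 'reject'}  {case}")
```

On a real host, `suexec -V` prints the compiled-in values (including `AP_DOC_ROOT`) to compare against; note that a broader root means every script directory below it passes this test, so the remaining suexec checks carry the rest of the isolation.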
