howdy-

i'm one of those strange people who doesn't use a "/cgi-bin/" directory on my web sites. however, while installing vqadmin-2.3.2, i discovered that the path "/cgi-bin/vqadmin/vqadmin.cgi" is pretty much hard-coded everywhere i look.

i don't mind "/vqadmin/vqadmin.cgi", but i don't like having to type "/cgi-bin/" as part of the URL.

therefore, i have written a patch which does the following:

- in cgi.c, causes cgi_init() to store the value of the SCRIPT_NAME
  environment variable
- in template.c, causes t_code() to replace the new "%-S" token with this
  value
- modified the hard-coded URLs in domain.c and user.c to use this value
- modified the templates to use "%-S" instead of the hard-coded URLs
- fixed a spelling error ("Email Acount %s deleted") in user.c

the patch itself will be found at the bottom of the following page:
http://www.jms1.net/qmail/
i suggest that the patch be reviewed by any interested parties, particularly
the inter7 guys, and if appropriate i request that it be integrated into
the next version of the vqadmin program. if any errors or problems are
found, please post the details to this mailing list.

another suggestion: the final installer script (the one which is executed as
part of "make install-strip" or "make install") assumes that the web
server's anonymous user is "nobody". it also sets the permissions of
"vqadmin.cgi" to only be accessible to userid's which are members of
whatever group id is attached to root in /etc/passwd.
instead, the directions should have the user manually locate the correct
group id from their apache config file:

    # grep -i ^group /etc/httpd/conf/httpd
    Group apache

and then set the permissions for your "vqadmin.cgi" thusly:

    # chown root vqadmin.cgi
    # chgrp apache vqadmin.cgi
    # chmod 4110 vqadmin.cgi

this way the web server's anonymous user will have permission to run the
program (the "group execute" bit, 0010, is on) and it will still be setuid
root (owned by root, and the "setuid" bit, 4000, is on) but other users on
the machine which are not members of the web server's anonymous group will
not have permission to run it.
i can also see this process (finding the correct group id) being added to
the configure script (and therefore added to the right places in the
Makefile) with the addition of a "--with-httpd-conf=" option. however i'm
not a wizard with configure scripts. every time i try to do anything more
complicated than fix a spelling error i end up totally hosing it...
therefore i'll let somebody else write this into the configure script.
peace.
--
-----------------------------------------------
| John Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ <[EMAIL PROTECTED]> |
-----------------------------------------------
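
The ownership and mode described in the message above (owned by root, group taken from the Apache "Group" directive, mode exactly 4110) can be verified after installation. The script below is an added example, not part of the original post or of vqadmin; the function names httpd_group and check_cgi_perms are hypothetical, and it assumes a POSIX sh with awk and find.

```shell
#!/bin/sh
# Added example; function names are illustrative, not part of vqadmin.

# Print the group set by the last "Group" directive in an Apache config.
# Directive names are case-insensitive; "Group #48" means numeric gid 48.
# Commented-out directives ("# Group nobody") are ignored.
httpd_group() {
    awk 'tolower($1) == "group" && NF >= 2 { g = $2 }
         END { if (g == "") exit 1; sub(/^#/, "", g); print g }' "$1"
}

# Succeed only if $1 is owned by $2, has group $3 and mode exactly 4110
# (setuid + owner execute + group execute, nothing for other users).
check_cgi_perms() {
    file=$1 owner=$2 group=$3
    [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 2; }
    # find prints the path only when every test matches; a numeric
    # -perm argument is an exact match, so extra bits such as 4111 fail.
    match=$(find "$file" -prune -user "$owner" -group "$group" \
                 -perm 4110 2>/dev/null) || match=
    [ -n "$match" ] && return 0
    echo "$file: expected $owner:$group mode 4110, found:" >&2
    ls -ld "$file" >&2
    return 1
}

# Usage: sh check.sh /path/to/httpd.conf /path/to/vqadmin.cgi
if [ "$#" -eq 2 ]; then
    grp=$(httpd_group "$1") || { echo "no Group directive in $1" >&2; exit 2; }
    check_cgi_perms "$2" root "$grp"
fi
```

Changing a file's owner or group can clear its setuid bit, which is why chmod comes last in the command sequence above and why the check belongs after all three commands have run.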
