ScriptAlias and virtual domain

newbies

Hi all,

I have put a line in the httpd.conf file such as ScriptAlias /mycgi/ "/usr/local/mycgi/cgi-bin/"

However, this only works with the primary server's URL, not the virtual domain.
works --> http://www.primaryserver.com/mycgi/script.pl
does not work --> http://www.virtualdomain.com/mycgi/script.pl This gets a 500 error saying premature end of script header.

According to Apache, a virtual host will inherit the configuration of the primary server. Why won't it work with the virtual domain?

Thanks for any clue.
 
Hello,

Check /var/log/httpd/suexec_log. It will tell you what's wrong, either with permissions or paths etc. (assuming it's finding the script). Chances are, it's complaining about the username.

John
 
Thank you John,

Finally I know the place to find the error log for this type of error.

I loaded the script in my browser from a virtual URL, www.virtualdomain.com/mycgi/script.pl, and then tailed suexec_log and got this:

[2004-02-05 13:44:12]: info: (target/actual) uid: (myusername/myusername) gid: (myusername/myusername) cmd: awstats.pl
[2004-02-05 13:44:12]: error: target uid/gid (504/504) mismatch with directory (0/0) or program (0/0)

Could you tell me what is wrong and how to fix it?
 
Hello,

error: target uid/gid (504/504) mismatch with directory (0/0) or program (0/0)

Means that the directory is owned by root, but the file is owned by user 504. You'll have to make everything owned by the same user, and run by that user through Apache ("User", "Group").

John
 
Sorry but I am still confused.

All files and directories in /usr/local/mycgi belong to root/root. What does "target uid/gid (504/504)" mean? How can I get them to match?
 
DirectAdmin Support said:
the directory is owned by root,

but the file is owned by user 504.

You'll have to make everything owned by the same user, and run by that user through Apache ("User", "Group")
 
None of the files in the mycgi directory are owned by users except root. I found that 504 is the user ID for the virtual domain from which I access the script. That means you cannot access this directory from any virtual domain unless it's owned by the virtual domain.

In another example, I installed mailman in /usr/local/mailman; all files in mailman are owned by mailman. Similarly, I added a ScriptAlias line in httpd.conf, and I can only access scripts in the mailman cgi-bin using the primary server domain but not any virtual domain (will get 500).

This is strange to me.
 
Hello,

The directory the CGI files are in, the files themselves and the user that is executing them through Apache *all* have to be the same. The user is set in a virtualhost as "User" and "Group" in the httpd.conf files. Depending on how you are accessing them, they'll be run with either User/Group "apache", or if it's accessed through one of your users' domains, it will be run with their username for the User/Group setting. This inconsistency might make it tricky if not impossible to do with just an Alias. You might need to make a wildcard alias like a subdomain where it works like mycgi.* (e.g. mycgi.anydomain.com) and then you can specify one single User/Group setting, and make the mycgi directory and all files in it have the same username/group setting.

John
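
A way to run this comparison from the shell, as an added example that is not part of the original thread: it reads the six ids out of a suexec_log mismatch line and applies the same test to a live CGI directory and script. The function names are hypothetical, and it mirrors only the uid/gid comparison reported in the log line quoted in the thread, not any other check suexec performs.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# It mirrors only the uid/gid comparison that suexec_log reports.

# Print "uid gid" (numeric) for a path.
owner_of() {
    ls -ldn -- "$1" | awk '{print $3, $4}'
}

# report_mismatch T_UID T_GID DIR_UID DIR_GID PROG_UID PROG_GID
# Prints each side that differs from the target; returns 1 if any does.
report_mismatch() {
    rc=0
    [ "$3/$4" = "$1/$2" ] || { echo "directory is $3/$4, target is $1/$2"; rc=1; }
    [ "$5/$6" = "$1/$2" ] || { echo "program is $5/$6, target is $1/$2"; rc=1; }
    return "$rc"
}

# explain_log_line LINE: pull the six ids out of a suexec_log mismatch line.
# Returns 2 when the line is not a uid/gid mismatch error.
explain_log_line() {
    pat='(\([0-9]*\)/\([0-9]*\))'
    nums=$(printf '%s\n' "$1" | sed -n \
        "s|.*target uid/gid $pat mismatch with directory $pat or program $pat.*|\1 \2 \3 \4 \5 \6|p")
    [ -n "$nums" ] || { echo "not a uid/gid mismatch line"; return 2; }
    report_mismatch $nums
}

# check_paths T_UID T_GID CGI_DIR PROGRAM: same comparison on live files.
# T_UID/T_GID are the numeric ids of the vhost's User/Group (see: id -u NAME).
check_paths() {
    [ -d "$3" ] && [ -f "$3/$4" ] || { echo "missing: $3/$4"; return 2; }
    report_mismatch "$1" "$2" $(owner_of "$3") $(owner_of "$3/$4")
}

# Demo on the log line quoted in the thread.
explain_log_line '[2004-02-05 13:44:12]: error: target uid/gid (504/504) mismatch with directory (0/0) or program (0/0)' || true
```

With the values from the thread, the live check would be `check_paths 504 504 /usr/local/mycgi/cgi-bin script.pl`.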
 
Thank you all for replies.

Finally I understood what the problem is. Suexec enforces that a virtual host domain cannot access directories other than its home directory. I had a temporary solution for this without disabling suexec. Since I own one of the virtual domains and I want it to have the mailman feature, I removed the User and Group directives from my <VirtualHost> container; thus, requests from my virtual domain will assume the primary server's user ID and group. Now everything works.

My question is whether this will cause any security concerns.

....

Oops, removing User and Group in <VirtualHost> caused new problems. Some CGI scripts under my default home cgi-bin no longer work and give a write permission error (the virtual domain cannot write in its own directory).

Maybe I have to disable Suexec. Is this the best solution?
 
Hello,

That would be up to you if it was the "best" solution. Scripts would be run as apache, so you'd need to make sure that they still have proper write privileges for all users on the server.
(just rename /usr/sbin/suexec to something else and restart apache)

John
 
You are right, John.

After I disabled Suexec, the virtual host can run scripts outside its home directory, but there is a new problem: all HTTP requests will run as apache or nobody, while currently all files in the virtual host home directory are owned by the virtual host, not by apache.

It seems there is no compromise.
 