suexec problems with cgi -- FIXED

voxxitdesigns

I have just got done troubleshooting one of my client's accounts, and it seemed that MovableType wouldn't run at all inside of the public_html directory with an .htaccess file attached.

This was fixed by making the public_html directory chown'd to username:username, and the files beneath the same (with .cgi and .pl files as chmod 755)

Can we get this made default in the next revision? It was such a hassle to figure out the problem.

I also think that with this active, users CANNOT look at their site via the http://IP/~username method. Can this be fixed?

Thanks guys, nice work otherwise!

Josh
 
We have had a similar problem with Mambo.

I'll bring it to DA staff's attention.

Jeff
 
Hello,

Ok, one solution isn't going to work for everyone ;) (security vs flexibility).

What I'm going to do, is change the default behavior for *new* installs of DA by adding an additional option to new directadmin.conf files. Existing directadmin.conf files for current users will not have the option, so they will be unaffected (if no option, then public_html will still be owned by apache when a domain is created).

http://www.directadmin.com/features.php?id=497

John
 
John, maybe you can also add a 3rd option to set chmod username:apache 710 to the "domains/" folder instead of "public_html/" and "private_html/"? Because this is the only right way to enable CGI in public_html without breaking security.
(Yes, I know about the anonymous FTP problem, but it's the lesser of two evils.)

PS: But generally, I think this feature request is almost meaningless. DA has a great feature - custom scripts, so any admin already can set any desired permissions just after account/domain creation. So I don't see any point in bothering DA staff with such _questionable_ and subjective feature requests...
 
ClayRabbit said:
John, maybe you can also add a 3rd option to set chmod username:apache 710 to the "domains/" folder instead of "public_html/" and "private_html/"? Because this is the only right way to enable CGI in public_html without breaking security.
(Yes, I know about the anonymous FTP problem, but it's the lesser of two evils.)

PS: But generally, I think this feature request is almost meaningless. DA has a great feature - custom scripts, so any admin already can set any desired permissions just after account/domain creation. So I don't see any point in bothering DA staff with such _questionable_ and subjective feature requests...

Why questionable? It should be an automatic feature - not one that an admin should have to go in and add for each client that wants to sign up and use MovableType (or any other perl script for that matter).
 
If you don't have a directory with permissions user:apache 750 (or 710) somewhere on your path to DocumentRoot, then any user is able to read your files (if they have world-read permissions). With his CGI script, for example.
(When running PHP scripts under mod_php you need to set world-read permissions on PHP files.)
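
An added example, not part of the thread: a small audit of the condition described in the last post. It walks from a DocumentRoot up towards the filesystem root looking for a directory that denies traversal to "other" (as 750 or 710 would), and if none exists, lists the world-readable files other local users could read. The function names and the `stop_at` parameter are hypothetical; it checks permission bits only, not that the group is actually apache.

```python
import os
import stat
import sys


def first_gate(docroot, stop_at="/"):
    """Walk from docroot up to (not including) stop_at and return the first
    directory without o+x (e.g. mode 750 or 710), or None if there is none."""
    path = os.path.realpath(docroot)
    stop = os.path.realpath(stop_at)
    while path != stop:
        if not os.stat(path).st_mode & stat.S_IXOTH:
            return path
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            break
        path = parent
    return None


def world_readable(docroot):
    """List regular files under docroot that 'other' can read and reach."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        # Subdirectories without o+x are unreachable for other users: skip them.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_mode & stat.S_IXOTH]
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                hits.append(full)
    return sorted(hits)


def audit(docroot, stop_at="/"):
    """Return the gating directory (if any) and the files exposed without one."""
    gate = first_gate(docroot, stop_at)
    return {"gate": gate, "exposed": [] if gate else world_readable(docroot)}


if __name__ == "__main__" and len(sys.argv) > 1:
    result = audit(sys.argv[1])
    print("gate directory:", result["gate"] or "none (path is open to other users)")
    for f in result["exposed"]:
        print("world-readable:", f)
```

Run it with a DocumentRoot path as the only argument; an empty "world-readable" list with no gate means the files themselves are already restricted.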
 