System Wide CGI-BIN

BigWil

Does anybody know how to get the system-wide CGI-BIN to work with the DA setup?

Let's say I want all of the domains to have access to xyz.cgi. I place it in the /var/www/cgi-bin/ directory but none of the virtuals can access it. Suggestions?

Secondly I would like to 4755 it and get Suexec to leave it alone.

Big Wil
 
I found it. There is a system-wide CGI-BIN in the httpd.conf configured as /cgi-sbin/ which simply needed the comment # removed from the ScriptAlias above it. Looked at it for a couple hours before I saw it. I get a dunce cap for that one for sure.

#ScriptAlias /cgi-sbin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-sbin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>

Remove the # and away you go. I guess I was looking for something more difficult than it really was.

Big Wil
 
Nice find, Big Wil.

Let us know if it appears to work properly.

Thanks.

Jeff
 
BigWil... Have you succeeded?


Secondly I would like to 4755 it and get Suexec to leave it alone.
The bit I'm having trouble with is in getting Suexec to ignore it. If so please tell me how!
 
Yes it does seem to work fine but only if the script isn't setuid. If the script IS setuid it must have the Suexec exclusion put into place in the fp-patch-suexec file. Few will ever be setuid and it isn't a great practice to be in but if there is an extreme need you can tell Suexec to ignore it with this hack.

Replace this (single line)
&& (strcmp(r->filename, "/usr/local/frontpage/version5.0/apache-fp/_vti_bin/fpexe"))

With this (single line)
&& (strcmp(r->filename, "/usr/local/frontpage/version5.0/apache-fp/_vti_bin/fpexe")) && (strcmp(r->filename, "/pathtoyourscript/scriptname.xyz"))

Put that string on a single line. What you are seeing above is being linewrapped and not done that way intentionally.

Then patch the util_script.c file
patch -d0 < ./fp-patch-suexec

Give it the path to util_script.c when it asks for it:
./apache_1.3.31/src/main/util_script.c

Now that it is patched, make it and install it.
cd apache_1.3.31
make && make install

It worked the second time I tried it. Don't know why it didn't work the first time. So don't get discouraged if it didn't seem to work just try it again. Finicky process I guess. Always remember to restart http from the command line by the way.

FreeBSD /usr/local/etc/rc.d/httpd restart

Big Wil
 
I don't understand (could be I'm really stupid - so beware!)

For a CGI app to work within a system-wide CGI_BIN under suexec, what owner and group should the file have?

Surely if it doesn't match the particular owner/group for the virtual host it will be prevented from running by suexec?

So if a file is given the owner:group of one virtual host, it won't work for any other.

How do I get round that?

Any help will be much appreciated.

Mike
 
SETUID SCRIPT: If you use the Suexec hack suexec will ignore it completely. The file would be setuid 4755 and owned by root:wheel. As I said before this shouldn't be done unless it is absolutely necessary. The definition of absolutely necessary is at your own discretion.

STANDARD SCRIPT: 750 and owned by the apache user or even root:wheel it seems but I would highly advise that you use the apache user.

The system wide CGI-SBIN isn't within a specific virtualhost but is rather handled at the root. So if you wanted to put in a hellomike.cgi script and wanted all domains to be able to run it they can.

http://www.xyzvirtualdomain.com/cgi-sbin/hellomike.cgi

Hello Mike! You're the greatest!

If you toss in a sleep 10; command at the bottom of that script and do a ps -aux you will see it is running by the user that owns xyzvirtualdomain.com.

DISCLAIMER HERE - I will not be held responsible and you have been forewarned. As with any script that runs in a sandbox make DARN SURE it isn't able to do anything harmful to your file system or steal information.


Big Wil
 
Thanks for getting back to me.

When I try that I get a 500 error.

suexec_log shows:
[2004-09-09 12:09:18]: error: target uid/gid (519/519) mismatch with directory (48/48) or program (48/48)

519/519 is the virtual host's user's uid/gid, 48/48 is apache.

edit:
If I chown the cgi-bin directory and the test script to match the virtual host user, then the script runs ok. (Test proves cgi-bin is being found and script has no problems) - but it will only run for that particular virtual host.
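
The uid/gid mismatch in the suexec_log line above, and the reason an unpatched suexec will not run a 4755 script, shown as an added example that is not part of the original thread or of Apache's source: a simplified model of suexec's documented ownership and mode checks. The function names and uid 520 (a second virtual host) are assumptions made for illustration; 519 and 48 are the values from the log.

```c
/* Added example, not Apache source: suexec-style ownership and mode checks
 * as a pure function over stat() fields. uid 520 is a constructed value. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

enum verdict { OK_TO_RUN, DIR_WRITABLE, PRG_WRITABLE, PRG_SETID, OWNER_MISMATCH };

/* Short descriptions for printing; not suexec's own log wording. */
static const char *verdict_text[] = {
    "ok to run", "directory writable by group/other",
    "program writable by group/other", "program is setuid or setgid",
    "target uid/gid differs from directory or program owner" };

/* Build a stat record from owner, group and permission bits. */
struct stat mk(uid_t u, gid_t g, mode_t m)
{
    struct stat s = {0};
    s.st_uid = u; s.st_gid = g; s.st_mode = m;
    return s;
}

/* uid/gid: the user the requesting virtual host runs its CGIs as. */
enum verdict suexec_precheck(uid_t uid, gid_t gid, struct stat dir, struct stat prg)
{
    if (dir.st_mode & (S_IWGRP | S_IWOTH)) return DIR_WRITABLE;
    if (prg.st_mode & (S_IWGRP | S_IWOTH)) return PRG_WRITABLE;
    if (prg.st_mode & (S_ISUID | S_ISGID)) return PRG_SETID;
    if (uid != dir.st_uid || gid != dir.st_gid ||
        uid != prg.st_uid || gid != prg.st_gid) return OWNER_MISMATCH;
    return OK_TO_RUN;
}

int main(void)
{
    struct stat dir48 = mk(48, 48, 0755), cgi48 = mk(48, 48, 0750);
    struct stat dir519 = mk(519, 519, 0755), cgi519 = mk(519, 519, 0750);
    struct stat suid = mk(0, 0, 04755);

    /* apache-owned script requested through the 519/519 virtual host */
    printf("519 vs 48-owned:  %s\n", verdict_text[suexec_precheck(519, 519, dir48, cgi48)]);
    /* after chown to 519: runs for that host, fails for another (520) */
    printf("519 vs 519-owned: %s\n", verdict_text[suexec_precheck(519, 519, dir519, cgi519)]);
    printf("520 vs 519-owned: %s\n", verdict_text[suexec_precheck(520, 520, dir519, cgi519)]);
    /* root-owned 4755 script: rejected for the setuid bit itself */
    printf("519 vs 4755 root: %s\n", verdict_text[suexec_precheck(519, 519, dir48, suid)]);
    return 0;
}
```

Because the owner test compares against a single uid/gid, one shared script file cannot pass it for two different virtual-host users at once.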
 