LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Red Hat (http://www.linuxquestions.org/questions/red-hat-31/)
-   -   Apache suEXEC recompile for new config options (http://www.linuxquestions.org/questions/red-hat-31/apache-suexec-recompile-for-new-config-options-720210/)

Thom_Redhat 04-19-2009 11:07 AM

Apache suEXEC recompile for new config options
 
Hi,

Im using Centos 5.3 with Apache 2.2.3 & by default suEXEC is enabled but the default options don't meet what i'm trying todo so I want to change them. After research it seems for security reasons the config options are compiled in. So to change them I have to recompile Apache.

How do I go about this? I tried downloading the SRPM & extracting the contents then adjusting spec file with different suEXEC command line options. But I was unable to put the SRPM back together succesfully using the extracted contents but just with an adjusted spec file.

Could someone please clarify the steps involved in what I want todo.

knudfl 04-19-2009 12:46 PM

You can just install the 'src.rpm' with # rpm -Uvh <src.rpm>

And it will be "installed", packed out to /usr/src/...

Keep the new spec file in your /home and point to it with

# rpmbuild -bb httpd.spec , then that is the one, being used.
.....

Thom_Redhat 04-19-2009 03:46 PM

Hi,

Thanks for your help. :)

I'm struggling what to change my "with-suexec-userdir" directive to. It seems this directive needs tobe set to a universal folder name where the public html files need to reside but my setup doesn't have this. Can I set this to an all alias? My apache vhost system is setup as follows:

/websites/client1000/
"I then have a subfolder for each vhost domain this client has."
joebloggs.org/<website files here>
joebloggs.com/<website files here>

/websites/client1001/
"I then have a subfolder for each vhost domain this client has."
fred.org/<website files here>
fred.com/<website files here>

What do you recommend?

damanseb 04-21-2009 08:55 AM

"with-suexec-userdir" makes apache check the /home/directories for a folder called "public_html".
So users on the system can have their html pages served under their own username from http://localhost/~user/
This setup is more of a convenience to local users but is not as flexible as vhosts.

If you are running from vhosts the above mentioned parameters are not so relevant.

Example output:
# suexec -V
-D AP_DOC_ROOT="/var/www"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/httpd/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX="public_html"

For vhosts set AP_DOC_ROOT to "/websites/"

suexec checks if the vhost directory is underneith "AP_DOC_ROOT".
suexec checks if the vhost user/group matches ownership of the files in directory.
suexec checks if vhost user/group is not root or < 500/100

Thom_Redhat 04-27-2009 10:35 AM

Hi,

I'm only using this for VHOSTs and so userdirs are not required. So i've kept that as the default "public_html". Leaving it as the default does this cause any security issues or would it cause any issues for my customers in the future?

-D AP_DOC_ROOT="/websites"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/httpd/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=100
-D AP_USERDIR_SUFFIX="public_html"

All my VHOST clients will be configured with doc roots of:

/websties/$username/$domain_name etc.


All times are GMT -5. The time now is 02:12 AM.