#1
Apache Vhosts and suEXEC
I'm running apache 1.3.20 and have tried configuring suEXEC for my virtual hosts.
My compile options for suEXEC are:

    --enable-suexec \
    --suexec-caller=apache \
    --suexec-userdir=webroot \
    --suexec-docroot=/usr/local/www/ \
    --suexec-logfile=/usr/local/www/logs/suexec_log.txt \
    --suexec-uidmin=99 \
    --suexec-gidmin=99 \
    --suexec-safepath="/usr/local/bin:/usr/bin:/bin"

The default host is in /usr/local/www/webroot/, and cgi works fine there. Now, I add a virtualhost to apache config file, and he is a real unix user with the name jim, with his home directory in /home/jim.

    (Virtualhost *)
    User jim
    Group jim
    DocumentRoot /home/jim/webroot
    ServerName jim (just for the post)
    ServerAdmin jim
    ErrorLog /home/jim/logs/error_log.txt
    TransferLog /home/jim/logs/access_log.txt
    (Directory /home/jim)
    Options ExecCGI Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
    (/Directory)
    (/Virtualhost)

That should work, shouldn't it? I have --suexec-userdir=webroot, which means that it is safe to execute CGIs in the user's ~/webroot/, correct? It doesn't though, I get an error, check the suexec log and it gives me:

    [2001-07-18 22:58:35]: error: command not in docroot (/home/jim/webroot/test.cgi)
    [2001-07-18 23:02:10]: info: (target/actual) uid: (jim/jim) gid: (jim/jim) cmd: test.cgi

Why is it looking at the suexec-docroot, shouldn't it be checking userdir? I have to be overlooking something simple, any help would be greatly appreciated.
#2
>> have tried configuring suEXEC for my virtual hosts
It's very bad and insecure if you enable suEXEC for just your vhosts and not your default server.

>> I have --suexec-userdir=webroot which means that it is safe to execute CGI's in the user's ~/webroot/ correct?
Yes with the appropriate permission. However, userdir mechanism is built in (so long as you specified which name to use during compilation), you don't need to specify which User or Group at all. That said, you don't need to put within <VirtualHost>.

>> Why is it looking at the suexec-docroot, shouldn't it be checking userdir?
Because it sees DocumentRoot, so it isn't aware it was for a userdir environment.

Note, in suEXEC environment for userdir, the suexec wrapper will handle the job of determining the user and group based on the file owner and group as well as the directory. In addition, it will look up the /etc/passwd file to determine whether the $HOME for jim is really /home/jim, then append the subdir webroot under jim's $HOME to match against.
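The directory check described in the reply above, as a simplified model in C (an added example, not part of the thread and not Apache's own suexec.c). It assumes the wrapper treats a target user name with a leading ~ as a UserDir request, which is how Apache's suexec distinguishes the two modes; allowed_root, cgi_dir_allowed and the home argument (a stand-in for the /etc/passwd lookup) are names invented for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Compile-time values taken from the configure options in the first post. */
#define DOC_ROOT       "/usr/local/www/"
#define USERDIR_SUFFIX "webroot"

/* Build the directory the CGI's location is compared against.
 * Assumption: a '~' prefix marks a UserDir request; a vhost User
 * directive passes the bare name, so the check falls back to DOC_ROOT.
 * `home` stands in for the pw_dir field read from /etc/passwd. */
static void allowed_root(const char *target_user, const char *home,
                         char *out, size_t outlen)
{
    if (target_user[0] == '~')
        snprintf(out, outlen, "%s/%s", home, USERDIR_SUFFIX);
    else
        snprintf(out, outlen, "%s", DOC_ROOT);
    size_t n = strlen(out);
    while (n > 1 && out[n - 1] == '/')      /* normalise trailing slashes */
        out[--n] = '\0';
}

/* Returns 1 if cgi_dir is the allowed root or lies below it, else 0
 * (the case logged as "command not in docroot"). */
int cgi_dir_allowed(const char *target_user, const char *home,
                    const char *cgi_dir)
{
    char root[4096];
    allowed_root(target_user, home, root, sizeof root);
    size_t n = strlen(root);
    if (strncmp(cgi_dir, root, n) != 0)
        return 0;
    /* This model also requires a path-component boundary after the prefix. */
    return n == 1 || cgi_dir[n] == '\0' || cgi_dir[n] == '/';
}

int main(void)
{
    /* Constructed cases using the paths from the thread; "siteuser" is hypothetical. */
    printf("vhost User jim : %d\n", cgi_dir_allowed("jim", "/home/jim", "/home/jim/webroot"));
    printf("userdir ~jim   : %d\n", cgi_dir_allowed("~jim", "/home/jim", "/home/jim/webroot"));
    printf("default host   : %d\n", cgi_dir_allowed("siteuser", "/home/siteuser", "/usr/local/www/webroot"));
    printf("moved $HOME    : %d\n", cgi_dir_allowed("~jim", "/opt/web/jim", "/opt/web/jim/webroot"));
    return 0;
}
```

The first case reproduces the logged failure: with a bare user name the comparison root is /usr/local/www, so /home/jim/webroot is rejected even though it matches the userdir suffix.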
#3
It worked!
I dropped the User and Group in my vhosts and it works fine now.
THANKS, so then what would be the purpose of using User and Group in my vhost specifications? - Thanks
#4
>> so then what would be the purpose of using User and Group in my vhost specifications?
First of all, userdir is just too dynamic. You can have Apache running while adding a new user; with the appropriate permission, this new user is ready to test CGI scripts without restarting Apache. As you can tell from this, there is no need to specify which user+group the new user belongs to. Say you have 1 million users, it just doesn't make sense to put all the user+group for each userdir.

As I mentioned previously, for userdir environment, suEXEC wrapper will look up /etc/passwd when it's told. Say you changed jim's $HOME to /opt/web/jim, then /opt/web/jim/webroot will still work under suEXEC environment. That is, without restarting Apache. However, the <Directory /opt/web/*/webroot> should be added.

For vhost, the user+pass must exist before starting Apache because Apache will look up /etc/passwd and check for the existence of the user+group. In this case, Apache doesn't look for the $HOME directory for the user. In fact, this user isn't required to have a $HOME directory at all.