[BlueOnyx:21143] Re: Perl script executing as apache instead of user

Michael Stauber mstauber at blueonyx.it
Mon Jun 26 12:44:07 -05 2017


Hi Chris,

> I'm no Perl expert.  Is there something we should be looking at that
> would have this script (in his web/cgi-bin directory) execute as the
> vsite user rather than Apache?

There is no easy answer to this other than: At this time on 5209R we
have no way of executing Perl scripts under other UID/GIDs than "apache".

On Apache 2.0 (5106R) and Apache 2.2 (5x07R/5x08R) we use CGIWrap in
order to run Perl scripts with the UID/GID of the Vsite. Until now I
have been unable to get CGIWrap (even the latest 4.1) running on 5209R.

Well, there is also "SUEXEC", a method for exactly this which is built
into Apache 2.4. According to the Apache docs something like this
inside a VirtualHost container should suffice:

SuexecUserGroup s1_admin site1

But it doesn't, even if SUEXEC is on - which it is by default:

[root@5209r web]# grep suexec /var/log/httpd/error_log
[Mon Jun 26 11:53:46.584880 2017] [suexec:notice] [pid 22883] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

We just get a generic error message then for *any* Perl script, even if
it worked before w/o SuexecUserGroup defined:

[cgi:error] [pid 29815] [client XXXX:45100] End of script output before
headers: test.pl

The reason being this:

[root@5209r web]# suexec -V
 -D AP_DOC_ROOT="/var/www"  <--- This one!
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_SYSLOG
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"

The "suexec" binary on CentOS 7 has been compiled with a hard-coded
Apache DocumentRoot of /var/www/ and our Perl scripts reside with the
rest of the Vsites under /home/sites instead.

Hence we're not allowed to use anything "suexec" related. And "suexec"
is part of the "httpd" RPM, so this would mean recompiling Apache and
providing it out of the BlueOnyx YUM repos.

Where to go from here?
=======================

apache2-suexec-custom: Debian and Ubuntu have the same problem and solve
this by providing an alternative suexec mechanism called
"apache2-suexec-custom". I haven't yet been able to port this to CentOS
7 and am still looking into it.

CGIWrap: I haven't given up on this yet, but as of now I haven't yet
managed to get it working.

-- 
With best regards

Michael Stauber
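
Added example, not part of the original message and not BlueOnyx code: a pre-flight check that reads the compiled-in limits from `suexec -V` output and reports why a CGI directory and target UID/GID would be refused, before SuexecUserGroup is switched on. The function names, the Vsite path below /home/sites and the UID/GID values are constructed for illustration, and the prefix test is a simplification of suexec's own docroot check, which works on the resolved working directory.

```shell
#!/bin/sh
# Constructed sample: the `suexec -V` output quoted in the message above.
# On a live host (as root) capture it with: out=$(suexec -V 2>&1)
SAMPLE_SUEXEC_V=' -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_SYSLOG
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"'

# suexec_setting NAME OUTPUT: print the value of one -D setting, unquoted.
suexec_setting() {
    printf '%s\n' "$2" | sed -n "s/^ *-D $1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p"
}

# path_under_docroot DIR DOCROOT: succeed only if DIR is DOCROOT or below it.
# The trailing slashes stop /var/www2 from matching /var/www.
path_under_docroot() {
    case "$1/" in
        "${2%/}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_suexec_target DIR UID GID OUTPUT
# Prints one line per limit that would make suexec refuse; returns 0 if none.
check_suexec_target() {
    docroot=$(suexec_setting AP_DOC_ROOT "$4")
    uid_min=$(suexec_setting AP_UID_MIN "$4")
    gid_min=$(suexec_setting AP_GID_MIN "$4")
    rc=0
    path_under_docroot "$1" "$docroot" ||
        { echo "docroot: $1 is outside $docroot"; rc=1; }
    [ "$2" -ge "$uid_min" ] ||
        { echo "uid: $2 is below AP_UID_MIN=$uid_min"; rc=1; }
    [ "$3" -ge "$gid_min" ] ||
        { echo "gid: $3 is below AP_GID_MIN=$gid_min"; rc=1; }
    return $rc
}

# Constructed Vsite directory and IDs; reports the docroot mismatch.
check_suexec_target /home/sites/www.example.com/web/cgi-bin 1001 1001 \
    "$SAMPLE_SUEXEC_V" || true
```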


