ubuntu-s390x team mailing list archive

Apache virtual hosts and SuExecUserGroup

 

Hi,

We need an audit trail for Web and RESTful-enabled operations through Apache.  It would seem using virtual hosts and suexec to run each host as a privileged admin will address the requirement. The virtual cgi-bin/ directory is wide open, but the cgi-bin/ops/ directory, where operation scripts are stored, is password-challenged.

I use a script to generate the config file to create a virtual host:

# cat /etc/apache2/sites-enabled/macisaam.conf
Listen 4506
<VirtualHost cdlengubu05.es.ad.adp.com:4506>
  ServerName cdlengubu05.es.ad.adp.com
  DocumentRoot /srv/www/htdocs
  ErrorLog /var/log/apache2/macisaam-error_log
  CustomLog /var/log/apache2/macisaam-access_log combined
  HostnameLookups Off
  UseCanonicalName Off
  ServerSignature On
  SuExecUserGroup macisaam vmlinux
  ScriptAlias /cgi-bin/ /srv/www/vhosts/macisaam/cgi-bin/
  <Directory /srv/www/vhosts/macisaam/cgi-bin>
    AllowOverride None
    Options +ExecCGI -Includes
    Require all granted
  </Directory>
  ScriptAlias /cgi-bin/ops/ /srv/www/vhosts/macisaam/cgi-bin/ops/
  <Directory /srv/www/vhosts/macisaam/cgi-bin/ops>
    AllowOverride None
    Options +ExecCGI -Includes
    AuthType Basic
    AuthName "zoom server operations"
    AuthUserFile /srv/www/cgi-bin/zoompasswd
    Require valid-user
  </Directory>
</VirtualHost>

With the suexec installed, Apache comes up and is listening on port 4506, in this example. I can go to htdocs and get the default index.html file. But if I go to either cgi-bin/ or cgi-bin/ops/ I get a 404.

# ls -latr
total 24
drwxr-xr-x 8 root syslog 4096 May 20 07:26 ../
-rw-r----- 1 root adm    1303 May 20 11:36 access.log
-rw-r--r-- 1 root root      0 May 20 11:52 macisaam-error_log
-rw-r--r-- 1 root root      0 May 20 11:52 macisaam-access_log
drwxr-x--- 2 root adm    4096 May 20 11:54 ./
-rw-r----- 1 root adm    4518 May 20 11:54 error.log
-rw-r--r-- 1 root root    191 May 20 11:55 other_vhosts_access.log
# cat other_vhosts_access.log
cdlengubu05.es.ad.adp.com:80 29.0.214.104 - - [20/May/2016:11:55:20 -0400] "GET /cgi-bin/zoom HTTP/1.1" 404 520 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"

What's curious is that the output is going to other_vhosts_access.log like it is not associating the request on port 4506 with the "macisaam" virtual host.

I run the same code to generate a virtual host on SLES 12 SP1, restart Apache, and cgi-bin/ scripts work fine.

Any help will be appreciated. Thanks.

    -Mike MacIsaac, z/VM and z/Linux engineering, 862-308-5089 (cell)

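The log entry quoted in the message begins with a `host:port` field. As an added example (not part of the original post), the script below reads entries in that layout and marks each request by whether it was recorded against the expected port, along with the authenticated user an audit trail would rely on. It assumes the stock Debian/Ubuntu `vhost_combined` log format; `check_vhost_log` and `sample_log` are hypothetical names, and the second sample line is constructed.

```shell
#!/bin/sh
# Added example: flag access-log entries that were not recorded on the
# expected vhost port. Assumes the Debian/Ubuntu "vhost_combined" layout,
# whose first field is "%v:%p" (server name, then port) and whose fourth
# field is %u, the authenticated user ("-" when no auth took place).

# check_vhost_log EXPECTED_PORT < logfile
# Prints one line per request: MATCH or OTHER, vhost:port, user, status, path.
check_vhost_log() {
    awk -v want="$1" '
    {
        n = split($1, hp, ":")          # $1 is "servername:port"
        port = hp[n]
        user = $4                       # %u
        # The request line is the first double-quoted string.
        split($0, q, "\"")
        split(q[2], req, " ")           # method, path, protocol
        # Status is the first field after the closing quote of the request.
        split(q[3], tail, " ")
        verdict = (port == want) ? "MATCH" : "OTHER"
        printf "%s %s user=%s status=%s %s\n", verdict, $1, user, tail[1], req[2]
    }'
}

# Constructed sample input: the first line is the entry quoted in the post,
# the second is made up to show what a request on port 4506 would look like.
sample_log() {
    cat <<'EOF'
cdlengubu05.es.ad.adp.com:80 29.0.214.104 - - [20/May/2016:11:55:20 -0400] "GET /cgi-bin/zoom HTTP/1.1" 404 520 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
cdlengubu05.es.ad.adp.com:4506 192.0.2.10 - opsuser [20/May/2016:12:01:02 -0400] "GET /cgi-bin/ops/status HTTP/1.1" 200 312 "-" "curl/7.47.0"
EOF
}

sample_log | check_vhost_log 4506
```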