# Apache2 suexec for user's cgi-bin directories

## DrWatson

I'm pretty new around here, so do excuse me if this question's already been answered by another (I did a search, but didn't turn up anything obvious).

Anyway, I had reason to set up apache2 with suexec operating in user's cgi-bin directories. If anyone else needs to do likewise, they may find the following two bits of information useful:

To enable suexec in apache, do the following:

In /etc/apache2/conf/apache2.conf, add the following line:

```
LoadModule suexec_module                 modules/mod_suexec.so
```

To enable suexec in user's cgi-bin directories, comment out the following line in /etc/apache2/conf/commonapache2.conf:

```
    ScriptAliasMatch ^/~([^/]*)/cgi-bin/(.*) /home/$1/public_html/cgi-bin/$2
```

(since that one is one of two ways that that config file matches for ~user/cgi-bin requests, but it's done as a ScriptAlias outside the apache docroot, so it doesn't seem to work right. There's another section for cgi-bin, though, so commenting out this makes it all work.)

There you go  :Mr. Green:  This may not work for everyone, but it's how I got mine to work - thought I'd drop this in a message, in case it helped anyone else.

----------

## ionos

Great, that's been of great help. Thanks a lot.

----------

## Dalrain

I know this thread is relatively ancient, but I too wish to express my gratitude for your posting this information.  I was so used to the old suexec as a separate sbin program that I never once thought to do this.  It was causing all kinds of problems upgrading for me, but now they're all moot.  Thanks again!  :Very Happy: 

----------

## gour

Hi!

I have some problems running cgi scripts from user directories  :Sad: 

 *DrWatson wrote:*   

> To enable suexec in apache, do the following:
> 
> In /etc/apache2/conf/apache2.conf, add the following line:
> ...

 

I did it.

 *Quote:*   

> To enable suexec in user's cgi-bin directories, comment out the following line in /etc/apache2/conf/commonapache2.conf:
> 
> ...

 

Did it too.

When I try to access:

```
http://localhost/
```

everything is fine. Here is the output from access_log:

```
127.0.0.1 - - [21/Oct/2003:20:38:17 +0200] "GET / HTTP/1.1" 200 1456 "-" "Mozilla/5.0 (compatible; Konqueror/3.1; Linux)"
127.0.0.1 - - [21/Oct/2003:20:38:18 +0200] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (compatible; Konqueror/3.1; Linux)"
```

Trying to access cgi-script: 

```
http://localhost/cgi-bin/darcs
```

also runs OK.

```
127.0.0.1 - - [21/Oct/2003:20:38:24 +0200] "GET /cgi-bin/darcs HTTP/1.1" 200 341 "-" "Mozilla/5.0 (compatible; Konqueror/3.1; Linux)"
```

However, when I try to access my page in ~/public_html/index.html, I get the following:

1. access.log 

```
127.0.0.1 - - [21/Oct/2003:20:38:46 +0200] "GET /~gour/ HTTP/1.1" 403 410 "-" "Mozilla/5.0 (compatible; Konqueror/3.1; Linux)"
```

2. error_log 

```
[Tue Oct 21 20:38:07 2003] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Tue Oct 21 20:38:07 2003] [notice] Digest: generating secret for digest authentication ...
[Tue Oct 21 20:38:07 2003] [notice] Digest: done
[Tue Oct 21 20:38:08 2003] [notice] Apache/2.0.47 (Gentoo/Linux) configured -- resuming normal operations
[Tue Oct 21 20:38:46 2003] [error] [client 127.0.0.1] (13)Permission denied: access to /~gour/ denied
```

What am I doing wrong?

I was not playing for some time with Apache (since 1.3.x), but as far as I remember, everything was workin' smoothly.

Here are suexec permissions:

```
-rws--x---    1 root     apache      10524 2003-10-21 19:20 suexec2
```

Server runs as apache/apache.

Any hint?

Sincerely,

Gour

----------

## garn

can the apache user access /home/gour and /home/gour/public_html ? it needs to

----------

## gour

 *garn wrote:*   

> can the apache user access /home/gour and /home/gour/public_html ? it needs to

 

Yes, there was a problem. I found a long thread on Apache's list - the problem was that my /home/gour was 700   :Embarassed: 

(forgot it's Gentoo default)

By putting it to 755, everything is fine. (I assume 755 is OK for localhost)

Thank you for reply.

Sincerely,

Gour

----------

## DerBien

 *Quote:*   

> By putting it to 755, everything is fine. (I assume 755 is OK for localhost) 

 

*HINT* Try 711, that way the files inside will stay executable while no one can surf the dir.

Cheers

alex

----------
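The 700 / 755 / 711 discussion above, as an added example that is not part of the original posts: a Python check of the "other" permission bits on every directory leading to a user's public_html, which is where the `(13)Permission denied` in the error_log comes from. It assumes the web server user is neither owner nor group member of those directories; the function names and the demo tree are constructed for illustration.

```python
import os
import stat
import tempfile

def classify(mode):
    """Verdict for a directory's 'other' permission bits."""
    if not mode & stat.S_IXOTH:
        return "blocked"        # e.g. 700: the server cannot traverse the directory
    if mode & stat.S_IROTH:
        return "listable"       # e.g. 755: traversable, and any local user can list it
    return "traverse-only"      # e.g. 711: traversable, but names cannot be listed

def check_chain(target):
    """Return [(path, octal_mode, verdict)] for every directory from / to target."""
    path = os.path.abspath(target)
    chain = []
    while True:
        chain.append(path)
        parent = os.path.dirname(path)
        if parent == path:      # reached the filesystem root
            break
        path = parent
    report = []
    for p in reversed(chain):
        mode = stat.S_IMODE(os.stat(p).st_mode)
        report.append((p, format(mode, "03o"), classify(mode)))
    return report

def demo():
    """Constructed tree standing in for /home/<user>/public_html."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home_user")
        web = os.path.join(home, "public_html")
        os.makedirs(web)
        os.chmod(web, 0o755)
        for mode in (0o700, 0o755, 0o711):
            os.chmod(home, mode)
            by_path = {p: verdict for p, _, verdict in check_chain(web)}
            verdicts[format(mode, "03o")] = by_path[home]
    return verdicts

if __name__ == "__main__":
    for mode, verdict in demo().items():
        print(mode, verdict)
```

On a real host, `check_chain("/home/gour/public_html")` reports the first `blocked` component, which is the directory to fix.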

## mmar

 *DrWatson wrote:*   

> thought I'd drop this in a message, in case it helped anyone else.

 

Thanks! This really helped a lot. Taking out the ScriptAliasMatch line was crucial.

----------

