Hi, > suexec2's docroot being set to /var/www means that it is not > possible to have cgi scripts that come from Debian packages (and > thus are located in /usr/lib/cgi-bin as required by Debian policy > and FHS) to be executed under suexec. > > Please consider compiling suexec2 with docroot=/ to remedy this, > and to solve #312252 as well.
Docroot=/ seems like a bad idea from a security point of view. Also, suexec requires the executed script and the directory containing the script to be owned by the target user (and this is an important part of the security model to protect from local vulnerabilities). Since /usr/lib/cgi-bin/* is owned by root, allowing this directory in the docroot does not give you that much. You would also have to use dpkg-statoverride. But if you do that, you can also use dpkg-divert to move the cgi from /usr/lib/cgi-bin to /var/www and have no problems. Cheers, Stefan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
