Thursday, October 05, 2006

How to modify the Apache httpd suexec docroot

What if you don't want all of your web documents to be located in /var/www? That isn't much of a problem with Apache. Just point the DocumentRoot setting at another directory.

But what if you also want CGI scripts to be located somewhere else? This poses a problem. The CGI wrapper (suexec) that comes with the FC5 httpd RPM is configured to only allow CGI scripts in /var/www. To fix this, it is necessary to rebuild the httpd RPM from source after making a couple of changes.

To get started, you should be logged into your system via SSH and sitting in your home directory. Do not be logged in as root at this time. Your account needs to be set up to build RPMs from source. Do the following:

% echo "%_topdir $HOME/src/rpm" >> ~/.rpmmacros
% mkdir -p ~/src/rpm/
% cd ~/src/rpm
% mkdir BUILD RPMS RPMS/i386 SOURCES SPECS SRPMS

Now, you need to download the latest httpd source RPM (SRPM) from Fedora. For me, I'm using Fedora Core 5 and there have been some updates to the httpd RPM since FC5 came out. So I'll use the latest SRPM version from the Download/Updates section of the site:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/SRPMS/

The latest version at the time of this writing was httpd-2.2.2-1.2.src.rpm. Use wget at the command line to download this file and then install it:

% cd ~
% wget http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/SRPMS/httpd-2.2.2-1.2.src.rpm
% rpm -ivh ~/httpd-2.2.2-1.2.src.rpm

This will put the source tarball and patches in ~/src/rpm/SOURCES and a specfile (instructions for building) in ~/src/rpm/SPECS. You now need to edit the specfile to set a custom release number, alter the suexec docroot, and add a comment to the changelog:

% vi ~/src/rpm/SPECS/httpd.spec

Change line 10 from:
Release: 1.2

To:
Release: 1.3

Change line 194 from:
--with-suexec-docroot=%{contentdir}

To:
--with-suexec-docroot=/home

Change line 484 to:
%changelog
* Thu Oct 05 2006 Your Name <you@yours> 2.2.2-1.3
- Rebuilt with suexec-docroot set to /home instead of %{contentdir}

Next, you will rebuild httpd, creating both a binary RPM and a source SRPM:

% rpmbuild -ba ~/src/rpm/SPECS/httpd.spec

You may have to install some additional packages to satisfy build dependencies here. You'll need to be root to do this or use sudo. Using yum for this is easiest. When the build is done, you'll have binary packages in ~/src/rpm/RPMS/i386/, and a new source package with your modified specfile in ~/src/rpm/SRPMS/.

You can now either upgrade to the httpd packages you just compiled, or replace only the suexec binary. To upgrade, do the following. Make sure to include httpd-devel if you are going to build custom Apache modules such as Tomcat mod_jk or Caucho mod_caucho. You will need /usr/sbin/apxs, which is included in it.

% cd ~/src/rpm/RPMS/i386
% sudo rpm -Fvh httpd-2.2.2-1.3.i386.rpm httpd-manual-2.2.2-1.3.i386.rpm httpd-devel-2.2.2-1.3.i386.rpm mod_ssl-2.2.2-1.3.i386.rpm

OR simply extract the suexec binary and copy it over the original one (this may work if there are no updates to mod_ssl in the newer RPMs you have installed):

% rpm2cpio ~/src/rpm/RPMS/i386/httpd-2.2.2-1.3.i386.rpm | cpio -imVd ./usr/sbin/suexec
% sudo cp -p /usr/sbin/suexec /usr/sbin/suexec.orig
% sudo cp ./usr/sbin/suexec /usr/sbin/suexec
% sudo chown root:apache /usr/sbin/suexec
% sudo chmod 4510 /usr/sbin/suexec

Lastly, you need to make sure the permissions are set correctly on the directory that holds the CGI scripts. The directory cannot be writable by anyone but its owner. This means it should be set to 744.
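
The checks this setup depends on, as an added example that is not part of the original post: the functions below read the compiled-in docroot from `suexec -V` output and test a CGI directory and script against suexec's rules (inside the docroot, not writable by group or other, script not setuid/setgid). The function names are hypothetical, and `stat -c` assumes GNU coreutils.

```bash
#!/bin/bash
# Added example, not from the original post: pre-flight checks for a rebuilt suexec.
# Function names are hypothetical; the tests mirror suexec's documented rules.

# Print the compiled-in docroot from `suexec -V` output supplied on stdin.
# On a real host: sudo /usr/sbin/suexec -V 2>&1 | suexec_docroot
suexec_docroot() {
    sed -n 's/^ *-D AP_DOC_ROOT="\(.*\)"$/\1/p'
}

# check_cgi_dir DOCROOT DIR
# Returns 0 if DIR resolves inside DOCROOT and is not writable by group or other,
# 1 if a rule is violated, 2 if a path cannot be resolved.
check_cgi_dir() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    dir=$(cd "$2" 2>/dev/null && pwd -P) || return 2   # resolves symlinks and ".."
    case "$dir/" in
        "${docroot%/}"/*) ;;
        *) echo "FAIL: $dir is outside suexec docroot $docroot"; return 1 ;;
    esac
    mode=$(stat -c %a "$dir")                # GNU stat, octal mode such as 755
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir (mode $mode) is writable by group or other"; return 1
    fi
    echo "OK: $dir"
}

# check_cgi_script FILE
# Returns 0 if FILE is a regular file, not setuid/setgid, not group/other writable.
check_cgi_script() {
    [ -f "$1" ] || { echo "FAIL: $1 is not a regular file"; return 2; }
    mode=$(stat -c %a "$1")
    if [ $(( 0$mode & 06022 )) -ne 0 ]; then
        echo "FAIL: $1 (mode $mode) is setuid/setgid or writable by group or other"
        return 1
    fi
    echo "OK: $1"
}
```

A failure reported here should correspond to an entry in /var/log/httpd/suexec.log when the same script is requested through the web server.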

If you run into errors, check:
/var/log/httpd/error_log
/var/log/httpd/suexec.log
