Running Apache 2.4.10 on Arch Linux.
I'm trying to restrict an SFTP user to only be able to access his home directory, a public folder under a vhost directory, without being able to access that vhost directory. Right now when I log in as the user, I can still traverse up the directory tree and poke around the entire filesystem. Here are the current permissions:
drwxr-xr-- 6 vhostname vhostname 4096 Apr 23 19:17 .
drwxrwxr-x 25 root root 4096 Apr 23 18:43 ..
-rw-r--r-- 1 vhostname vhostname 21 Apr 23 18:43 .bash_logout
-rw-r--r-- 1 vhostname vhostname 57 Apr 23 18:43 .bash_profile
-rw-r--r-- 1 vhostname vhostname 141 Apr 23 18:43 .bashrc
drwx--x--x 2 vhostname vhostname 4096 Apr 23 18:43 fcgi-bin
drwx--x--x 3 vhostname vhostname 4096 Apr 23 18:43 logs
drwx--x--x 2 vhostname vhostname 4096 Apr 23 18:43 private
drwx--x--x 7 user user 4096 Apr 23 19:25 public
If I do chmod o-x . then I get a 403. It seems like Apache needs the execute permission in order to serve the site. And yet suEXEC is running the site as vhostname:vhostname, so why should a missing permission for outside users/groups matter?
Vhost config:
<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot "/srv/www/vhostname/public/"
    ServerName vhostname.com
    ServerAlias *.vhostname.com
    SuexecUserGroup vhostname vhostname
    ErrorLog "/srv/www/vhostname/logs/error.log"
    LogLevel debug
    CustomLog "/srv/www/vhostname/logs/access.log" combined

    <Directory /srv/www/vhostname/public>
        AllowOverride All
        Options Indexes FollowSymLinks MultiViews
        Require all granted
    </Directory>

    # http://www.linode.com/forums/viewtopic.php?t=2982
    <IfModule !mod_php5.c>
    <IfModule !mod_php5_filter.c>
    <IfModule !mod_php5_hooks.c>
    <IfModule mod_actions.c>
    <IfModule mod_alias.c>
    <IfModule mod_mime.c>
    <IfModule mod_fcgid.c>
        AddHandler php-fcgi .php
        Action php-fcgi /fcgi-bin/php-fcgid-wrapper
        Alias /fcgi-bin/ /srv/www/vhostname/fcgi-bin/
        <Location /fcgi-bin/>
            SetHandler fcgid-script
            Options +ExecCGI
            Require all granted
        </Location>
        RewriteEngine On
        RewriteRule ^/fcgi-bin/[^/]*$ / [L,PT]
    </IfModule>
    </IfModule>
    </IfModule>
    </IfModule>
    </IfModule>
    </IfModule>
    </IfModule>
</VirtualHost>
The script is executed as the user, but as though the script were setuid with the suexec user. The apache user would still need to be able to reach the script, which means execute permissions on all the directories leading to it.