我试图用suexec设置lighttpd,但是在testing时出了点问题:当我尝试通过suexec启动某个东西时,它给了我日志: [2017-10-08 00:23:24]: invalid command (/srv/http/main/htdocs/cgi-bin/test.py) suexec -V输出:
-D AP_DOC_ROOT="/srv/http" -D AP_GID_MIN=100 -D AP_HTTPD_USER="lighttpd" -D AP_LOG_EXEC="/var/log/lighttpd/suexec.log" -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin" -D AP_UID_MIN=100 -D AP_USERDIR_SUFFIX="public_html"
我用来启动程序的包装器:
#!/bin/bash filename="$1" user="$(/usr/bin/stat -c "%U" "$filename") group="$(/usr/bin/stat -c "%G" "$filename") cd "$(dirname "$filename")" /usr/local/bin/suexec "$user" "$group" "$filename"
权限没问题,没有stream氓写入位设置。 尝试从两个userdirs( /home/$USER/public_html )和从docroot。
似乎只有相对path是允许的; 错误信息来自这个块:
/* * Check for a leading '/' (absolute path) in the command to be executed, * or attempts to back up out of the current directory, * to protect against attacks. If any are * found, error out. Naughty naughty crackers. */ if ((cmd[0] == '/') || (!strncmp(cmd, "../", 3)) || (strstr(cmd, "/../") != NULL)) { log_err("invalid command (%s)\n", cmd); exit(104); }
(请参阅https://anonscm.debian.org/cgit/pkg-apache/apache2.git/tree/support/suexec.c?h=upstream/2.4.27#n350 )