Preparing for Installation [2]
2.3.1 suEXEC
suEXEC is one option to consider for Stand-alone mode. If you are concerned
about the possibility of someone abusing your Apache installation via the
CrayDoc system and you are installing CrayDoc in Stand-alone mode, you may
want to consider compiling Apache with the suEXEC option. This option allows
CGI commands to run under a different user ID than the user ID of the calling
Apache web server. You can read the Apache documentation on the suEXEC
option at http://httpd.apache.org/docs/suexec.html.
Here is an example configure command line that compiles in suEXEC support
on a Red Hat Linux system:
prompt> ./configure --with-layout=RedHat --enable-suexec --suexec-uidmin=100 \
        --suexec-gidmin=100 --suexec-docroot="/home/httpd/html" --suexec-caller=www
Caution: Be certain that the --suexec-caller value equals the User
directive value in your Apache httpd.conf file.
CrayDoc relies on file system permissions for its security, so if you have set up
CrayDoc according to the Stand-alone instructions in Section 3.1, page 12, you
probably do not need to compile the suEXEC option. However, if you do compile
the suEXEC option into Apache, your CrayDoc permissions will need to be set
accordingly. See Section 2.3.2, page 9 for more information.
2.3.2 Understanding permissions
You should only give as much permission as is absolutely necessary for CGI
scripts to be executed and for HTML and PDF files to be read. This means that
you should know, first of all, which user and group IDs (UID and GID) your CGI
scripts execute with when they are called by the Apache server.
The executing UID or GID must have permission to execute your CrayDoc CGI
scripts and read your CrayDoc library files. In a Stand-alone installation, this
means you can set permissions on your CrayDoc files very tightly (for example,
500 if the file is owned by the executing UID).
In a Shared installation, file permissions must be set so that the executing UID
has executable permissions to the CrayDoc scripts in $ScriptAlias, read
permissions to all the .db and .dmp files in $ScriptAlias, and read permissions to
all the documents in $library and $manlibrary. For more details on the $ScriptAlias,
$manlibrary and $library variables, see Section 4.2.2, page 18.
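The following check for the Stand-alone case is an added example, not part of the CrayDoc distribution: it lists every regular file under a directory that is not owned by the executing UID or that carries any permission bit beyond 500. The function name audit_standalone and its two arguments are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit a Stand-alone CrayDoc tree against the "500, owned by
# the executing UID" guidance. audit_standalone is a hypothetical helper name.
#
# audit_standalone DIR OWNER
#   DIR    directory holding the CrayDoc scripts and data files
#   OWNER  user name or numeric UID that the CGI scripts execute as
# Prints each regular file that is not owned by OWNER or that has owner-write
# or any group/other permission bit set. Returns 0 if nothing is found, else 1.
audit_standalone() {
    dir=$1
    owner=$2
    # -perm -MODE matches when every bit in MODE is set, so each single bit
    # outside 0500 is tested on its own (portable to POSIX find).
    findings=$(find "$dir" -type f \( \
        ! -user "$owner" \
        -o -perm -0200 \
        -o -perm -0040 -o -perm -0020 -o -perm -0010 \
        -o -perm -0004 -o -perm -0002 -o -perm -0001 \
        \) -print)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Command-line use: sh audit.sh DIR OWNER
if [ "$#" -eq 2 ]; then
    audit_standalone "$1" "$2"
    exit $?
fi
```

A Shared installation needs broader permissions than this check allows, so it applies only to the Stand-alone layout.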
S234021 9