"Perl/CGI SuExec-Workaround" permission denied

[knox]

Hi,

 

i am using froxlor 0.9.34-1 on debian jessie with apache 2.4 and suexec and i came across a little issue regarding the "Perl/CGI SuExec-Workaround":

AH00037: Symbolic link not allowed or link target not accessible: /var/customers/webs/web1/cgi-bin

after having a closer look arround i found the cause:

lrwxrwxrwx 1 root root 55 Nov 22 11:27 /var/customers/webs/web1/cgi-bin -> /var/www/cgi-bin/web1/7c80caaaa75a9aaaaf043edaaaacfaaa/

the symlink owner is root:root, but that is not allowed by the apache config which sets +SymLinksIfOwnerMatch:

<Directory "/var/customers/webs/web1/">
  Options -Indexes +ExecCGI -MultiViews +SymLinksIfOwnerMatch +FollowSymLinks
  AllowOverride None
  AddHandler cgi-script .cgi .pl
  Require all granted
</Directory>

as a temporary workarround i have changed the owner of the symlink to match the owner of the target so apache has nothing more to complain:

chown -h web1:web1 /var/customers/webs/web1/cgi-bin

i am not sure what is the better approach for a permanent fix, whether to add the chown to the suexec-workaround or to get rid of +SymLinksIfOwnerMatch. probably the latter is the worse.

[knox]

The cron task does not chown the created symlink correctly. I have created a pull request which fixes the issue.

[d00p]

the cgi-bin folder should be owned by the user, else he would not be able to put stuff in there using FTP or similar...need to check the cron if it does correctly chown

[knox]

in case of the "Perl/CGI SuExec-Workaround" the cgi-bin is a symlink. and indeed it has wrong permissions. do you have a hint for me where i should look for the piece of script that actually creates it? once i find the root cause for the wrong ownership i'm going to fix it and create a pull request.