![]() |
||||||||
![]() |
||||||||
![]() |
![]() |
![]() |
![]() |
![]() |
||||
![]() |
||||||||
Products | Support | Download | Contact | |||||
![]() |
Contents | Index | About the Icons
The ScriptServer® PAN Printing System (PAN) product is tested and targeted to be installed on top of the Apache web server (version 1.3), although it should theoretically work on top of any web server supporting executable CGIs. Even within the limited scope of Apache, however, there are enough configuration variances that certain points deserve particular mention.
Most of the information in this Technical Memo is expounded on in greater detail in the System-Specific Installation Guide, which we strongly recommend you read when installing the product.
Although it is possible to install PAN on top of Apache in such a way as to create a "print server appliance", the installer (and the documentation) are targeted towards new installations and situations where PAN will not be the only application running on the server. As such, and with consideration of a number of options, it was decided that the best thing to do was make PAN install in a user account so that nothing is modified elsewhere on the server (libraries, etc.) except for perhaps a few Apache settings, as discussed below.
This memo is intended to highlight areas where problems with configuration frequently occur, with the disclaimer that cavalierly presuming that it describes the correct thing to do in any particular circumstance could have the opposite effect. Different operating systems and operating system distributions are configured differently; read the appropriate Installation Guide, and take the time to determine exactly how your system is configured before making changes, as making changes to "see if it helps" is definitely not a good idea. If you have questions or are unsure of exactly what the existing state of your configuration is, please call us before making any changes.
We have another technical memo which describes a technique for validating the considerations discussed in this memo.
UserDir
and ExecCGI
A key requirement for being able to make PAN run as a user named pan
is that the user:
The Apache UserDir
directive is used to specify the name of the
directory which will be recognized as the users web folder; ExecCGI
is used to allow users to execute CGI scripts from their web folders. The following
configuration lines (placed in the Apache configuration file, usually found
as /etc/httpd/httpd.conf
) enable user web folders named web
and give the pan
user permission to execute CGIs from its web folder:
<ifmodule mod_userdir.c> UserDir web </ifmodule> <directory "/home/pan/web/cgi-bin"> Options ExecCGI SetHandler cgi-script </directory>
Appropriate file permissions also need to be established, of course. Also,
the location of the user account may not be /home/pan
, and the
user web folder may not be web
either (public_html
is also common).
suexec
and suid
Some conflicts have been noted between Apache's suexec
feature
and the suid
bit on files. Both of these address similar issues:
suexec
causes the web server process to run as the user who owns
the CGI, and suid
causes a program to run as the user who owns
the program. (They sound similar because they are!)
The problem which has been noted is that when suexec
is enabled
(recommended) and suid
is set on the CGI program files,
Apache will not allow the CGIs to run. This is documented behavior for suexec
:
suexec
suexec
at LinuxPlanet (pay special attention
to the "Danger Will Robinson!" section)In a nutshell, you will find:
"Premature end of script headers" in the Apache error log:
[Wed Aug 21 14:11:54 2002] [error] [client 192.168.79.150] Premature end of script headers: /home/pan/web/cgi-bin/status.cgi
"file is either setuid or setgid" in the suexec log:
[2002-08-21 14:11:54]: error: file is either setuid or setgid: (/home/pan/web/cgi-bin/status.cgi)
The "s" bit is turned on or off with chmod
:
chmod a+s *cgi
to turn it on, and
chmod a-s *cgi
to turn it off. (Be sure you're in the <pan-UserDir>/cgi-bin
directory when you do this)
The one file which is of particular importance is start.cgi
, which
starts the PAN daemons.
start.cgi
is installed with setuid
turnned off. Turn
it on if your server is not running suexec
.
start.cgi
is installed with setuid
turned on. Turn
it off if your server is running suexec
.
start.cgi
(without suid
)
calls starter.cgi
(with suid
) which works most of the time.
Resist the impulse to make the actual pan/web/cgi-bin
directory
readonly, especially during and immediately after installation; just don't do
it. The configuration process modifies the binaries; if you don't let it do
that, strange things will happen and we will probably have a very hard time
understanding exactly why from the various and sundry symptoms which will manifest
as a result. Your installation will basically be broken; although it's possible
to fix it, it's a whole lot easier for us to tell you to reinstall.. especially
when we know that this is a new install which doesn't work.
© 2020 GrayMatter Software Corporation | ![]() |
Privacy policy | ![]() |
Terms of use |