Products		Support		Download		Contact

APACHE CONSIDERATIONS WHEN INSTALLING SCRIPTSERVER® PAN PRINTING SYSTEM

Contents | Index | About the Icons

Abstract

The ScriptServer® PAN Printing System (PAN) product is tested and targeted to be installed on top of the Apache web server (version 1.3), although it should theoretically work on top of any web server supporting executable CGIs. Even within the limited scope of Apache, however, there are enough configuration variances that certain points deserve particular mention.

Most of the information in this Technical Memo is expounded on in greater detail in the System-Specific Installation Guide, which we strongly recommend you read when installing the product.

Although it is possible to install PAN on top of Apache in such a way as to create a "print server appliance", the installer (and the documentation) are targeted towards new installations and situations where PAN will not be the only application running on the server. As such, and with consideration of a number of options, it was decided that the best thing to do was make PAN install in a user account so that nothing is modified elsewhere on the server (libraries, etc.) except for perhaps a few Apache settings, as discussed below.

This memo is intended to highlight areas where problems with configuration frequently occur, with the disclaimer that cavalierly presuming that it describes the correct thing to do in any particular circumstance could have the opposite effect. Different operating systems and operating system distributions are configured differently; read the appropriate Installation Guide, and take the time to determine exactly how your system is configured before making changes, as making changes to "see if it helps" is definitely not a good idea. If you have questions or are unsure of exactly what the existing state of your configuration is, please call us before making any changes.

We have another technical memo which describes a technique for validating the considerations discussed in this memo.

UserDir and ExecCGI

A key requirement for being able to make PAN run as a user named pan is that the user:

• have a web directory; and
• be able to execute CGIs from within this directory.

The Apache UserDir directive is used to specify the name of the directory which will be recognized as the users web folder; ExecCGI is used to allow users to execute CGI scripts from their web folders. The following configuration lines (placed in the Apache configuration file, usually found as /etc/httpd/httpd.conf) enable user web folders named web and give the pan user permission to execute CGIs from its web folder:

      <ifmodule mod_userdir.c>
          UserDir web
      </ifmodule>

      <directory "/home/pan/web/cgi-bin">
            Options ExecCGI
            SetHandler cgi-script
      </directory>

Appropriate file permissions also need to be established, of course. Also, the location of the user account may not be /home/pan, and the user web folder may not be web either (public_html is also common).

suexec and suid

Some conflicts have been noted between Apache's suexec feature and the suid bit on files. Both of these address similar issues: suexec causes the web server process to run as the user who owns the CGI, and suid causes a program to run as the user who owns the program. (They sound similar because they are!)

The problem which has been noted is that when suexec is enabled (recommended) and suid is set on the CGI program files, Apache will not allow the CGIs to run. This is documented behavior for suexec:

• the Apache.Org documentation on suexec
• a tutorial on suexec at LinuxPlanet (pay special attention to the "Danger Will Robinson!" section)

In a nutshell, you will find:

"Premature end of script headers" in the Apache error log:

[Wed Aug 21 14:11:54 2002] [error] [client 192.168.79.150] Premature end of script headers: /home/pan/web/cgi-bin/status.cgi

"file is either setuid or setgid" in the suexec log:

[2002-08-21 14:11:54]: error: file is either setuid or setgid: (/home/pan/web/cgi-bin/status.cgi)

The "s" bit is turned on or off with chmod:

chmod a+s *cgi

to turn it on, and

chmod a-s *cgi

to turn it off. (Be sure you're in the <pan-UserDir>/cgi-bin directory when you do this)

The one file which is of particular importance is start.cgi, which starts the PAN daemons.

versions prior to 1.2.3

start.cgi is installed with setuid turnned off. Turn it on if your server is not running suexec.

version 1.2.3

start.cgi is installed with setuid turned on. Turn it off if your server is running suexec.

later versions

start.cgi (without suid) calls starter.cgi (with suid) which works most of the time.

Writeability of the CGI directory

Resist the impulse to make the actual pan/web/cgi-bin directory readonly, especially during and immediately after installation; just don't do it. The configuration process modifies the binaries; if you don't let it do that, strange things will happen and we will probably have a very hard time understanding exactly why from the various and sundry symptoms which will manifest as a result. Your installation will basically be broken; although it's possible to fix it, it's a whole lot easier for us to tell you to reinstall.. especially when we know that this is a new install which doesn't work.

© 2020 GrayMatter Software Corporation

Privacy policy

Terms of use