Just thought I would record a note here wrt something I figured out, in case (1) somebody else wants to do the same thing, or (2) heck, I might forget and need reminding.
My goal: I want to have more than one unix user ID running CGI scripts within the same virtual host. In particular, within the same virtual host with a unique IP, allowing it to use an SSL cert - i.e. two different unix user IDs, same SSL cert.
Standard Dreamhost does not allow this. Suexec allows only one unix user ID per virtual host / subdomain. Dreamhost does not allow setuid on the NFS filesystems of normal shared hosting. Although DH allows multiple unix user IDs, it does not enable userdir by default. Which means, as far as I can tell, that in Dreamhost’s shared hosting setup you can (a) use multiple UNIX user IDs in different hosts, with separate unique IP and SSL certificates for each of them, paying roughly $43 for each unique IP, or (b) you can save money, and use only a single unique IP and cert, but then you lose the security of having different web services running as different unix user IDs, or (c) you can use different unix user IDs in different subdomains, but then you don’t get SSL.
I think that both separate unix user IDs and SSL matter. But, since I am currently developing my personal use sites - I want the UNIX user IDs to isolate test cgi scripts from “production” - I can’t afford to pay for extra unique IPs.
(In particular, I think that every MediaWiki site needs SSL - you type passwords in.)
So, here’s what I have done:
I’ve signed up for Dreamhost PS, Linux Vserver.
(I know: I could have had several unique IPs for the cost.)
This gives me root in a box, the ability to administer Apache, and the ability to run setuid CGI.
As you can see above, I’m thrashing on whether to use Apache userdir or setuid, or something else.
I’d prefer not to modify dreamhost’s configuration at all, or at least not much. Userdir seems to require modifications to Apache httpd.conf.
I’m not sure how to arrange to share a single unique IP amongst multiple hosts, but I’m guessing it would require similar httpd.conf modifications.
I just got setuid cgi working. I am ashamed to admit I got stumped here for a while. I could see that setuid was working from an interactive shell, but failing from the web. Apache’s suexec log was saying that it was encountering setuid/setgid, but not saying that this was unacceptable. But it was.
So, I had to invoke the setuid cgi scripts indirectly, not from suexec itself, but from the script suexec started.
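The indirection described above, as an added example that is not the author's scripts: a plain (non-setuid) wrapper that suexec will start, which verifies the layout suexec demands and then execs the setuid helper with a scrubbed environment. HELPER and its path are assumptions; on Linux the helper must be a compiled binary, since the setuid bit is ignored on scripts.

```shell
#!/bin/sh
# Added example, not the author's code. Assumes suexec launches this file
# as the vhost's unix user, and that HELPER (placeholder path) is a setuid
# binary owned by the second unix user that does the real work.
HELPER="${HELPER:-/home/seconduser/bin/cgi-helper}"   # placeholder path

# suexec refuses to start any target that carries the setuid or setgid bit.
# Mirror that rule: returns 0 if suexec would accept the file, 1 if not.
suexec_accepts() {
    [ -f "$1" ] || return 1
    if [ -u "$1" ] || [ -g "$1" ]; then return 1; fi
    return 0
}

# The indirection needs the opposite shape on each side: a plain wrapper
# that suexec accepts, and a helper that really is set-id and executable.
# Returns 0 when the layout is right, 1 if suexec would refuse the wrapper,
# 2 if the helper is missing, not executable, or not set-id.
check_layout() {
    suexec_accepts "$1" || return 1
    [ -x "$2" ] && { [ -u "$2" ] || [ -g "$2" ]; } || return 2
    return 0
}

# Start the helper with a minimal, known environment so the privileged
# process does not inherit anything the request could have planted.
run_helper() {
    exec env -i PATH=/usr/bin:/bin \
        REQUEST_METHOD="${REQUEST_METHOD:-GET}" \
        QUERY_STRING="${QUERY_STRING:-}" \
        CONTENT_LENGTH="${CONTENT_LENGTH:-}" \
        "$1"
}

# Only act when Apache actually invoked this file as a CGI.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    check_layout "$0" "$HELPER" || { printf 'Status: 500\n\n'; exit 1; }
    run_helper "$HELPER"
fi
```

Run `check_layout wrapper.cgi /path/to/helper` from a shell before deploying; a return of 1 is the exact condition the suexec log complained about.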
I haven’t decided if I prefer to use setuid cgi or suexec/userdir. Neither is entirely satisfactory: setuid is easy to get wrong, but I like Dreamhost’s management of my configuration.
By the way, the biggest downside of sharing a single unique IP/SSL cert as I describe is that (1) Dreamhost’s easy one click installs are given their own subdomains, so they can’t use it, while (2) Dreamhost’s advanced one-click installs can use this - but will all live in the same user ID.
I would prefer that this not be so, but might live with it, because
(1) sending passwords, e.g. for wiki, without SSL, is bad.
(2) the standard Dreamhost packages are probably fairly secure.
I most especially want maximum isolation for the CGI scripts I am writing, which I can get.