Delegating Administration in Apache

We’ll see how to use the UserDir directive (for more on UserDir, refer to PCQuest, November 2001, page 62) to assign a Web directory to users with login accounts on a Linux machine running the Apache Web Server. We’ll also see the use of .htaccess file, which will let Linux users host their Web pages. This can be used in an educational institution where each student can host Web pages in his home directory, or in an organization, where the HR department can use it to maintain records of all the employees. A basic homepage template can be made for all the employees, and subsequently filled up for each one. It’s a simple task and you won’t have to go through the hassles of configuring virtual hosting. Using the UserDir directive, you need to just specify the directory name relative to the Linux user’s home directory, ie /home/. The pre-existing line:

UserDir public_html

in httpd.conf specifies that Linux users can host Web pages in a subdirectory named public_ html within their home directory.

The Web pages of each user can be accessed using the URL:

http:///~/

Note the tilde (~) before the login name. Let’s start from scratch by creating a user account. Issue the following command at the Linux command line as root:

useradd shekhar



passwd shekhar

These commands will create a login name ‘shekhar’ and will prompt to assign a password to it. Use your own login name instead of ‘shekhar’ to login. You will be dropped into the home directory, which in our case is /home/ shekhar. Create a directory named public_html within this directory. Next, create a simple HTML page. Type in the following HTML tags using a Linux text editor.

Welcome to Shekhar’s home page

Save this file with the name index.html in the public_html directory. To know why we named the file ‘index.html’, read about the directive named ‘DirectoryIndex’ in our November 2001 issue. The home directory of shekhar, ie, /home/shekhar must have the worldwide x (execute) permission set. This is done by issuing the command:

chmod o+x 



/home/shekhar

Also, the files created or copied (like the index.html file) in the public_html directory must be world readable (chmod o+r ). From the same Linux machine running the Web server, type in the following URL in the Web browser to access the index.html page.

http://127.0.0.1/~shekhar/

In November we also talked about the Options directive, which can be used to set options for a Web directory, for instance, /var/www/html (the document root). Since the directory defined by UserDir is also a Web directory, we can use the Options directive for it too. Insert the following lines below the UserDir directive.

Options Indexes MultiViews Includes ExecCGI


AllowOverride None


Order allow,deny


Allow from all

This defines settings for the Web directory public_html. The asterisk (*) is substituted by the specified in the URL, after the tilde. You can experiment with all the options explained in November by using /home/shekhar/public_html directory in place of /var/www/ html. All will work, except for SSIs with ‘exec’ command and CGI scripts. For the former you get an error ‘an error occurred while processing this directive’ and for the latter you get an ‘Internal Server Error’. The culprit for both these errors is something called ‘suEXEC’. All Linux/Unix processes–applications, daemons (servers), etc–run as a user and group which has an entry in the /etc/passwd and /etc/group file respectively. Conventionally the CGI and SSI pages are executed as user ‘nobody’ and group ‘nobody’–the same user and group that the Apache Web server process runs as. This user and group account has least access privileges on a Linux system. But due to the suEXEC feature, these pages are executed as the same user privileges whose pages are referred through the URL, ie, shekhar in our case.

suEXEC does not permit to escape from the Web directory into the file system and the ‘ls’ command is located in /bin directory. So the SSI page we had written in November will not work. But with some tweaking we can make CGI scripts work with suEXEC. A restriction imposed by suEXEC is the directory specified by the UserDir directive as well as the CGI script file must be writable only by the owner (shekhar), not even by the group. So we remove the write permission for the group by:

chmod g-w /home/shekhar/public_html



chmod g-w /home/shekhar/public _html/test.cgi

Now the script will work when invoked by the URL:

http://127.0.0.1/~shekhar/test.cgi

If you want to disable susEXEC altogether, then move the file named suexec from the /usr/sbin directory to some other directory and then restart Apache. To enable suEXEC again, copy the file again to the /usr/sbin directory. The log file showing errors related to suEXEC is suexec_log. You can find this file in /var/ log/httpd. You may refer to http://httpd. apache.org/ docs/ suexec.html to know more on suEXEC.

Giving access to httpd.conf to any user can be a security hazard. We can use the ‘Options’ and ‘Limit’ values for the AllowOverride directive. The former allows delegation of ‘Options’ directive and the later allows delegation of ‘Order’, ‘Allow’ and ‘Deny’ directives. The modified lines for public_html Web directory will now look like:

AllowOverride Options Limit

Now login as user ‘shekhar’ and create a file named ‘.htaccess’ in public_html directory and insert the removed directives in this file. So now the ‘.htaccess’ file will look like:

Options Indexes MultiViews Includes ExecCGI



Order allow,deny


Allow from all

User ‘shekhar’ can modify this file to include or exclude directives without touching httpd.conf. This file must be readable by others (chmod o+r .htaccess). The Allowoverride directive can accept three more values– FileInfo, Indexes, AuthConfig–besides Options and Limit. The former two are related to Web document types, Web directory presentation, language icons, etc. The AuthConfig directive is used to password protect user directory (or any Web directory).

Shekhar Govindarajan