Troubleshooting - Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007 Installation Manual

40.7.4 CGI Scripts
Interactive scripts in Perl, PHP, SSI, or any other programming language can essentially
run arbitrary commands and therefore present a general security issue. Scripts that will
be executed from the server should only be installed from sources the server administrator
trusts. Allowing users to run their own scripts is generally not a good idea. It is
also recommended to do security audits for all scripts.

To make the administration of scripts as easy as possible, it is common practice to
limit the execution of CGI scripts to specific directories instead of globally allowing
them. The directives ScriptAlias and Options ExecCGI are used for configuration.
The SUSE Linux Enterprise Server default configuration does not allow execution
of CGI scripts from everywhere.

All CGI scripts run as the same user, so different scripts can potentially conflict with
each other. The module suEXEC lets you run CGI scripts under a different user and
group.

40.7.5 User Directories
When enabling user directories (with mod_userdir or mod_rewrite) you should
strongly consider not allowing .htaccess files, which would allow users to override
security settings. At the least, you should limit what users can change by using the directive
AllowOverride. In SUSE Linux Enterprise Server, .htaccess files are enabled
by default, but the user is not allowed to override any Options directives when using
mod_userdir (see the /etc/apache2/mod_userdir.conf configuration file).
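
The following configuration is an added example, not taken from the manual or from the SUSE default files. It puts the restrictions from Sections 40.7.4 and 40.7.5 side by side with the permissive setup they replace. The paths /srv/www/htdocs, /srv/www/cgi-bin and /home/*/public_html and the script suffixes are assumptions.

```apache
# Constructed example. Variant A and Variant B are alternatives for the
# same directory; use only one of them in a real configuration.

# --- Variant A (weak): CGI execution allowed across the document root ---
# Every file with a matching suffix anywhere in the tree is run as a
# program, and AllowOverride All lets any .htaccess file change Options.
<Directory "/srv/www/htdocs">
    Options +ExecCGI
    AddHandler cgi-script .cgi .pl
    AllowOverride All
</Directory>

# --- Variant B (restricted): no CGI in the document root ---
<Directory "/srv/www/htdocs">
    Options -ExecCGI
    AllowOverride None
</Directory>

# CGI is confined to one directory that only the administrator writes to.
# ScriptAlias maps the URL prefix to that directory and hands every file
# in it to the cgi-script handler.
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
<Directory "/srv/www/cgi-bin">
    AllowOverride None
    Options +ExecCGI -Includes
</Directory>

# --- User directories (mod_userdir) ---
<IfModule mod_userdir.c>
    UserDir public_html
    <Directory "/home/*/public_html">
        # "Options" is absent from the AllowOverride list, so an Options
        # line in a user's .htaccess is rejected and ExecCGI stays off.
        AllowOverride FileInfo AuthConfig Limit Indexes
        # Absolute list (no +/-): ExecCGI is not in it; server-side
        # includes are allowed but without command execution.
        Options Indexes SymLinksIfOwnerMatch IncludesNoExec
    </Directory>
</IfModule>
```

Setting AllowOverride None in the user directory block disables .htaccess processing there entirely, which is the stricter option the section recommends considering.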

40.8 Troubleshooting

If Apache does not start, the Web page is not accessible, or users cannot connect to the
Web server, it is important to find the cause of the problem. Here are some typical
places to look for error explanations and important things to check.
First, rcapache2 (described in Section 40.3, "Starting and Stopping Apache" (page 754))
is verbose about errors, so it can be quite helpful if it is actually used for operating
Apache. Sometimes it is tempting to use the binary /usr/sbin/httpd2 for