It took me hours to get FastCGI and Suexec working properly. I'm so annoyed by the horrible docs available for it only.

First I tried using fcgid (which at least is DFSG-free) but wasn't able to run moinmoin properly at all. So I gave up on that quickly.

So I ended up trying "non-free" libapache2-mod-fastcgi. Oh what a mess. Getting the non-suexec fastcgi working was easy. Now I tried to make it a bit more secure...

The "Documentation" claims that all you need to do is enable the SuExec Wrapper. So I configured a "FastCgiServer", set -user and -group appropriately, somehow found out that I need to chown the executeable and the dir containing the executeable accordingly, and that the user and group need to be higher than 100 - ok. (Although group www-data would have been okay, I guess). Reloaded apache. And the fastcgi process is started and running with the right userid.

By now I was using a mini test-fastcgi, which prints getuid() - and so I could see that despite my process runing as a different user, it still returned 33 (=www-data). Damn!

The reason I found out later after manually changing URIs to find the right docs etc. was that I need to enable mod_suexec, then add the SuexecUserGroup option to my vhost.

For incoming requests, FastCGI will check for a running fcgi server with the same path and the same user and group ids as the one you defined in the fastcgi config. Otherwise it will start a new dynamic server. And there is no "FastCgiUserGroup" option or something obvious to configure the user and group name for the cgi path - but you need to do that for mod_suexec.

Apache config is a PITA anyway. With its pseudo-XML syntax etc. - we really need to get rid of it sometime...

So here is a short howto for using suexec and mod_fastcgi on apache2:

• Install apache2 with suexec (should be included) and fastcgi.
• Name your FastCGI .fcgi, setup +ExecCGI and the fastcgi-script handler
• Test if your fastcgi runs as www-data user (i.e. non-suexec)
• Add a "FastCgiServer" statement to the fastcgi.conf with appropriate -user and -group statements, enable FastCgiWrapper
• chown the CGI and its parent directory to these ids, also consider setting the "immutable" flag on your cgi
• Enable mod_suexec by calling "a2enmod suexec"
• In your VHost, add a "SuExecUserGroup appruser apprgroup" statement matching the usernames you gave above.
• restart apache. You should now see your fcgi process running with the correct userid. Otherwise check suexec.log and apache error log
• Try to access a web page generated by the fastcgi, and make sure it didn't start another fastcgi daemon...

... gerade habe ich in einer Statistik gelesen, dass die Raucherquote bei Singles (zugegebener maßen nicht viel, aber trotzem) höher ist.

Ich finde sowieso den Gestank von (vor allem kaltem) Rauch einfach unsexy...