I am trying to install gitolite 3 on a apache2 server. So I need to run a CGI script owned by git:git. My configuration for achieving this (based mainly on this) is:
<VirtualHost myserver.com>
ServerName myserver.com
ServerAlias git
SuexecUserGroup git git
ScriptAliasMatch "(?x)^/(.*/(HEAD | info/refs | objects/(info/[^/]+ | [0-9a-f]{2}/[0-9a-f]{38} | pack/pack-[0-9a-f]{40}\.(pack|idx)) | git-(upload|receive)-pack))$" \
/srv/www/gitolite_suexec_wrapper.sh/$1
</VirtualHost>
The problem I have is whenever a query match my stript alias regexp, the client receives a 403 and my apache errors logs (set to debug level) tell me the following:
client denied by server configuration: /srv/www/gitolite_suexec_wrapper.sh
My apache2 server has user wwwrun and group www. The suexec module is running, so I test everything is fine like this:
su -c "/usr/sbin/suexec2 true" wwwrun
suexec policy violation: see suexec log for more details
So this user can start suexec. Previously I had wrong permissions on my /srv/www/gitolite_suexec_wrapper.sh and had lines logged in /var/log/apache2/suexec.log, now I have nothing so I guess my rights are set up correctly regarding suexec and the wrapping script.
And I am still unsure if this script should be owned by wwwrun:www or git:git the owner of the script that I need apache2 to run. I guess from suexec help that it should be wwwrun:www, anyway I tried both and both did not work.
su -c "/srv/www/gitolite_suexec_wrapper.sh" wwwrun
Gives an output, so I think my permissions are set correctly on this script.
What should I also check? What did I do wrong?
Thanks in advance for your help!
