In this step we will set up CGI on the Apache server. Add the user cgiuser for this purpose.

[root@security1 www]# useradd cgiuser

We need a virtual host on the system. It will be called cgi20.setenforce.com. First enable virtual hosts in /etc/httpd/conf/httpd.conf, which means you should uncomment the following line:

NameVirtualHost *:80

and comment out the following line:

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

I created the file /etc/httpd/conf.d/cgi20.conf, where I put the configuration for my new host. You will need to use CGI scripts outside of ScriptAliased directories. Of course, you don't need to know all the directives; you can take all of them from /etc/httpd/conf/httpd.conf.

<VirtualHost *:80>
ServerAdmin webmaster@cgi20.setenforce.com
DocumentRoot /var/www/virtual/
ServerName cgi20.setenforce.com
ErrorLog /var/log/httpd/cgi/cgi20-error_log
CustomLog /var/log/httpd/cgi/cgi20-access_log common
ScriptAlias /cgi-bin/ "/var/www/virtual/cgi-bin/"
<Directory "/var/www/virtual/cgi-bin">
Options ExecCGI
AddHandler cgi-script .cgi .sh
</Directory>
</VirtualHost>

After this, create the necessary files and directories.

[root@security1 www]# /etc/init.d/httpd restart
[root@security1 www]# mkdir -p virtual/cgi-bin
[root@security1 www]# chown -R cgiuser:cgiuser virtual/
[root@security1 www]# chmod -R 755 virtual/

To test this, create a script called setenforce.sh inside the directory /var/www/virtual/cgi-bin with the following content:

#!/bin/bash
echo Content-type:text/html
echo
whoami
echo ''
id || echo "will not work with SELinux."
echo ''

This script should be owned by cgiuser and have permission 755. It will now run as the apache user; you can test this by requesting http://cgi20.setenforce.com/cgi-bin/setenforce.sh

[root@security1 cgi-bin]# setsebool -P httpd_enable_cgi on

Add the following line to cgi20.conf:

SuexecUserGroup cgiuser cgiuser
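
suEXEC will not run a script unless the script and its directory are owned by the target user and group, are not writable by anyone else, and the script is not setuid or setgid. The function below is an added example, not part of the original tutorial, that audits a cgi-bin directory for those conditions; check_suexec_dir is a hypothetical helper name and GNU stat is assumed.

```bash
# Added example, not from the original tutorial. Assumes GNU stat (coreutils);
# check_suexec_dir is a hypothetical helper name.
# Usage: check_suexec_dir <cgi-dir> <user> <group>
# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
check_suexec_dir() {
    local dir="$1" user="$2" group="$3" bad=0 p owner grp mode
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi
    for p in "$dir" "$dir"/*; do
        # suEXEC refuses a program that is a symbolic link.
        if [ -L "$p" ]; then
            echo "FAIL: $p is a symbolic link"
            bad=1
            continue
        fi
        [ -e "$p" ] || continue   # unmatched glob in an empty directory
        read -r owner grp mode <<EOF
$(stat -c '%U %G %a' -- "$p")
EOF
        # Directory and scripts must belong to the SuexecUserGroup pair.
        if [ "$owner" != "$user" ] || [ "$grp" != "$group" ]; then
            echo "FAIL: $p is owned by $owner:$grp, expected $user:$group"
            bad=1
        fi
        # Only the owner may have write access (755 passes, 775 fails).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL: $p is writable by group or others (mode $mode)"
            bad=1
        fi
        # Scripts must not carry the setuid or setgid bit.
        if [ -f "$p" ] && [ $(( 0$mode & 06000 )) -ne 0 ]; then
            echo "FAIL: $p is setuid or setgid (mode $mode)"
            bad=1
        fi
    done
    return "$bad"
}

# Example call for the layout used on this page:
# check_suexec_dir /var/www/virtual/cgi-bin cgiuser cgiuser
```

A clean run prints nothing and returns 0; each FAIL line names a path that suEXEC would reject.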

With SuexecUserGroup set, the script will be executed with cgiuser privileges. I don't want people to be able to see symbolic links and directory information, so I created /etc/httpd/conf.d/www20.conf with the following content:

<VirtualHost *:80>
ServerAdmin webmaster@www20.setenforce.com
DocumentRoot /var/www/html/
ServerName www20.setenforce.com
ErrorLog /var/log/httpd/www20/www20-error_log
CustomLog /var/log/httpd/www20/www20-access_log common
<Directory /var/www/html/options>
Options -FollowSymLinks
</Directory>
</VirtualHost>

In the /var/www/html/options/ directory I create a symbolic link like this:

[root@security1 www20]# ln -s / /var/www/html/options/link.jpg

After restarting the service, I can't see the content of /etc/hosts, for example, through the web; see below:

[root@station20 ~]# links --dump http://www20.setenforce.com/options/link.jpg/etc/hosts