Using Apache with Suexec on Linux
Executing CGI Scripts as Other Users
The Apache Web server, like most if not all of the others in common use today, lets you execute arbitrarily complex operations through the use of CGI scripts. These can involve database lookups, system administration functions, real-time control of machinery, online payments, or almost anything else you can think of.
Ordinarily, all of these things occur in the context of the user
running the Apache server itself (typically nobody
on Linux systems). This is fine when you're using a system that
is owned and used by a single entity...but what if you're an
ISP with multiple companies being hosted on your system? Or an
educational institution with faculty who want to be able to
execute their own scripts? Either everything has to be accessible
to the Apache nobody
user, or you have to run
multiple instances of Apache on multiple ports and IP addresses,
one of each per user,
with the concomitant confusion of configuration files.
root
and only changes
to nobody
later!)
The suexec
(pronounced 'SUE-ex-Ek')
tool helps make this possible. It's found in the
src/support/
directory under your Apache source tree.
Assumptions in This Article
For the rest of this article, I'm going to make
the following assumptions:
- your Apache source tree starts at
./apache-1.3/
- your Apache ServerRoot is
/usr/local/web/apache
- your Apache DocumentRoot is
/usr/local/web/htdocs
- the username under which Apache runs (the value of the
User
directive in yourhttpd.conf
file) isnobody
All of the cd
and other shell commands in this article
that refer to directories use these locations.
- Skip Ahead
- 1. Executing CGI Scripts as Other Users
- 2. Executing CGI Scripts as Other Users
- 3. Executing CGI Scripts as Other Users
- 4. Executing CGI Scripts as Other Users
- 5. Executing CGI Scripts as Other Users
- 6. Executing CGI Scripts as Other Users
- 7. Executing CGI Scripts as Other Users
- 8. Executing CGI Scripts as Other Users