Using Apache with Suexec on Linux - page 2
Executing CGI Scripts as Other Users
Since suexec works by wrapping an operation up in
a package executed under a different username, it's called a
wrapper. In order to execute a script under the auspices of
the wrapper, the Apache server creates a child process running
the suexec binary and passes the particulars to it.
The wrapper verifies that all the security requirements are
met, edits the list of environment variables so that only the
ones on its 'trusted' list are available, closes its logfile,
and calls some flavour of execv(2) to load the script into the
edited process environment, replacing suexec itself.
Requirements For suexec Operation
Since suexec is used to run applications on your
system on behalf of arbitrary people out on the Web, it's very
paranoid about doing anything that might compromise your system's
security. Here is a list of the conditions suexec
requires to be met before it will proceed; if any don't measure up, the
wrapper will log an error and not execute the script.
suexecmust be invoked with the correct number of arguments. If it isn't, it assumes someone is trying to penetrate your system by running it outside the Apache environment.- The username/UID invoking
suexecmust be a valid user; that is, it must be listed in the/etc/passwdfile. If it isn't, something's not quite right--and when in doubt, punt. - The username executing the wrapper must be the one that was
compiled into it when it was built. Again, a mismatch here is
interpreted as someone trying to use
suexecin other than the prescribed way. - The requested script must be a valid Web-space reference
relative to the user's directory or the DocumentRoot;
it cannot be an absolute filesystem path (i.e.,
it cannot start with a "
/") and cannot include any up-level references (i.e., no "../" references either). - The username and group under which the script is to be run
must be valid, cannot be '
root', and must be above the minimum UID and GID values (set with the--suexecuidminand--suexec-gidminoptions to theconfigurescript, which both default to 100). In addition, the group must be a valid name, and not just a numeric GID. - The wrapper must be able to change its idenity to the requested username and group.
- The script (and obviously the directory in which it lives)
must actually exist and the wrapper must be able to
chdir()to the directory. - If the script isn't from a
~usernamerequest, the script directory must be under the directory specified byDOC_ROOT(defined by the--suexec-docrootoption toconfigure). - The permissions on the specified script and its parent
directory must not allow write access to either the
groupor theothercategories. - The script file cannot be setuid or setgid.
- The script and the directory must be owned by the user and group as which it is to be executed.
- The script must be executable by the user.
suexecmust be able to allocate memory in which to reproduce the environment variable list.
As you can see, the requirements for execution are pretty stringent. The sheer number of things that can go wrong argues for the use of the wrapper only when it's really necessary.
Enabling suexec
Digg
del.icio.us
Slashdot
DZone
Reddit
StumbleUpon
Facebook
FriendFeed
Furl
Newsvine
Google
LinkedIn
MySpace
Technorati
Twitter
Windows Live
YahooBuzz
The suexec wrapper isn't turned on or off by any
particular Apache directive setting. Instead, when the Apache server
is compiled, one of the constants set (SUEXEC_BIN)
is a string pointing to the location of the suexec
binary. When the server starts, it looks for the binary at that
location; if it's found, suexec is enabled--not otherwise.
This is very important.
This means that even a normal Apache build that was performed
without any thought given to using the wrapper can suddenly
become suexec-enabled if a properly protected
suexec binary is put into place between server restarts.
In the master sources, the default value of SUEXEC_BIN
is set to "$HTTPD_ROOT/sbin/suexec"; the default value of
HTTPD_ROOT is platform-specific:
| Platform | Default value of HTTPD_ROOT |
Resulting default SUEXEC_BIN value |
|---|---|---|
| OS/2 | /os2httpd
| /os2httpd/sbin/suexec |
| Windows | /apache |
/apache/sbin/suexec |
| BeOS | /boot/home/apache |
/boot/home/apache/sbin/suexec |
| Novell NetWare | sys:/apache |
sys:/apache/sbin/suexec |
| All others | /usr/local/apache |
/usr/local/apache/sbin/suexec |
You may change the values of either--or both--of the
HTTPD_ROOT and SUEXEC_BIN constants
when you recompile the Apache server.
If Apache does find the wrapper, it reports it in the server error log like this:
[Thu Dec 30 01:24:43 1999] [notice] suEXEC mechanism enabled (wrapper:�/usr/local/web/apache/bin/suexec)
Up until Apache version 1.3.11, there was no way to be sure where a
compiled Apache server is going to be looking for the suexec
binary. As of 1.3.11, though, it's part of the 'compiled modules'
report displayed by the '-l' switch:
% /usr/local/web/apache/bin/httpd -l
Compiled-in modules:
http_core.c
mod_so.c
suexec: enabled; valid wrapper /usr/local/web/apache/bin/suexec
The 'enabled; valid' notation means that the
wrapper is actually present in the indicated location, and
the permissions are correct. If the wrapper isn't there,
or the permissions are wrong, the output will indicate that
suexec is disabled.
- Skip Ahead
- 1. Executing CGI Scripts as Other Users
- 2. Executing CGI Scripts as Other Users
- 3. Executing CGI Scripts as Other Users
- 4. Executing CGI Scripts as Other Users
- 5. Executing CGI Scripts as Other Users
- 6. Executing CGI Scripts as Other Users
- 7. Executing CGI Scripts as Other Users
- 8. Executing CGI Scripts as Other Users
Solid state disks (SSDs) made a splash in consumer technology, and now the technology has its eyes on the enterprise storage market. Download this eBook to see what SSDs can do for your infrastructure and review the pros and cons of this potentially game-changing storage technology.
