Using Apache with Suexec on Linux - page 3
Executing CGI Scripts as Other Users
Because most of suexec's control parameters are defined at compile-time, the only way to change them is to recompile. And since the wrapper works very closely with the Apache Web server--to the point of both applications having to share some compile-time definitions--the way to change suexec is to recompile all of Apache.
If you've never done this before, you can see a brief
treatment of the process in the "Building Apache at Lightspeed" section of this article.
There are several suexec-specific options to the apache-1.3/configure script. Here they are:
- The presence of this option on the command line simply tells the configure script that you want the wrapper to be built as well. Without this option, suexec will not be built, even if there are other suexec options on the command line.
- This must be the username under which your Apache server runs; that is, the one specified on the User directive outside all <VirtualHost> containers. If suexec is invoked by any other user, it assumes it's some sort of probing attempt and fails to execute (after logging the user mismatch).
The default username is
- This specifies the ancestor directory under which all CGI scripts need to reside in order to be acceptable to suexec. (This restriction doesn't apply to scripts activated by ~username-style URLs.) If you have multiple virtual hosts using suexec, their DocumentRoots (if you're using .cgi files) must all be located somewhere in the hierarchy under this directory, or else the wrapper will assume someone is trying to execute something unexpected and will log it as an intrusion attempt. ScriptAliased directories must be under this hierarchy as well, and this is in fact more important for them since they commonly aren't under the DocumentRoot.
The default value for this option is PREFIX/share/htdocs, where 'PREFIX' comes from the value of the --prefix option, explicit or implied.
- Another one of suexec's restrictions is that the user it's being asked to execute the script as mustn't be considered 'privileged.' On Linux and other Unix-like systems this generally means that it mustn't be the superuser. suexec takes this a step further and will refuse to execute as any user with a group ID less than the value of this option.
The default value for this option, if not specified, is
- This specifies the name of the file to which the wrapper will report errors and successful invocations. It is opened and accessed as root, but closed before control is passed to the script.
The default for this option is PREFIX/var/log/suexec_log, where 'PREFIX' is the value from the --prefix option.
- Not only is the list of environment variables examined and sanitized before the script is invoked, but the default PATH is set to a known list of directories as well. This list is hard-coded at compile-time, and is defined by this option.
The default value for
- As with the --suexec-gidmin option described earlier, this option is used to inform suexec of forbidden UID values. If a request is made that would result in the execution of a script by a user with a UID equal to or less than this value, the wrapper will log the fact and not process the request. This foils things like a request for
The default value for this option is
- This option defines the default permission mode to be applied to files created by the script (if it doesn't explicitly set them itself). The umask is specified as a three-digit octal number indicating which permission bits should not be set; see the description of the umask(1) command for more details.
If this option isn't defined at compile-time, at run-time the suexec wrapper will inherit the umask setting from the parent Apache server process.
- This option specifies the subdirectory underneath a user's home directory that suexec will use to find scripts for ~username-style URLs. This needs to match the setting of the UserDir directive in your server configuration files. suexec can only handle simple subdirectory expressions. The more complex pattern-handling capabilities of the mod_userdir module (which implements the UserDir directive) cannot be used with the wrapper.
If you want to change the location of the suexec binary, you can do so by adding a new definition of SUEXEC_BIN to the compilation flags:
% env CFLAGS="-Wall -DSUEXEC_BIN=\"/usr/local/web/apache/suexec\"" \
> ./configure --enable-suexec ...
You should be extremely cautious about changing other definitions, such as HTTPD_ROOT, however, since the wrapper isn't the only part of Apache that uses them.
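To make the effect of the compile-time settings concrete, here is an added shell model (not code from this article or from Apache's own suexec.c) of the run-time checks those settings drive: the caller test, the UID/GID minimums, and document-root containment. The function names (under_dir, suexec_policy_check), the numeric UIDs/GIDs and the paths are all assumptions made up for the example; the comparisons follow the text above.

```shell
#!/bin/sh
# Constructed model of the run-time checks that the compile-time options
# above configure (added example, not Apache's own suexec.c). Comparisons
# follow the text above: a UID equal to or below UID_MIN is refused and a
# GID below GID_MIN is refused. All UIDs, GIDs and paths are made up.

# under_dir DIR PATH: succeed only if PATH lies inside DIR.
# The slash in the pattern stops DOC_ROOT=/web/htdocs from accepting
# /web/htdocs2/evil.cgi on a plain prefix match.
under_dir() {
    case "$2" in
        "$1"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# suexec_policy_check CALLER_UID HTTPD_UID TARGET_UID TARGET_GID \
#                     UID_MIN GID_MIN DOC_ROOT SCRIPT
# Returns 0 when every check passes; otherwise prints the reason the
# wrapper would log and returns 1.
suexec_policy_check() {
    caller=$1; httpd=$2; uid=$3; gid=$4
    uidmin=$5; gidmin=$6; docroot=$7; script=$8
    # Caller check: only the Apache server user may invoke the wrapper.
    if [ "$caller" -ne "$httpd" ]; then
        echo "user mismatch: invoked by uid $caller, expected uid $httpd"
        return 1
    fi
    # Privileged-target checks (UID_MIN / GID_MIN).
    if [ "$uid" -le "$uidmin" ]; then
        echo "cannot run as uid $uid: not above UID_MIN $uidmin"
        return 1
    fi
    if [ "$gid" -lt "$gidmin" ]; then
        echo "cannot run as gid $gid: below GID_MIN $gidmin"
        return 1
    fi
    # Document-root containment. A '..' component would let a path that
    # starts under DOC_ROOT escape it, so reject it before the prefix test.
    case "$script" in
        */../*|*/..) echo "path contains '..': $script"; return 1 ;;
    esac
    if ! under_dir "$docroot" "$script"; then
        echo "command not in docroot: $script"
        return 1
    fi
    return 0
}
```

The real wrapper applies further file checks (ownership and permission bits) before executing anything; this model covers only the checks the options above configure.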