April 21, 2014

Using Apache with Suexec on Linux - page 4

Executing CGI Scripts as Other Users

  • January 21, 2000
  • By Ken Coar

Since the point of suexec is to handle certain Web requests under a different identity than the Apache server user, there needs to be some way to specify just which user. There are two places from which Apache will draw this information:

  • The username from URLs such as username/foo.cgi>,
  • The User and Group directives in the server configuration file, httpd.conf.

The username to use is determined by checking these in the above order.

The User and Group directives are ordinarily ignored inside containers, but in a suexec-enabled server they take on new meaning for the virtual host, defining the identity under which CGI scripts requested through that host will be executed. If a virtual host doesn't have a User directive, it inherits the server-wide value (which defines the username under which the server itself is running) which will probably result in normal, non-suexec-enabled behaviour.

Incorporating Suexec Into Your Apache Server
If you have an Apache 1.3 server binary, it's capable of using a suexec wrapper if it finds one in the expected place. (Until Apache 1.3.11, there was no convenient way to find out what the 'expected place' is; as of version 1.3.11, you can find out the value of the SUEXEC_BIN compile-time constant, and whether there's a valid wrapper at that location, with the 'httpd�-l' runtime switch.)

If you're working with an Apache server that you inherited, or installed as part of a package, you might not be sure whether suexec is in place or being used. If you want to be sure about it, the best thing to do is to use the Apache build procedure, which will dot the Is and cross the Ts when you 'make�install'.

The main mechanism suexec uses to ensure safety is to rely on a bunch of settings made at compile-time. Likewise, the only way Apache can be made to even think about using suexec is it if has been compiled with that in mind. This means that you'll probably need to compile both the Apache server and suexec yourself. This is easily done as part of the normal Apache build. Just use the following command and the rest is easy:

    % cd ./apache-1.3/
    % ./configure \
    >        --enable-shared=max \
    >        --enable-module=most \
    >        --with-layout=Apache \
    >        --prefix=/usr/local/web/apache \
    >        --with-port=80 \
    >        --suexec-enable \
    >        --suexec-caller=nobody \
    >        --suexec-docroot=/usr/local/web
The Red Hat 6.1 Apache RPM actually installs suexec by default, which may cause you problems. If you don't want it, you'll need to either rebuild Apache or disable the suexec execution.

Disabling Suexec
If your Apache installation is currently suexec-enabled, it's very simple to turn the wrapper off. Just do one or more of the following to the suexec binary:

  • Clear the setuid bit
  • Change the owner to be someone other than root
  • Delete or rename it

and then restart the Apache server. Doing any one of these will render the suexec facility unusable, and Apache won't even try to involve it. To verify that your action has had the desired effect, verify (if you're running Apache 1.3.11 or later) with the "/usr/local/web/apache/bin/httpd�-l" command. If the output says suexec is enabled, you haven't done enough yet.

Sitemap | Contact Us