181e56d8b348d301d615ccf5465ae600fee2867berikabele<?xml version="1.0" encoding="ISO-8859-1"?>

181e56d8b348d301d615ccf5465ae600fee2867berikabele<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

181e56d8b348d301d615ccf5465ae600fee2867berikabele<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--

5a58787efeb02a1c3f06569d019ad81fd2efa06end<title>suEXEC Support - Apache HTTP Server</title>

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />

d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />

d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen<script src="/style/scripts/prettify.js" type="text/javascript">

d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen</script>

d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<link href="/images/favicon.ico" rel="shortcut icon" /></head>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<body id="manual-page"><div id="page-header">

d229f940abfb2490dee17979e9a5ff31b7012eb5rbowen<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>

3f08db06526d6901aa08c110b5bc7dde6bc39905nd<p class="apache">Apache HTTP Server Version 2.5</p>

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<img alt="" src="/images/feather.gif" /></div>

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="/images/left.gif" /></a></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div id="path">

3f08db06526d6901aa08c110b5bc7dde6bc39905nd<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="./">Version 2.5</a></div><div id="page-content"><div id="preamble"><h1>suEXEC Support</h1>

3b3b7fc78d1f5bfc2769903375050048ff41ff26nd<div class="toplang">

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<p><span>Available Languages: </span><a href="/en/suexec.html" title="English">&nbsp;en&nbsp;</a> |

af84459fbf938e508fd10b01cb8d699c79083813takashi<a href="/fr/suexec.html" hreflang="fr" rel="alternate" title="Fran�ais">&nbsp;fr&nbsp;</a> |

7f5b59ccc63c0c0e3e678a168f09ee6a2f51f9d0nd<a href="/ja/suexec.html" hreflang="ja" rel="alternate" title="Japanese">&nbsp;ja&nbsp;</a> |

e1e8390280254f7f0580d701e583f670643d4f3fnilgun<a href="/ko/suexec.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a> |

f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung<a href="/tr/suexec.html" hreflang="tr" rel="alternate" title="T�rk�e">&nbsp;tr&nbsp;</a></p>

3b3b7fc78d1f5bfc2769903375050048ff41ff26nd</div>

3b3b7fc78d1f5bfc2769903375050048ff41ff26nd

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen <p>The <strong>suEXEC</strong> feature provides users of the Apache

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen HTTP Server the ability

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to run <strong>CGI</strong> and <strong>SSI</strong> programs

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen under user IDs different from the user ID of the calling

ce71a46e27f6e2ae210e1f925545aa6e4f74db74jsl web server. Normally, when a CGI or SSI program executes, it

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen runs as the same user who is running the web server.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Used properly, this feature can reduce

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen considerably the security risks involved with allowing users to

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen develop and run private CGI or SSI programs. However, if suEXEC

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen is improperly configured, it can cause any number of problems

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen and possibly create new holes in your computer's security. If

5f48875017569cc7610b17d852c44e02684d9d5aerikabele you aren't familiar with managing <em>setuid root</em> programs

5f48875017569cc7610b17d852c44e02684d9d5aerikabele and the security issues they present, we highly recommend that

5f48875017569cc7610b17d852c44e02684d9d5aerikabele you not consider using suEXEC.</p>

5a58787efeb02a1c3f06569d019ad81fd2efa06end </div>

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<div id="quickview"><ul id="toc"><li><img alt="" src="/images/down.gif" /> <a href="#before">Before we begin</a></li>

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<li><img alt="" src="/images/down.gif" /> <a href="#model">suEXEC Security Model</a></li>

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<li><img alt="" src="/images/down.gif" /> <a href="#install">Configuring &amp; Installing

5a58787efeb02a1c3f06569d019ad81fd2efa06end suEXEC</a></li>

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<li><img alt="" src="/images/down.gif" /> <a href="#enable">Enabling &amp; Disabling

5a58787efeb02a1c3f06569d019ad81fd2efa06end suEXEC</a></li>

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<li><img alt="" src="/images/down.gif" /> <a href="#usage">Using suEXEC</a></li>

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<li><img alt="" src="/images/down.gif" /> <a href="#debug">Debugging suEXEC</a></li>

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<li><img alt="" src="/images/down.gif" /> <a href="#jabberwock">Beware the Jabberwock:

5a58787efeb02a1c3f06569d019ad81fd2efa06end Warnings &amp; Examples</a></li>

30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="before" id="before">Before we begin</a></h2>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Before jumping head-first into this document,

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen you should be aware that certain assumptions are made about you and

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen the environment in which you will be using suexec.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>First, it is assumed that you are using a UNIX

e884f58207082fa2136d5fc86635c31252338948erikabele derivative operating system that is capable of

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>setuid</strong> and <strong>setgid</strong> operations.

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen All command examples are given in this regard. Other platforms,

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen if they are capable of supporting suEXEC, may differ in their

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configuration.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Second, it is assumed you are familiar with

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen some basic concepts of your computer's security and its

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen administration. This involves an understanding of

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>setuid/setgid</strong> operations and the various

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen effects they may have on your system and its level of

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen security.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Third, it is assumed that you are using an

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>unmodified</strong> version of suEXEC code. All code

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen for suEXEC has been carefully scrutinized and tested by the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen developers as well as numerous beta testers. Every precaution

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen has been taken to ensure a simple yet solidly safe base of

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen code. Altering this code can cause unexpected problems and new

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen security risks. It is <strong>highly</strong> recommended you

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen not alter the suEXEC code unless you are well versed in the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen particulars of security programming and are willing to share

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen your work with the Apache HTTP Server development team for consideration.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Fourth, and last, it has been the decision of

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen the Apache HTTP Server development team to <strong>NOT</strong> make suEXEC part of

9045c2ce2212b7e911e8a27a4ae6aa9ca73f3d91rbowen the default installation of Apache httpd. To this end, suEXEC

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configuration requires of the administrator careful attention

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to details. After due consideration has been given to the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen various settings for suEXEC, the administrator may install

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen suEXEC through normal installation methods. The values for

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen these settings need to be carefully determined and specified by

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the administrator to properly maintain system security during

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the use of suEXEC functionality. It is through this detailed

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen process that we hope to limit suEXEC

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen installation only to those who are careful and determined

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen enough to use it.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Still with us? Yes? Good. Let's move on!</p>

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="model" id="model">suEXEC Security Model</a></h2>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Before we begin configuring and installing

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen suEXEC, we will first discuss the security model you are about

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to implement. By doing so, you may better understand what

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen exactly is going on inside suEXEC and what precautions are

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen taken to ensure your system's security.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p><strong>suEXEC</strong> is based on a setuid

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen "wrapper" program that is called by the main Apache HTTP Server.

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen This wrapper is called when an HTTP request is made for a CGI

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen or SSI program that the administrator has designated to run as

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen a userid other than that of the main server. When such a

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen request is made, Apache httpd provides the suEXEC wrapper with the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen program's name and the user and group IDs under which the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen program is to execute.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>The wrapper then employs the following process

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to determine success or failure -- if any one of these

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen conditions fail, the program logs the failure and exits with an

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen error, otherwise it will continue:</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <ol>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

5f48875017569cc7610b17d852c44e02684d9d5aerikabele <strong>Is the user executing this wrapper a valid user of

e1e8390280254f7f0580d701e583f670643d4f3fnilgun this system?</strong>

5f48875017569cc7610b17d852c44e02684d9d5aerikabele

5f48875017569cc7610b17d852c44e02684d9d5aerikabele <p class="indent">

5f48875017569cc7610b17d852c44e02684d9d5aerikabele This is to ensure that the user executing the wrapper is

5f48875017569cc7610b17d852c44e02684d9d5aerikabele truly a user of the system.

5f48875017569cc7610b17d852c44e02684d9d5aerikabele </p>

5f48875017569cc7610b17d852c44e02684d9d5aerikabele </li>

5f48875017569cc7610b17d852c44e02684d9d5aerikabele

5f48875017569cc7610b17d852c44e02684d9d5aerikabele <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Was the wrapper called with the proper number of

e1e8390280254f7f0580d701e583f670643d4f3fnilgun arguments?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen The wrapper will only execute if it is given the proper

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen number of arguments. The proper argument format is known

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen to the Apache HTTP Server. If the wrapper is not receiving

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the proper number of arguments, it is either being

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen hacked, or there is something wrong with the suEXEC

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen portion of your Apache httpd binary.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is this valid user allowed to run the

e1e8390280254f7f0580d701e583f670643d4f3fnilgun wrapper?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Is this user the user allowed to run this wrapper? Only

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen one user (the Apache user) is allowed to execute this

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen program.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele <strong>Does the target CGI or SSI program have an unsafe

e1e8390280254f7f0580d701e583f670643d4f3fnilgun hierarchical reference?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele Does the target CGI or SSI program's path contain a leading

41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele '/' or have a '..' backreference? These are not allowed; the

41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele target CGI/SSI program must reside within suEXEC's document

41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele root (see <code>--with-suexec-docroot=<em>DIR</em></code>

41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele below).

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun <strong>Is the target user name valid?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Does the target user exist?

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun <strong>Is the target group name valid?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Does the target group exist?

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target user <em>NOT</em> superuser?</strong>

aaf7b7f4cc1be050310c3d7f48bce0ec67e174e4nd

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

ec5fd46fd2a4a263bb5cdf419e8d4106007a2ac8gryzor suEXEC does not allow <code><em>root</em></code>

5f48875017569cc7610b17d852c44e02684d9d5aerikabele to execute CGI/SSI programs.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target userid <em>ABOVE</em> the minimum ID

e1e8390280254f7f0580d701e583f670643d4f3fnilgun number?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen The minimum user ID number is specified during

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configuration. This allows you to set the lowest possible

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen userid that will be allowed to execute CGI/SSI programs.

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen This is useful to block out "system" accounts.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target group <em>NOT</em> the superuser

e1e8390280254f7f0580d701e583f670643d4f3fnilgun group?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

5f48875017569cc7610b17d852c44e02684d9d5aerikabele Presently, suEXEC does not allow the <code><em>root</em></code>

5f48875017569cc7610b17d852c44e02684d9d5aerikabele group to execute CGI/SSI programs.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target groupid <em>ABOVE</em> the minimum ID

e1e8390280254f7f0580d701e583f670643d4f3fnilgun number?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen The minimum group ID number is specified during

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configuration. This allows you to set the lowest possible

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen groupid that will be allowed to execute CGI/SSI programs.

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen This is useful to block out "system" groups.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Can the wrapper successfully become the target user

e1e8390280254f7f0580d701e583f670643d4f3fnilgun and group?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Here is where the program becomes the target user and

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen group via setuid and setgid calls. The group access list

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen is also initialized with all of the groups of which the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen user is a member.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

5f48875017569cc7610b17d852c44e02684d9d5aerikabele <strong>Can we change directory to the one in which the target

5f48875017569cc7610b17d852c44e02684d9d5aerikabele CGI/SSI program resides?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

5f48875017569cc7610b17d852c44e02684d9d5aerikabele If it doesn't exist, it can't very well contain files. If we

157312a2bcbad225c12462fc6d74b1aa3f32dceehumbedooh can't change directory to it, it might as well not exist.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen <strong>Is the directory within the httpd webspace?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen If the request is for a regular portion of the server, is

41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele the requested directory within suEXEC's document root? If

e1e8390280254f7f0580d701e583f670643d4f3fnilgun the request is for a <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code>, is the requested directory

41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele within the directory configured as suEXEC's userdir (see

41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele <a href="#install">suEXEC's configuration options</a>)?

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the directory <em>NOT</em> writable by anyone

e1e8390280254f7f0580d701e583f670643d4f3fnilgun else?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen We don't want to open up the directory to others; only

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the owner user may be able to alter this directories

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen contents.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun <strong>Does the target CGI/SSI program exist?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen If it doesn't exists, it can't very well be executed.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele <strong>Is the target CGI/SSI program <em>NOT</em> writable

e1e8390280254f7f0580d701e583f670643d4f3fnilgun by anyone else?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen We don't want to give anyone other than the owner the

41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele ability to change the CGI/SSI program.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele <strong>Is the target CGI/SSI program <em>NOT</em> setuid or

e1e8390280254f7f0580d701e583f670643d4f3fnilgun setgid?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen We do not want to execute programs that will then change

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen our UID/GID again.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target user/group the same as the program's

e1e8390280254f7f0580d701e583f670643d4f3fnilgun user/group?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Is the user the owner of the file?

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Can we successfully clean the process environment

e1e8390280254f7f0580d701e583f670643d4f3fnilgun to ensure safe operations?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen suEXEC cleans the process' environment by establishing a

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen safe execution PATH (defined during configuration), as

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen well as only passing through those variables whose names

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen are listed in the safe environment list (also created

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen during configuration).

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele <strong>Can we successfully become the target CGI/SSI program

e1e8390280254f7f0580d701e583f670643d4f3fnilgun and execute?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele Here is where suEXEC ends and the target CGI/SSI program begins.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </ol>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

e884f58207082fa2136d5fc86635c31252338948erikabele <p>This is the standard operation of the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen suEXEC wrapper's security model. It is somewhat stringent and

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen can impose new limitations and guidelines for CGI/SSI design,

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen but it was developed carefully step-by-step with security in

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen mind.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>For more information as to how this security

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen model can limit your possibilities in regards to server

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configuration, as well as what security risks can be avoided

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive with a proper suEXEC setup, see the <a href="#jabberwock">"Beware the Jabberwock"</a> section of this

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen document.</p>

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="install" id="install">Configuring &amp; Installing

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive suEXEC</a></h2>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Here's where we begin the fun.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p><strong>suEXEC configuration

181e56d8b348d301d615ccf5465ae600fee2867berikabele options</strong><br />

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dl>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dt><code>--enable-suexec</code></dt>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dd>This option enables the suEXEC feature which is never

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen installed or activated by default. At least one

5f48875017569cc7610b17d852c44e02684d9d5aerikabele <code>--with-suexec-xxxxx</code> option has to be provided

5f48875017569cc7610b17d852c44e02684d9d5aerikabele together with the <code>--enable-suexec</code> option to let

5f48875017569cc7610b17d852c44e02684d9d5aerikabele APACI accept your request for using the suEXEC feature.</dd>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>

687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron

5f48875017569cc7610b17d852c44e02684d9d5aerikabele <dd>The path to the <code>suexec</code> binary must be hard-coded

5f48875017569cc7610b17d852c44e02684d9d5aerikabele in the server for security reasons. Use this option to override

687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron the default path. <em>e.g.</em>

687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron <code>--with-suexec-bin=/usr/sbin/suexec</code></dd>

687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron

5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen <dt><code>--with-suexec-caller=<em>UID</em></code></dt>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

d0dd037bdab65b455b4056d58be501ca14e61dfemartin <dd>The <a href="mod/mpm_common.html#user">username</a> under which

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen httpd normally runs. This is the only user allowed to

f6066dc0a6ad0432b74774e290c04c3cc4aa2dafrbowen execute the suEXEC wrapper.</dd>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen <dt><code>--with-suexec-userdir=<em>DIR</em></code></dt>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dd>Define to be the subdirectory under users' home

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen directories where suEXEC access should be allowed. All

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen executables under this directory will be executable by suEXEC

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen as the user so they should be "safe" programs. If you are

e1e8390280254f7f0580d701e583f670643d4f3fnilgun using a "simple" <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun directive (ie. one without a "*" in it) this should be set to the same

e1e8390280254f7f0580d701e583f670643d4f3fnilgun value. suEXEC will not work properly in cases where the <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code> directive points to

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen a location that is not the same as the user's home directory

e1e8390280254f7f0580d701e583f670643d4f3fnilgun as referenced in the <code>passwd</code> file. Default value is

e1e8390280254f7f0580d701e583f670643d4f3fnilgun "<code>public_html</code>".<br />

e1e8390280254f7f0580d701e583f670643d4f3fnilgun If you have virtual hosts with a different <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code> for each,

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen you will need to define them to all reside in one parent

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen directory; then name that parent directory here. <strong>If

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen this is not defined properly, "~userdir" cgi requests will

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen not work!</strong></dd>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron <dt><code>--with-suexec-docroot=<em>DIR</em></code></dt>

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen <dd>Define as the DocumentRoot set for httpd. This will be

e1e8390280254f7f0580d701e583f670643d4f3fnilgun the only hierarchy (aside from <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code>s) that can be used for suEXEC behavior. The

e1e8390280254f7f0580d701e583f670643d4f3fnilgun default directory is the <code>--datadir</code> value with the suffix

e1e8390280254f7f0580d701e583f670643d4f3fnilgun "<code>/htdocs</code>", <em>e.g.</em> if you configure with

e1e8390280254f7f0580d701e583f670643d4f3fnilgun "<code>--datadir=/home/apache</code>" the directory

e1e8390280254f7f0580d701e583f670643d4f3fnilgun "<code>/home/apache/htdocs</code>" is used as document root for the

e1e8390280254f7f0580d701e583f670643d4f3fnilgun suEXEC wrapper.</dd>

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron

5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen <dt><code>--with-suexec-uidmin=<em>UID</em></code></dt>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dd>Define this as the lowest UID allowed to be a target user

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen for suEXEC. For most systems, 500 or 100 is common. Default

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen value is 100.</dd>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen <dt><code>--with-suexec-gidmin=<em>GID</em></code></dt>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dd>Define this as the lowest GID allowed to be a target

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen group for suEXEC. For most systems, 100 is common and

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen therefore used as default value.</dd>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron <dt><code>--with-suexec-logfile=<em>FILE</em></code></dt>

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron <dd>This defines the filename to which all suEXEC

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron transactions and errors are logged (useful for auditing and

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron debugging purposes). By default the logfile is named

e1e8390280254f7f0580d701e583f670643d4f3fnilgun "<code>suexec_log</code>" and located in your standard logfile

e1e8390280254f7f0580d701e583f670643d4f3fnilgun directory (<code>--logfiledir</code>).</dd>

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron

5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dd>Define a safe PATH environment to pass to CGI

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen executables. Default value is

e1e8390280254f7f0580d701e583f670643d4f3fnilgun "<code>/usr/local/bin:/usr/bin:/bin</code>".</dd>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </dl>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

e1e8390280254f7f0580d701e583f670643d4f3fnilgun <h3>Compiling and installing the suEXEC wrapper</h3>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun

e1e8390280254f7f0580d701e583f670643d4f3fnilgun

e1e8390280254f7f0580d701e583f670643d4f3fnilgun <p>If you have enabled the suEXEC feature with the

e1e8390280254f7f0580d701e583f670643d4f3fnilgun <code>--enable-suexec</code> option the <code>suexec</code> binary

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen (together with httpd itself) is automatically built if you execute

e1e8390280254f7f0580d701e583f670643d4f3fnilgun the <code>make</code> command.</p>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun

e1e8390280254f7f0580d701e583f670643d4f3fnilgun <p>After all components have been built you can execute the

e1e8390280254f7f0580d701e583f670643d4f3fnilgun command <code>make install</code> to install them. The binary image

e1e8390280254f7f0580d701e583f670643d4f3fnilgun <code>suexec</code> is installed in the directory defined by the

e1e8390280254f7f0580d701e583f670643d4f3fnilgun <code>--sbindir</code> option. The default location is

e1e8390280254f7f0580d701e583f670643d4f3fnilgun "/usr/local/apache2/bin/suexec".</p>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun

e1e8390280254f7f0580d701e583f670643d4f3fnilgun <p>Please note that you need <strong><em>root

e1e8390280254f7f0580d701e583f670643d4f3fnilgun privileges</em></strong> for the installation step. In order

e1e8390280254f7f0580d701e583f670643d4f3fnilgun for the wrapper to set the user ID, it must be installed as

e1e8390280254f7f0580d701e583f670643d4f3fnilgun owner <code><em>root</em></code> and must have the setuserid

e1e8390280254f7f0580d701e583f670643d4f3fnilgun execution bit set for file modes.</p>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun

e1e8390280254f7f0580d701e583f670643d4f3fnilgun

e1e8390280254f7f0580d701e583f670643d4f3fnilgun <h3>Setting paranoid permissions</h3>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun

e1e8390280254f7f0580d701e583f670643d4f3fnilgun

e1e8390280254f7f0580d701e583f670643d4f3fnilgun <p>Although the suEXEC wrapper will check to ensure that its

e1e8390280254f7f0580d701e583f670643d4f3fnilgun caller is the correct user as specified with the

e1e8390280254f7f0580d701e583f670643d4f3fnilgun <code>--with-suexec-caller</code> <code class="program"><a href="/programs/configure.html">configure</a></code>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun option, there is

e1e8390280254f7f0580d701e583f670643d4f3fnilgun always the possibility that a system or library call suEXEC uses

e1e8390280254f7f0580d701e583f670643d4f3fnilgun before this check may be exploitable on your system. To counter

e1e8390280254f7f0580d701e583f670643d4f3fnilgun this, and because it is best-practise in general, you should use

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen filesystem permissions to ensure that only the group httpd

e1e8390280254f7f0580d701e583f670643d4f3fnilgun runs as may execute suEXEC.</p>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun

e1e8390280254f7f0580d701e583f670643d4f3fnilgun <p>If for example, your web server is configured to run as:</p>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun

c3c006c28c5b03892ccaef6e4d2cbb15a13a2072rbowen <pre class="prettyprint lang-config">

c3c006c28c5b03892ccaef6e4d2cbb15a13a2072rbowenUser www

c3c006c28c5b03892ccaef6e4d2cbb15a13a2072rbowenGroup webgroup

c3c006c28c5b03892ccaef6e4d2cbb15a13a2072rbowen </pre>

c3c006c28c5b03892ccaef6e4d2cbb15a13a2072rbowen

e1e8390280254f7f0580d701e583f670643d4f3fnilgun

e1e8390280254f7f0580d701e583f670643d4f3fnilgun <p>and <code class="program"><a href="/programs/suexec.html">suexec</a></code> is installed at

e1e8390280254f7f0580d701e583f670643d4f3fnilgun "/usr/local/apache2/bin/suexec", you should run:</p>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun

e1e8390280254f7f0580d701e583f670643d4f3fnilgun <div class="example"><p><code>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun chgrp webgroup /usr/local/apache2/bin/suexec<br />

e1e8390280254f7f0580d701e583f670643d4f3fnilgun chmod 4750 /usr/local/apache2/bin/suexec<br />

e1e8390280254f7f0580d701e583f670643d4f3fnilgun </code></p></div>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen <p>This will ensure that only the group httpd runs as can even

e1e8390280254f7f0580d701e583f670643d4f3fnilgun execute the suEXEC wrapper.</p>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="enable" id="enable">Enabling &amp; Disabling

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive suEXEC</a></h2>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen <p>Upon startup of httpd, it looks for the file

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim <code class="program"><a href="/programs/suexec.html">suexec</a></code> in the directory defined by the

5f48875017569cc7610b17d852c44e02684d9d5aerikabele <code>--sbindir</code> option (default is

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen "/usr/local/apache/sbin/suexec"). If httpd finds a properly

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configured suEXEC wrapper, it will print the following message

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to the error log:</p>

5f48875017569cc7610b17d852c44e02684d9d5aerikabele

181e56d8b348d301d615ccf5465ae600fee2867berikabele<div class="example"><p><code>

9bcfc3697a91b5215893a7d0206865b13fc72148nd [notice] suEXEC mechanism enabled (wrapper: <var>/path/to/suexec</var>)

181e56d8b348d301d615ccf5465ae600fee2867berikabele</code></p></div>

5f48875017569cc7610b17d852c44e02684d9d5aerikabele

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>If you don't see this message at server startup, the server is

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen most likely not finding the wrapper program where it expects

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive it, or the executable is not installed <em>setuid root</em>.</p>

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>If you want to enable the suEXEC mechanism for the first time

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen and an Apache HTTP Server is already running you must kill and

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen restart httpd. Restarting it with a simple HUP or USR1 signal

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive will not be enough. </p>

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>If you want to disable suEXEC you should kill and restart

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen httpd after you have removed the <code class="program"><a href="/programs/suexec.html">suexec</a></code> file.</p>

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="usage" id="usage">Using suEXEC</a></h2>

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive

53feb1d7d644e42dcc617b35516598bb15e8bcc1slive <p>Requests for CGI programs will call the suEXEC wrapper only if

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim they are for a virtual host containing a <code class="directive"><a href="/mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive or if

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim they are processed by <code class="module"><a href="/mod/mod_userdir.html">mod_userdir</a></code>.</p>

53feb1d7d644e42dcc617b35516598bb15e8bcc1slive

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p><strong>Virtual Hosts:</strong><br /> One way to use the suEXEC

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim wrapper is through the <code class="directive"><a href="/mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive in

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim <code class="directive"><a href="/mod/core.html#virtualhost">VirtualHost</a></code> definitions. By

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive setting this directive to values different from the main server

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive user ID, all requests for CGI resources will be executed as the

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim <em>User</em> and <em>Group</em> defined for that <code class="directive"><a href="/mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code>. If this

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim directive is not specified for a <code class="directive"><a href="/mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code> then the main server userid

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive is assumed.</p>

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive

53feb1d7d644e42dcc617b35516598bb15e8bcc1slive <p><strong>User directories:</strong><br /> Requests that are

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim processed by <code class="module"><a href="/mod/mod_userdir.html">mod_userdir</a></code> will call the suEXEC

53feb1d7d644e42dcc617b35516598bb15e8bcc1slive wrapper to execute CGI programs under the userid of the requested

53feb1d7d644e42dcc617b35516598bb15e8bcc1slive user directory. The only requirement needed for this feature to

53feb1d7d644e42dcc617b35516598bb15e8bcc1slive work is for CGI execution to be enabled for the user and that the

53feb1d7d644e42dcc617b35516598bb15e8bcc1slive script must meet the scrutiny of the <a href="#model">security

53feb1d7d644e42dcc617b35516598bb15e8bcc1slive checks</a> above. See also the

53feb1d7d644e42dcc617b35516598bb15e8bcc1slive <code>--with-suexec-userdir</code> <a href="#install">compile

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim time option</a>.</p> </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="debug" id="debug">Debugging suEXEC</a></h2>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>The suEXEC wrapper will write log information

5f48875017569cc7610b17d852c44e02684d9d5aerikabele to the file defined with the <code>--with-suexec-logfile</code>

5f48875017569cc7610b17d852c44e02684d9d5aerikabele option as indicated above. If you feel you have configured and

5f48875017569cc7610b17d852c44e02684d9d5aerikabele installed the wrapper properly, have a look at this log and the

5f48875017569cc7610b17d852c44e02684d9d5aerikabele error_log for the server to see where you may have gone astray.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="jabberwock" id="jabberwock">Beware the Jabberwock:

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive Warnings &amp; Examples</a></h2>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p><strong>NOTE!</strong> This section may not be

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen complete. For the latest revision of this section of the

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen documentation, see the <a href="http://httpd.apache.org/docs/trunk/suexec.html">Online

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Documentation</a> version.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>There are a few points of interest regarding

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the wrapper that can cause limitations on server setup. Please

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen review these before submitting any "bugs" regarding suEXEC.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <ul>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li><strong>suEXEC Points Of Interest</strong></li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun Hierarchy limitations

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

5f48875017569cc7610b17d852c44e02684d9d5aerikabele For security and efficiency reasons, all suEXEC requests

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen must remain within either a top-level document root for

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen virtual host requests, or one top-level personal document

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen root for userdir requests. For example, if you have four

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen VirtualHosts configured, you would need to structure all

7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen of your VHosts' document roots off of one main httpd

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen document hierarchy to take advantage of suEXEC for

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen VirtualHosts. (Example forthcoming.)

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun suEXEC's PATH environment variable

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen This can be a dangerous thing to change. Make certain

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen every path you include in this define is a

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>trusted</strong> directory. You don't want to

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen open people up to having someone from across the world

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen running a trojan horse on them.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

e1e8390280254f7f0580d701e583f670643d4f3fnilgun Altering the suEXEC code

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Again, this can cause <strong>Big Trouble</strong> if you

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen try this without knowing what you are doing. Stay away

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen from it if at all possible.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </ul>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

5a58787efeb02a1c3f06569d019ad81fd2efa06end</div></div>

3b3b7fc78d1f5bfc2769903375050048ff41ff26nd<div class="bottomlang">

7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<p><span>Available Languages: </span><a href="/en/suexec.html" title="English">&nbsp;en&nbsp;</a> |

af84459fbf938e508fd10b01cb8d699c79083813takashi<a href="/fr/suexec.html" hreflang="fr" rel="alternate" title="Fran�ais">&nbsp;fr&nbsp;</a> |

7f5b59ccc63c0c0e3e678a168f09ee6a2f51f9d0nd<a href="/ja/suexec.html" hreflang="ja" rel="alternate" title="Japanese">&nbsp;ja&nbsp;</a> |

e1e8390280254f7f0580d701e583f670643d4f3fnilgun<a href="/ko/suexec.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a> |

f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung<a href="/tr/suexec.html" hreflang="tr" rel="alternate" title="T�rk�e">&nbsp;tr&nbsp;</a></p>

30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh</div><div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>This section is experimental!</strong><br />Comments placed here should not be expected

19737f4fbef1805f9c3e9e045bb6d710a1e5e10fhumbedoohto last beyond the testing phase of this system, nor do we in any way guarantee that we'll read them.</div>

0d0ba3a410038e179b695446bb149cce6264e0abnd<script type="text/javascript"><!--//--><![CDATA[//><!--

30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh//--><!]]></script></div><div id="footer">

5effc8b39fae5cd169d17f342bfc265705840014rbowen<p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>

d229f940abfb2490dee17979e9a5ff31b7012eb5rbowen<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--

7fec19672a491661b2fe4b29f685bc7f4efa64d4nd//--><!]]></script>

5a58787efeb02a1c3f06569d019ad81fd2efa06end</body></html>