suexec.html.en revision 19737f4fbef1805f9c3e9e045bb6d710a1e5e10f
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 This file is generated from xml source: DO NOT EDIT
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 -->
<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />
<script src="/style/scripts/prettify.js" type="text/javascript"></script>
<link href="/images/favicon.ico" rel="shortcut icon" /></head>
</div><div id="page-content"><div id="preamble"><h1>suEXEC Support</h1>
 <p>The <strong>suEXEC</strong> feature provides users of the Apache
 HTTP Server the ability
 to run <strong>CGI</strong> and <strong>SSI</strong> programs
 under user IDs different from the user ID of the calling
 web server. Normally, when a CGI or SSI program executes, it
 runs as the same user who is running the web server.</p>
 <p>Used properly, this feature can considerably reduce
 the security risks involved with allowing users to
 develop and run private CGI or SSI programs. However, if suEXEC
 is improperly configured, it can cause any number of problems
 and possibly create new holes in your computer's security. If
 you aren't familiar with managing <em>setuid root</em> programs
 and the security issues they present, we highly recommend that
 you not consider using suEXEC.</p>
<div id="quickview"><ul id="toc"><li><img alt="" src="/images/down.gif" /> <a href="#before">Before we begin</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#model">suEXEC Security Model</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#install">Configuring &amp; Installing</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#enable">Enabling &amp; Disabling</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#usage">Using suEXEC</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#debug">Debugging suEXEC</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#jabberwock">Beware the Jabberwock:</a></li>
</ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section"><h2><a name="before" id="before">Before we begin</a></h2>
 <p>Before jumping head-first into this document,
 you should be aware that certain assumptions are made about you and
 the environment in which you will be using suEXEC.</p>
 <p>First, it is assumed that you are using a UNIX
 derivative operating system that is capable of
 <strong>setuid</strong> and <strong>setgid</strong> operations.
 All command examples are given in this regard. Other platforms,
 if they are capable of supporting suEXEC, may differ in their
 configuration.</p>
 <p>Second, it is assumed you are familiar with
 some basic concepts of your computer's security and its
 administration. This involves an understanding of
 <strong>setuid/setgid</strong> operations and the various
 effects they may have on your system and its level of
 security.</p>
 <p>Third, it is assumed that you are using an
 <strong>unmodified</strong> version of the suEXEC code. All code
 for suEXEC has been carefully scrutinized and tested by the
 developers as well as numerous beta testers. Every precaution
 has been taken to ensure a simple yet solidly safe base of
 code. Altering this code can cause unexpected problems and new
 security risks. It is <strong>highly</strong> recommended you
 not alter the suEXEC code unless you are well versed in the
 particulars of security programming and are willing to share
 your work with the Apache HTTP Server development team for consideration.</p>
 <p>Fourth, and last, it has been the decision of
 the Apache HTTP Server development team to <strong>NOT</strong> make suEXEC part of
 the default installation of Apache httpd. To this end, suEXEC
 configuration requires of the administrator careful attention
 to details. After due consideration has been given to the
 various settings for suEXEC, the administrator may install
 suEXEC through normal installation methods. The values for
 these settings need to be carefully determined and specified by
 the administrator to properly maintain system security during
 the use of suEXEC functionality. It is through this detailed
 process that we hope to limit suEXEC
 installation only to those who are careful and determined
 enough to use it.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section"><h2><a name="model" id="model">suEXEC Security Model</a></h2>
 <p>Before we begin configuring and installing
 suEXEC, we will first discuss the security model you are about
 to implement. By doing so, you may better understand what
 exactly is going on inside suEXEC and what precautions are
 taken to ensure your system's security.</p>
 <p>"wrapper" program that is called by the main Apache HTTP Server.
 This wrapper is called when an HTTP request is made for a CGI
 or SSI program that the administrator has designated to run as
 a userid other than that of the main server. When such a
 request is made, Apache httpd provides the suEXEC wrapper with the
 program's name and the user and group IDs under which the
 program is to execute.</p>
 <p>The wrapper then employs the following process
 to determine success or failure -- if any one of these
 conditions fails, the program logs the failure and exits with an
 error; otherwise it will continue:</p>
 <ol>
 <li><strong>Is the user executing this wrapper a valid user of
 this system?</strong><br />
 This is to ensure that the user executing the wrapper is
 truly a user of the system.</li>
 <li><strong>Was the wrapper called with the proper number of
 arguments?</strong><br />
 The wrapper will only execute if it is given the proper
 number of arguments. The proper argument format is known
 to the Apache HTTP Server. If the wrapper is not receiving
 the proper number of arguments, it is either being
 hacked, or there is something wrong with the suEXEC
 portion of your Apache httpd binary.</li>
 <li><strong>Is this valid user allowed to run the
 wrapper?</strong><br />
 Is this user the user allowed to run this wrapper? Only
 one user (the Apache user) is allowed to execute this</li>
 </ol>
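 <p>The three checks listed above, written out as an added C example; this is illustrative code, not Apache's own <code>suexec.c</code>. The caller name <code>www-data</code> (standing in for <code>--with-suexec-caller</code>), the argument count of four and the status codes are assumptions chosen for the example.</p>

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed stand-ins for the build-time settings, not values from suexec.c:
 * AP_HTTPD_USER plays the role of --with-suexec-caller, and SUEXEC_ARGC is
 * the argc httpd is assumed to pass (wrapper, target user, target group, command). */
#define AP_HTTPD_USER "www-data"
#define SUEXEC_ARGC   4

/* Constructed status codes: a real wrapper logs and exits on the first failure. */
enum suexec_status {
    SUEXEC_OK = 0,
    SUEXEC_ERR_INVALID_USER,  /* check 1: caller uid has no account on this system */
    SUEXEC_ERR_BAD_ARGC,      /* check 2: argc is wrong (tampering or a broken build) */
    SUEXEC_ERR_WRONG_CALLER   /* check 3: caller is not the httpd user */
};

/* Pure form of the three checks, testable without a setuid binary.
 * caller_name is NULL when the real uid resolved to no passwd entry. */
enum suexec_status check_caller(const char *caller_name, int argc,
                                const char *allowed_user)
{
    if (caller_name == NULL)
        return SUEXEC_ERR_INVALID_USER;
    if (argc != SUEXEC_ARGC)
        return SUEXEC_ERR_BAD_ARGC;
    if (strcmp(caller_name, allowed_user) != 0)
        return SUEXEC_ERR_WRONG_CALLER;
    return SUEXEC_OK;
}

/* In a setuid-root wrapper geteuid() is always 0, so only the *real* uid from
 * getuid() tells us who actually invoked the program. */
enum suexec_status check_real_caller(int argc)
{
    struct passwd *pw = getpwuid(getuid());
    return check_caller(pw ? pw->pw_name : NULL, argc, AP_HTTPD_USER);
}

int main(int argc, char **argv)
{
    enum suexec_status st = check_real_caller(argc);
    if (st != SUEXEC_OK)
        fprintf(stderr, "%s: refused, status %d\n", argv[0], (int)st); /* log, then exit */
    return (int)st;
}
```

 <p>Run as an ordinary user the program is refused at check 3, which is the behaviour the list describes for anyone other than the Apache user.</p>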
the request is for a <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code>, is the requested directory
with a proper suEXEC setup, see the <a href="#jabberwock">"Beware the Jabberwock"</a> section of this
value. suEXEC will not work properly in cases where the <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code> directive points to
If you have virtual hosts with a different <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code> for each,
the only hierarchy (aside from <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code>s) that can be used for suEXEC behavior. The
<code>--with-suexec-caller</code> <code class="program"><a href="/programs/configure.html">configure</a></code>
<code class="program"><a href="/programs/suexec.html">suexec</a></code> in the directory defined by the
httpd after you have removed the <code class="program"><a href="/programs/suexec.html">suexec</a></code> file.</p>
they are for a virtual host containing a <code class="directive"><a href="/mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive or if
they are processed by <code class="module"><a href="/mod/mod_userdir.html">mod_userdir</a></code>.</p>
wrapper is through the <code class="directive"><a href="/mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive in
<em>User</em> and <em>Group</em> defined for that <code class="directive"><a href="/mod/core.html#virtualhost"><VirtualHost></a></code>. If this
directive is not specified for a <code class="directive"><a href="/mod/core.html#virtualhost"><VirtualHost></a></code> then the main server userid
processed by <code class="module"><a href="/mod/mod_userdir.html">mod_userdir</a></code> will call the suEXEC
time option</a>.</p> </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
</div>
<p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
</div>