181e56d8b348d301d615ccf5465ae600fee2867berikabele<?xml version="1.0" encoding="ISO-8859-1"?>

181e56d8b348d301d615ccf5465ae600fee2867berikabele<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

181e56d8b348d301d615ccf5465ae600fee2867berikabele<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--

5a58787efeb02a1c3f06569d019ad81fd2efa06end<title>suEXEC Support - Apache HTTP Server</title>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />

5a58787efeb02a1c3f06569d019ad81fd2efa06end<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />

5a58787efeb02a1c3f06569d019ad81fd2efa06end<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />

5a58787efeb02a1c3f06569d019ad81fd2efa06end<link href="/images/favicon.ico" rel="shortcut icon" /></head>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<body id="manual-page"><div id="page-header">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="/faq/">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<p class="apache">Apache HTTP Server Version 2.1</p>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<img alt="" src="/images/feather.gif" /></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="/images/left.gif" /></a></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div id="path">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs-project/">Documentation</a> &gt; <a href="./">Version 2.1</a></div><div id="page-content"><div id="preamble"><h1>suEXEC Support</h1>

3b3b7fc78d1f5bfc2769903375050048ff41ff26nd<div class="toplang">

3b3b7fc78d1f5bfc2769903375050048ff41ff26nd<p><span>Available Languages: </span><a href="/en/suexec.html">&nbsp;en&nbsp;</a> | <a href="/ja/suexec.html">&nbsp;ja&nbsp;</a></p>

3b3b7fc78d1f5bfc2769903375050048ff41ff26nd</div>

3b3b7fc78d1f5bfc2769903375050048ff41ff26nd

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>The <strong>suEXEC</strong> feature provides

a30b4d95058922cb01453fb07c5ac66d6544571eslive Apache users the ability

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to run <strong>CGI</strong> and <strong>SSI</strong> programs

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen under user IDs different from the user ID of the calling

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen web-server. Normally, when a CGI or SSI program executes, it

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen runs as the same user who is running the web server.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Used properly, this feature can reduce

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen considerably the security risks involved with allowing users to

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen develop and run private CGI or SSI programs. However, if suEXEC

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen is improperly configured, it can cause any number of problems

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen and possibly create new holes in your computer's security. If

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen you aren't familiar with managing setuid root programs and the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen security issues they present, we highly recommend that you not

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen consider using suEXEC.</p>

5a58787efeb02a1c3f06569d019ad81fd2efa06end </div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div id="quickview"><ul id="toc"><li><img alt="" src="/images/down.gif" /> <a href="#before">Before we begin</a></li>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<li><img alt="" src="/images/down.gif" /> <a href="#model">suEXEC Security Model</a></li>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<li><img alt="" src="/images/down.gif" /> <a href="#install">Configuring &amp; Installing

5a58787efeb02a1c3f06569d019ad81fd2efa06end suEXEC</a></li>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<li><img alt="" src="/images/down.gif" /> <a href="#enable">Enabling &amp; Disabling

5a58787efeb02a1c3f06569d019ad81fd2efa06end suEXEC</a></li>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<li><img alt="" src="/images/down.gif" /> <a href="#usage">Using suEXEC</a></li>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<li><img alt="" src="/images/down.gif" /> <a href="#debug">Debugging suEXEC</a></li>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<li><img alt="" src="/images/down.gif" /> <a href="#jabberwock">Beware the Jabberwock:

5a58787efeb02a1c3f06569d019ad81fd2efa06end Warnings &amp; Examples</a></li>

5a58787efeb02a1c3f06569d019ad81fd2efa06end</ul></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="before" id="before">Before we begin</a></h2>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Before jumping head-first into this document,

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen you should be aware of the assumptions made on the part of the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Apache Group and this document.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>First, it is assumed that you are using a UNIX

e884f58207082fa2136d5fc86635c31252338948erikabele derivative operating system that is capable of

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>setuid</strong> and <strong>setgid</strong> operations.

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen All command examples are given in this regard. Other platforms,

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen if they are capable of supporting suEXEC, may differ in their

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configuration.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Second, it is assumed you are familiar with

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen some basic concepts of your computer's security and its

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen administration. This involves an understanding of

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>setuid/setgid</strong> operations and the various

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen effects they may have on your system and its level of

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen security.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Third, it is assumed that you are using an

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>unmodified</strong> version of suEXEC code. All code

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen for suEXEC has been carefully scrutinized and tested by the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen developers as well as numerous beta testers. Every precaution

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen has been taken to ensure a simple yet solidly safe base of

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen code. Altering this code can cause unexpected problems and new

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen security risks. It is <strong>highly</strong> recommended you

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen not alter the suEXEC code unless you are well versed in the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen particulars of security programming and are willing to share

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen your work with the Apache Group for consideration.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Fourth, and last, it has been the decision of

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the Apache Group to <strong>NOT</strong> make suEXEC part of

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the default installation of Apache. To this end, suEXEC

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configuration requires of the administrator careful attention

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to details. After due consideration has been given to the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen various settings for suEXEC, the administrator may install

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen suEXEC through normal installation methods. The values for

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen these settings need to be carefully determined and specified by

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the administrator to properly maintain system security during

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the use of suEXEC functionality. It is through this detailed

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen process that the Apache Group hopes to limit suEXEC

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen installation only to those who are careful and determined

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen enough to use it.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Still with us? Yes? Good. Let's move on!</p>

5a58787efeb02a1c3f06569d019ad81fd2efa06end</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="model" id="model">suEXEC Security Model</a></h2>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Before we begin configuring and installing

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen suEXEC, we will first discuss the security model you are about

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to implement. By doing so, you may better understand what

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen exactly is going on inside suEXEC and what precautions are

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen taken to ensure your system's security.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p><strong>suEXEC</strong> is based on a setuid

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen "wrapper" program that is called by the main Apache web server.

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen This wrapper is called when an HTTP request is made for a CGI

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen or SSI program that the administrator has designated to run as

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen a userid other than that of the main server. When such a

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen request is made, Apache provides the suEXEC wrapper with the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen program's name and the user and group IDs under which the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen program is to execute.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>The wrapper then employs the following process

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to determine success or failure -- if any one of these

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen conditions fail, the program logs the failure and exits with an

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen error, otherwise it will continue:</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <ol>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Was the wrapper called with the proper number of

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen arguments?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen The wrapper will only execute if it is given the proper

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen number of arguments. The proper argument format is known

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to the Apache web server. If the wrapper is not receiving

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the proper number of arguments, it is either being

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen hacked, or there is something wrong with the suEXEC

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen portion of your Apache binary.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the user executing this wrapper a valid user of

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen this system?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen This is to ensure that the user executing the wrapper is

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen truly a user of the system.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is this valid user allowed to run the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen wrapper?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Is this user the user allowed to run this wrapper? Only

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen one user (the Apache user) is allowed to execute this

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen program.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Does the target program have an unsafe hierarchical

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen reference?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Does the target program contain a leading '/' or have a

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen '..' backreference? These are not allowed; the target

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen program must reside within the Apache webspace.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target user name valid?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Does the target user exist?

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target group name valid?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Does the target group exist?

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target user <em>NOT</em> superuser?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Presently, suEXEC does not allow 'root' to execute

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen CGI/SSI programs.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target userid <em>ABOVE</em> the minimum ID

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen number?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen The minimum user ID number is specified during

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configuration. This allows you to set the lowest possible

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen userid that will be allowed to execute CGI/SSI programs.

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen This is useful to block out "system" accounts.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target group <em>NOT</em> the superuser

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen group?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Presently, suEXEC does not allow the 'root' group to

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen execute CGI/SSI programs.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target groupid <em>ABOVE</em> the minimum ID

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen number?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen The minimum group ID number is specified during

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configuration. This allows you to set the lowest possible

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen groupid that will be allowed to execute CGI/SSI programs.

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen This is useful to block out "system" groups.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Can the wrapper successfully become the target user

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen and group?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Here is where the program becomes the target user and

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen group via setuid and setgid calls. The group access list

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen is also initialized with all of the groups of which the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen user is a member.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Does the directory in which the program resides

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen exist?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen If it doesn't exist, it can't very well contain files.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the directory within the Apache

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen webspace?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen If the request is for a regular portion of the server, is

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the requested directory within the server's document

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen root? If the request is for a UserDir, is the requested

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen directory within the user's document root?

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the directory <em>NOT</em> writable by anyone

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen else?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen We don't want to open up the directory to others; only

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the owner user may be able to alter this directories

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen contents.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Does the target program exist?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen If it doesn't exists, it can't very well be executed.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target program <em>NOT</em> writable by

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen anyone else?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen We don't want to give anyone other than the owner the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen ability to change the program.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target program <em>NOT</em> setuid or

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen setgid?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen We do not want to execute programs that will then change

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen our UID/GID again.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target user/group the same as the program's

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen user/group?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Is the user the owner of the file?

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Can we successfully clean the process environment

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to ensure safe operations?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen suEXEC cleans the process' environment by establishing a

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen safe execution PATH (defined during configuration), as

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen well as only passing through those variables whose names

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen are listed in the safe environment list (also created

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen during configuration).

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Can we successfully become the target program and

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen execute?</strong>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Here is where suEXEC ends and the target program begins.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </ol>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

e884f58207082fa2136d5fc86635c31252338948erikabele <p>This is the standard operation of the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen suEXEC wrapper's security model. It is somewhat stringent and

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen can impose new limitations and guidelines for CGI/SSI design,

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen but it was developed carefully step-by-step with security in

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen mind.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>For more information as to how this security

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen model can limit your possibilities in regards to server

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configuration, as well as what security risks can be avoided

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive with a proper suEXEC setup, see the <a href="#jabberwock">"Beware the Jabberwock"</a> section of this

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen document.</p>

5a58787efeb02a1c3f06569d019ad81fd2efa06end</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="install" id="install">Configuring &amp; Installing

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive suEXEC</a></h2>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Here's where we begin the fun.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p><strong>suEXEC configuration

181e56d8b348d301d615ccf5465ae600fee2867berikabele options</strong><br />

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dl>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dt><code>--enable-suexec</code></dt>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dd>This option enables the suEXEC feature which is never

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen installed or activated by default. At least one

5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen --with-suexec-xxxxx option has to be provided together with the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen --enable-suexec option to let APACI accept your request for

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen using the suEXEC feature.</dd>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>

687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron

687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron <dd>The path to the suexec binary must be hard-coded in

687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron the server for security reasons. Use this option to override

687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron the default path. <em>e.g.</em>

687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron <code>--with-suexec-bin=/usr/sbin/suexec</code></dd>

687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron

5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen <dt><code>--with-suexec-caller=<em>UID</em></code></dt>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

d0dd037bdab65b455b4056d58be501ca14e61dfemartin <dd>The <a href="mod/mpm_common.html#user">username</a> under which

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Apache normally runs. This is the only user allowed to

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen execute this program.</dd>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen <dt><code>--with-suexec-userdir=<em>DIR</em></code></dt>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dd>Define to be the subdirectory under users' home

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen directories where suEXEC access should be allowed. All

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen executables under this directory will be executable by suEXEC

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen as the user so they should be "safe" programs. If you are

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen using a "simple" UserDir directive (ie. one without a "*" in

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen it) this should be set to the same value. suEXEC will not

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen work properly in cases where the UserDir directive points to

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen a location that is not the same as the user's home directory

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen as referenced in the passwd file. Default value is

181e56d8b348d301d615ccf5465ae600fee2867berikabele "public_html".<br />

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen If you have virtual hosts with a different UserDir for each,

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen you will need to define them to all reside in one parent

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen directory; then name that parent directory here. <strong>If

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen this is not defined properly, "~userdir" cgi requests will

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen not work!</strong></dd>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron <dt><code>--with-suexec-docroot=<em>DIR</em></code></dt>

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron <dd>Define as the DocumentRoot set for Apache. This will be

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron the only hierarchy (aside from UserDirs) that can be used for

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron suEXEC behavior. The default directory is the --datadir value

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron with the suffix "/htdocs", <em>e.g.</em> if you configure

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron with "<code>--datadir=/home/apache</code>" the directory

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron "/home/apache/htdocs" is used as document root for the suEXEC

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron wrapper.</dd>

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron

5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen <dt><code>--with-suexec-uidmin=<em>UID</em></code></dt>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dd>Define this as the lowest UID allowed to be a target user

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen for suEXEC. For most systems, 500 or 100 is common. Default

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen value is 100.</dd>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen <dt><code>--with-suexec-gidmin=<em>GID</em></code></dt>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dd>Define this as the lowest GID allowed to be a target

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen group for suEXEC. For most systems, 100 is common and

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen therefore used as default value.</dd>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron <dt><code>--with-suexec-logfile=<em>FILE</em></code></dt>

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron <dd>This defines the filename to which all suEXEC

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron transactions and errors are logged (useful for auditing and

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron debugging purposes). By default the logfile is named

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron "suexec_log" and located in your standard logfile directory

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron (--logfiledir).</dd>

ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron

5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dd>Define a safe PATH environment to pass to CGI

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen executables. Default value is

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen "/usr/local/bin:/usr/bin:/bin".</dd>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </dl>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p><strong>Checking your suEXEC

181e56d8b348d301d615ccf5465ae600fee2867berikabele setup</strong><br />

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Before you compile and install the suEXEC wrapper you can

181e56d8b348d301d615ccf5465ae600fee2867berikabele check the configuration with the --layout option.<br />

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Example output:</p>

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive

181e56d8b348d301d615ccf5465ae600fee2867berikabele<div class="example"><p><code>

181e56d8b348d301d615ccf5465ae600fee2867berikabele suEXEC setup:<br />

181e56d8b348d301d615ccf5465ae600fee2867berikabele suexec binary: /usr/local/apache/sbin/suexec<br />

181e56d8b348d301d615ccf5465ae600fee2867berikabele document root: /usr/local/apache/share/htdocs<br />

181e56d8b348d301d615ccf5465ae600fee2867berikabele userdir suffix: public_html<br />

181e56d8b348d301d615ccf5465ae600fee2867berikabele logfile: /usr/local/apache/var/log/suexec_log<br />

181e56d8b348d301d615ccf5465ae600fee2867berikabele safe path: /usr/local/bin:/usr/bin:/bin<br />

181e56d8b348d301d615ccf5465ae600fee2867berikabele caller ID: www<br />

181e56d8b348d301d615ccf5465ae600fee2867berikabele minimum user ID: 100<br />

181e56d8b348d301d615ccf5465ae600fee2867berikabele minimum group ID: 100<br />

181e56d8b348d301d615ccf5465ae600fee2867berikabele</code></p></div>

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p><strong>Compiling and installing the suEXEC

181e56d8b348d301d615ccf5465ae600fee2867berikabele wrapper</strong><br />

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen If you have enabled the suEXEC feature with the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen --enable-suexec option the suexec binary (together with Apache

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen itself) is automatically built if you execute the command

181e56d8b348d301d615ccf5465ae600fee2867berikabele "make".<br />

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen After all components have been built you can execute the

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen command "make install" to install them. The binary image

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen "suexec" is installed in the directory defined by the --sbindir

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen option. Default location is

181e56d8b348d301d615ccf5465ae600fee2867berikabele "/usr/local/apache/sbin/suexec".<br />

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Please note that you need <strong><em>root

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen privileges</em></strong> for the installation step. In order

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen for the wrapper to set the user ID, it must be installed as

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen owner <code><em>root</em></code> and must have the setuserid

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen execution bit set for file modes.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

5a58787efeb02a1c3f06569d019ad81fd2efa06end</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="enable" id="enable">Enabling &amp; Disabling

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive suEXEC</a></h2>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Upon startup of Apache, it looks for the file

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen "suexec" in the "sbin" directory (default is

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen "/usr/local/apache/sbin/suexec"). If Apache finds a properly

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configured suEXEC wrapper, it will print the following message

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to the error log:</p>

181e56d8b348d301d615ccf5465ae600fee2867berikabele<div class="example"><p><code>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen [notice] suEXEC mechanism enabled (wrapper: <em>/path/to/suexec</em>)

181e56d8b348d301d615ccf5465ae600fee2867berikabele</code></p></div>

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>If you don't see this message at server startup, the server is

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen most likely not finding the wrapper program where it expects

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive it, or the executable is not installed <em>setuid root</em>.</p>

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>If you want to enable the suEXEC mechanism for the first time

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen and an Apache server is already running you must kill and

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen restart Apache. Restarting it with a simple HUP or USR1 signal

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive will not be enough. </p>

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>If you want to disable suEXEC you should kill and restart

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive Apache after you have removed the "suexec" file. </p>

5a58787efeb02a1c3f06569d019ad81fd2efa06end</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="usage" id="usage">Using suEXEC</a></h2>

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p><strong>Virtual Hosts:</strong><br /> One way to use the suEXEC

181e56d8b348d301d615ccf5465ae600fee2867berikabele wrapper is through the <code class="directive"><a href="/mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive in

181e56d8b348d301d615ccf5465ae600fee2867berikabele <code class="directive"><a href="/mod/core.html#virtualhost">VirtualHost</a></code> definitions. By

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive setting this directive to values different from the main server

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive user ID, all requests for CGI resources will be executed as the

181e56d8b348d301d615ccf5465ae600fee2867berikabele <em>User</em> and <em>Group</em> defined for that <code class="directive"><a href="/mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code>. If this

181e56d8b348d301d615ccf5465ae600fee2867berikabele directive is not specified for a <code class="directive"><a href="/mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code> then the main server userid

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive is assumed.</p>

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p><strong>User directories:</strong><br />

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen The suEXEC wrapper can also be used to execute CGI programs as

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the user to which the request is being directed. This is

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen accomplished by using the "<strong><code>~</code></strong>"

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen character prefixing the user ID for whom execution is desired.

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen The only requirement needed for this feature to work is for CGI

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen execution to be enabled for the user and that the script must

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen meet the scrutiny of the <a href="#model">security checks</a>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen above.</p>

5a58787efeb02a1c3f06569d019ad81fd2efa06end</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="debug" id="debug">Debugging suEXEC</a></h2>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>The suEXEC wrapper will write log information

5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen to the file defined with the --with-suexec-logfile option as

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen indicated above. If you feel you have configured and installed

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the wrapper properly, have a look at this log and the error_log

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen for the server to see where you may have gone astray.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

5a58787efeb02a1c3f06569d019ad81fd2efa06end</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="jabberwock" id="jabberwock">Beware the Jabberwock:

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive Warnings &amp; Examples</a></h2>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p><strong>NOTE!</strong> This section may not be

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen complete. For the latest revision of this section of the

4e191199a0aeab09d78df8f5579e745572e8b7bcwsanchez documentation, see the Apache Group's <a href="http://httpd.apache.org/docs-2.1/suexec.html">Online

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Documentation</a> version.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>There are a few points of interest regarding

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the wrapper that can cause limitations on server setup. Please

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen review these before submitting any "bugs" regarding suEXEC.</p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <ul>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li><strong>suEXEC Points Of Interest</strong></li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Hierarchy limitations

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen For security and efficiency reasons, all suexec requests

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen must remain within either a top-level document root for

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen virtual host requests, or one top-level personal document

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen root for userdir requests. For example, if you have four

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen VirtualHosts configured, you would need to structure all

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen of your VHosts' document roots off of one main Apache

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen document hierarchy to take advantage of suEXEC for

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen VirtualHosts. (Example forthcoming.)

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen suEXEC's PATH environment variable

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen This can be a dangerous thing to change. Make certain

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen every path you include in this define is a

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>trusted</strong> directory. You don't want to

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen open people up to having someone from across the world

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen running a trojan horse on them.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Altering the suEXEC code

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Again, this can cause <strong>Big Trouble</strong> if you

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen try this without knowing what you are doing. Stay away

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen from it if at all possible.

181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </ul>

57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen

5a58787efeb02a1c3f06569d019ad81fd2efa06end</div></div>

3b3b7fc78d1f5bfc2769903375050048ff41ff26nd<div class="bottomlang">

3b3b7fc78d1f5bfc2769903375050048ff41ff26nd<p><span>Available Languages: </span><a href="/en/suexec.html">&nbsp;en&nbsp;</a> | <a href="/ja/suexec.html">&nbsp;ja&nbsp;</a></p>

3b3b7fc78d1f5bfc2769903375050048ff41ff26nd</div><div id="footer">

5a58787efeb02a1c3f06569d019ad81fd2efa06end<p class="apache">Maintained by the <a href="http://httpd.apache.org/docs-project/">Apache HTTP Server Documentation Project</a></p>

5a58787efeb02a1c3f06569d019ad81fd2efa06end<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="/faq/">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div>

5a58787efeb02a1c3f06569d019ad81fd2efa06end</body></html>