suexec.html.en revision 4aa603e6448b99f9371397d439795c91a93637ea
181e56d8b348d301d615ccf5465ae600fee2867berikabele<?xml version="1.0" encoding="ISO-8859-1"?>
181e56d8b348d301d615ccf5465ae600fee2867berikabele<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
181e56d8b348d301d615ccf5465ae600fee2867berikabele<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive This file is generated from xml source: DO NOT EDIT
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5a58787efeb02a1c3f06569d019ad81fd2efa06end -->
5a58787efeb02a1c3f06569d019ad81fd2efa06end<title>suEXEC Support - Apache HTTP Server</title>
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />
2e545ce2450a9953665f701bb05350f0d3f26275nd<script src="/style/scripts/prettify.min.js" type="text/javascript">
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen</script>
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<link href="/images/favicon.ico" rel="shortcut icon" /></head>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<body id="manual-page"><div id="page-header">
af33a4994ae2ff15bc67d19ff1a7feb906745bf8rbowen<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
3f08db06526d6901aa08c110b5bc7dde6bc39905nd<p class="apache">Apache HTTP Server Version 2.5</p>
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<img alt="" src="/images/feather.gif" /></div>
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="/images/left.gif" /></a></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<div id="path">
3f08db06526d6901aa08c110b5bc7dde6bc39905nd<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="./">Version 2.5</a></div><div id="page-content"><div id="preamble"><h1>suEXEC Support</h1>
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd<div class="toplang">
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<p><span>Available Languages: </span><a href="/en/suexec.html" title="English">&nbsp;en&nbsp;</a> |
af84459fbf938e508fd10b01cb8d699c79083813takashi<a href="/fr/suexec.html" hreflang="fr" rel="alternate" title="Fran�ais">&nbsp;fr&nbsp;</a> |
7f5b59ccc63c0c0e3e678a168f09ee6a2f51f9d0nd<a href="/ja/suexec.html" hreflang="ja" rel="alternate" title="Japanese">&nbsp;ja&nbsp;</a> |
e1e8390280254f7f0580d701e583f670643d4f3fnilgun<a href="/ko/suexec.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a> |
f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung<a href="/tr/suexec.html" hreflang="tr" rel="alternate" title="T�rk�e">&nbsp;tr&nbsp;</a></p>
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd</div>
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen <p>The <strong>suEXEC</strong> feature provides users of the Apache
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen HTTP Server the ability
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to run <strong>CGI</strong> and <strong>SSI</strong> programs
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen under user IDs different from the user ID of the calling
ce71a46e27f6e2ae210e1f925545aa6e4f74db74jsl web server. Normally, when a CGI or SSI program executes, it
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen runs as the same user who is running the web server.</p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Used properly, this feature can reduce
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen considerably the security risks involved with allowing users to
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen develop and run private CGI or SSI programs. However, if suEXEC
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen is improperly configured, it can cause any number of problems
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen and possibly create new holes in your computer's security. If
5f48875017569cc7610b17d852c44e02684d9d5aerikabele you aren't familiar with managing <em>setuid root</em> programs
5f48875017569cc7610b17d852c44e02684d9d5aerikabele and the security issues they present, we highly recommend that
5f48875017569cc7610b17d852c44e02684d9d5aerikabele you not consider using suEXEC.</p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </div>
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<div id="quickview"><ul id="toc"><li><img alt="" src="/images/down.gif" /> <a href="#before">Before we begin</a></li>
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<li><img alt="" src="/images/down.gif" /> <a href="#model">suEXEC Security Model</a></li>
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<li><img alt="" src="/images/down.gif" /> <a href="#install">Configuring &amp; Installing
5a58787efeb02a1c3f06569d019ad81fd2efa06end suEXEC</a></li>
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<li><img alt="" src="/images/down.gif" /> <a href="#enable">Enabling &amp; Disabling
5a58787efeb02a1c3f06569d019ad81fd2efa06end suEXEC</a></li>
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<li><img alt="" src="/images/down.gif" /> <a href="#usage">Using suEXEC</a></li>
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<li><img alt="" src="/images/down.gif" /> <a href="#debug">Debugging suEXEC</a></li>
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<li><img alt="" src="/images/down.gif" /> <a href="#jabberwock">Beware the Jabberwock:
5a58787efeb02a1c3f06569d019ad81fd2efa06end Warnings &amp; Examples</a></li>
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">
5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="before" id="before">Before we begin</a></h2>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Before jumping head-first into this document,
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen you should be aware that certain assumptions are made about you and
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen the environment in which you will be using suexec.</p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>First, it is assumed that you are using a UNIX
e884f58207082fa2136d5fc86635c31252338948erikabele derivative operating system that is capable of
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>setuid</strong> and <strong>setgid</strong> operations.
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen All command examples are given in this regard. Other platforms,
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen if they are capable of supporting suEXEC, may differ in their
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configuration.</p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Second, it is assumed you are familiar with
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen some basic concepts of your computer's security and its
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen administration. This involves an understanding of
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>setuid/setgid</strong> operations and the various
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen effects they may have on your system and its level of
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen security.</p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Third, it is assumed that you are using an
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>unmodified</strong> version of suEXEC code. All code
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen for suEXEC has been carefully scrutinized and tested by the
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen developers as well as numerous beta testers. Every precaution
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen has been taken to ensure a simple yet solidly safe base of
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen code. Altering this code can cause unexpected problems and new
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen security risks. It is <strong>highly</strong> recommended you
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen not alter the suEXEC code unless you are well versed in the
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen particulars of security programming and are willing to share
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen your work with the Apache HTTP Server development team for consideration.</p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Fourth, and last, it has been the decision of
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen the Apache HTTP Server development team to <strong>NOT</strong> make suEXEC part of
9045c2ce2212b7e911e8a27a4ae6aa9ca73f3d91rbowen the default installation of Apache httpd. To this end, suEXEC
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configuration requires of the administrator careful attention
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to details. After due consideration has been given to the
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen various settings for suEXEC, the administrator may install
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen suEXEC through normal installation methods. The values for
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen these settings need to be carefully determined and specified by
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the administrator to properly maintain system security during
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the use of suEXEC functionality. It is through this detailed
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen process that we hope to limit suEXEC
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen installation only to those who are careful and determined
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen enough to use it.</p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Still with us? Yes? Good. Let's move on!</p>
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">
5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="model" id="model">suEXEC Security Model</a></h2>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Before we begin configuring and installing
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen suEXEC, we will first discuss the security model you are about
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to implement. By doing so, you may better understand what
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen exactly is going on inside suEXEC and what precautions are
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen taken to ensure your system's security.</p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p><strong>suEXEC</strong> is based on a setuid
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen "wrapper" program that is called by the main Apache HTTP Server.
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen This wrapper is called when an HTTP request is made for a CGI
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen or SSI program that the administrator has designated to run as
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen a userid other than that of the main server. When such a
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen request is made, Apache httpd provides the suEXEC wrapper with the
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen program's name and the user and group IDs under which the
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen program is to execute.</p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>The wrapper then employs the following process
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to determine success or failure -- if any one of these
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen conditions fail, the program logs the failure and exits with an
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen error, otherwise it will continue:</p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <ol>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
5f48875017569cc7610b17d852c44e02684d9d5aerikabele <strong>Is the user executing this wrapper a valid user of
e1e8390280254f7f0580d701e583f670643d4f3fnilgun this system?</strong>
5f48875017569cc7610b17d852c44e02684d9d5aerikabele
5f48875017569cc7610b17d852c44e02684d9d5aerikabele <p class="indent">
5f48875017569cc7610b17d852c44e02684d9d5aerikabele This is to ensure that the user executing the wrapper is
5f48875017569cc7610b17d852c44e02684d9d5aerikabele truly a user of the system.
5f48875017569cc7610b17d852c44e02684d9d5aerikabele </p>
5f48875017569cc7610b17d852c44e02684d9d5aerikabele </li>
5f48875017569cc7610b17d852c44e02684d9d5aerikabele
5f48875017569cc7610b17d852c44e02684d9d5aerikabele <li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Was the wrapper called with the proper number of
e1e8390280254f7f0580d701e583f670643d4f3fnilgun arguments?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen The wrapper will only execute if it is given the proper
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen number of arguments. The proper argument format is known
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen to the Apache HTTP Server. If the wrapper is not receiving
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the proper number of arguments, it is either being
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen hacked, or there is something wrong with the suEXEC
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen portion of your Apache httpd binary.
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is this valid user allowed to run the
e1e8390280254f7f0580d701e583f670643d4f3fnilgun wrapper?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Is this user the user allowed to run this wrapper? Only
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen one user (the Apache user) is allowed to execute this
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen program.
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele <strong>Does the target CGI or SSI program have an unsafe
e1e8390280254f7f0580d701e583f670643d4f3fnilgun hierarchical reference?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele Does the target CGI or SSI program's path contain a leading
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele '/' or have a '..' backreference? These are not allowed; the
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele target CGI/SSI program must reside within suEXEC's document
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele root (see <code>--with-suexec-docroot=<em>DIR</em></code>
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele below).
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun <strong>Is the target user name valid?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Does the target user exist?
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun <strong>Is the target group name valid?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Does the target group exist?
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target user <em>NOT</em> superuser?</strong>
aaf7b7f4cc1be050310c3d7f48bce0ec67e174e4nd
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
ec5fd46fd2a4a263bb5cdf419e8d4106007a2ac8gryzor suEXEC does not allow <code><em>root</em></code>
5f48875017569cc7610b17d852c44e02684d9d5aerikabele to execute CGI/SSI programs.
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target userid <em>ABOVE</em> the minimum ID
e1e8390280254f7f0580d701e583f670643d4f3fnilgun number?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen The minimum user ID number is specified during
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configuration. This allows you to set the lowest possible
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen userid that will be allowed to execute CGI/SSI programs.
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen This is useful to block out "system" accounts.
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target group <em>NOT</em> the superuser
e1e8390280254f7f0580d701e583f670643d4f3fnilgun group?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
5f48875017569cc7610b17d852c44e02684d9d5aerikabele Presently, suEXEC does not allow the <code><em>root</em></code>
5f48875017569cc7610b17d852c44e02684d9d5aerikabele group to execute CGI/SSI programs.
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target groupid <em>ABOVE</em> the minimum ID
e1e8390280254f7f0580d701e583f670643d4f3fnilgun number?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen The minimum group ID number is specified during
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configuration. This allows you to set the lowest possible
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen groupid that will be allowed to execute CGI/SSI programs.
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen This is useful to block out "system" groups.
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Can the wrapper successfully become the target user
e1e8390280254f7f0580d701e583f670643d4f3fnilgun and group?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Here is where the program becomes the target user and
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen group via setuid and setgid calls. The group access list
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen is also initialized with all of the groups of which the
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen user is a member.
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
5f48875017569cc7610b17d852c44e02684d9d5aerikabele <strong>Can we change directory to the one in which the target
5f48875017569cc7610b17d852c44e02684d9d5aerikabele CGI/SSI program resides?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
5f48875017569cc7610b17d852c44e02684d9d5aerikabele If it doesn't exist, it can't very well contain files. If we
157312a2bcbad225c12462fc6d74b1aa3f32dceehumbedooh can't change directory to it, it might as well not exist.
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen <strong>Is the directory within the httpd webspace?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen If the request is for a regular portion of the server, is
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele the requested directory within suEXEC's document root? If
e1e8390280254f7f0580d701e583f670643d4f3fnilgun the request is for a <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code>, is the requested directory
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele within the directory configured as suEXEC's userdir (see
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele <a href="#install">suEXEC's configuration options</a>)?
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the directory <em>NOT</em> writable by anyone
e1e8390280254f7f0580d701e583f670643d4f3fnilgun else?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen We don't want to open up the directory to others; only
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the owner user may be able to alter this directories
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen contents.
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun <strong>Does the target CGI/SSI program exist?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen If it doesn't exists, it can't very well be executed.
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele <strong>Is the target CGI/SSI program <em>NOT</em> writable
e1e8390280254f7f0580d701e583f670643d4f3fnilgun by anyone else?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen We don't want to give anyone other than the owner the
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele ability to change the CGI/SSI program.
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele <strong>Is the target CGI/SSI program <em>NOT</em> setuid or
e1e8390280254f7f0580d701e583f670643d4f3fnilgun setgid?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen We do not want to execute programs that will then change
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen our UID/GID again.
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Is the target user/group the same as the program's
e1e8390280254f7f0580d701e583f670643d4f3fnilgun user/group?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Is the user the owner of the file?
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>Can we successfully clean the process environment
e1e8390280254f7f0580d701e583f670643d4f3fnilgun to ensure safe operations?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen suEXEC cleans the process' environment by establishing a
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen safe execution PATH (defined during configuration), as
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen well as only passing through those variables whose names
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen are listed in the safe environment list (also created
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen during configuration).
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele <strong>Can we successfully become the target CGI/SSI program
e1e8390280254f7f0580d701e583f670643d4f3fnilgun and execute?</strong>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele Here is where suEXEC ends and the target CGI/SSI program begins.
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </ol>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
e884f58207082fa2136d5fc86635c31252338948erikabele <p>This is the standard operation of the
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen suEXEC wrapper's security model. It is somewhat stringent and
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen can impose new limitations and guidelines for CGI/SSI design,
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen but it was developed carefully step-by-step with security in
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen mind.</p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>For more information as to how this security
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen model can limit your possibilities in regards to server
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configuration, as well as what security risks can be avoided
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive with a proper suEXEC setup, see the <a href="#jabberwock">"Beware the Jabberwock"</a> section of this
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen document.</p>
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">
5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="install" id="install">Configuring &amp; Installing
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive suEXEC</a></h2>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>Here's where we begin the fun.</p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p><strong>suEXEC configuration
181e56d8b348d301d615ccf5465ae600fee2867berikabele options</strong><br />
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dl>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dt><code>--enable-suexec</code></dt>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dd>This option enables the suEXEC feature which is never
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen installed or activated by default. At least one
5f48875017569cc7610b17d852c44e02684d9d5aerikabele <code>--with-suexec-xxxxx</code> option has to be provided
5f48875017569cc7610b17d852c44e02684d9d5aerikabele together with the <code>--enable-suexec</code> option to let
5f48875017569cc7610b17d852c44e02684d9d5aerikabele APACI accept your request for using the suEXEC feature.</dd>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton <dt><code>--enable-suexec-capabilities</code></dt>
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton <dd><strong>Linux specific:</strong> Normally,
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton the <code>suexec</code> binary is installed "setuid/setgid
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton root", which allows it to run with the full privileges of the
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton root user. If this option is used, the <code>suexec</code>
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton binary will instead be installed with only the setuid/setgid
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton "capability" bits set, which is the subset of full root
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton priviliges required for suexec operation. Note that
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton the <code>suexec</code> binary may not be able to write to a log
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton file in this mode; it is recommended that the
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton <code>--with-suexec-syslog --without-suexec-logfile</code>
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton options are used in conjunction with this mode, so that syslog
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton logging is used instead.</dd>
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton
687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron
5f48875017569cc7610b17d852c44e02684d9d5aerikabele <dd>The path to the <code>suexec</code> binary must be hard-coded
5f48875017569cc7610b17d852c44e02684d9d5aerikabele in the server for security reasons. Use this option to override
687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron the default path. <em>e.g.</em>
687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron <code>--with-suexec-bin=/usr/sbin/suexec</code></dd>
687ebbe3d0eaa7361f6cb85f56a389cbbc2e5056aaron
5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen <dt><code>--with-suexec-caller=<em>UID</em></code></dt>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
d0dd037bdab65b455b4056d58be501ca14e61dfemartin <dd>The <a href="mod/mpm_common.html#user">username</a> under which
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen httpd normally runs. This is the only user allowed to
f6066dc0a6ad0432b74774e290c04c3cc4aa2dafrbowen execute the suEXEC wrapper.</dd>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen <dt><code>--with-suexec-userdir=<em>DIR</em></code></dt>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dd>Define to be the subdirectory under users' home
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen directories where suEXEC access should be allowed. All
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen executables under this directory will be executable by suEXEC
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen as the user so they should be "safe" programs. If you are
e1e8390280254f7f0580d701e583f670643d4f3fnilgun using a "simple" <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun directive (ie. one without a "*" in it) this should be set to the same
e1e8390280254f7f0580d701e583f670643d4f3fnilgun value. suEXEC will not work properly in cases where the <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code> directive points to
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen a location that is not the same as the user's home directory
e1e8390280254f7f0580d701e583f670643d4f3fnilgun as referenced in the <code>passwd</code> file. Default value is
e1e8390280254f7f0580d701e583f670643d4f3fnilgun "<code>public_html</code>".<br />
e1e8390280254f7f0580d701e583f670643d4f3fnilgun If you have virtual hosts with a different <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code> for each,
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen you will need to define them to all reside in one parent
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen directory; then name that parent directory here. <strong>If
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen this is not defined properly, "~userdir" cgi requests will
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen not work!</strong></dd>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron <dt><code>--with-suexec-docroot=<em>DIR</em></code></dt>
ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen <dd>Define as the DocumentRoot set for httpd. This will be
e1e8390280254f7f0580d701e583f670643d4f3fnilgun the only hierarchy (aside from <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code>s) that can be used for suEXEC behavior. The
e1e8390280254f7f0580d701e583f670643d4f3fnilgun default directory is the <code>--datadir</code> value with the suffix
e1e8390280254f7f0580d701e583f670643d4f3fnilgun "<code>/htdocs</code>", <em>e.g.</em> if you configure with
e1e8390280254f7f0580d701e583f670643d4f3fnilgun "<code>--datadir=/home/apache</code>" the directory
e1e8390280254f7f0580d701e583f670643d4f3fnilgun "<code>/home/apache/htdocs</code>" is used as document root for the
e1e8390280254f7f0580d701e583f670643d4f3fnilgun suEXEC wrapper.</dd>
ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron
5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen <dt><code>--with-suexec-uidmin=<em>UID</em></code></dt>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dd>Define this as the lowest UID allowed to be a target user
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen for suEXEC. For most systems, 500 or 100 is common. Default
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen value is 100.</dd>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen <dt><code>--with-suexec-gidmin=<em>GID</em></code></dt>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dd>Define this as the lowest GID allowed to be a target
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen group for suEXEC. For most systems, 100 is common and
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen therefore used as default value.</dd>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron <dt><code>--with-suexec-logfile=<em>FILE</em></code></dt>
ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron
ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron <dd>This defines the filename to which all suEXEC
ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron transactions and errors are logged (useful for auditing and
ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron debugging purposes). By default the logfile is named
e1e8390280254f7f0580d701e583f670643d4f3fnilgun "<code>suexec_log</code>" and located in your standard logfile
e1e8390280254f7f0580d701e583f670643d4f3fnilgun directory (<code>--logfiledir</code>).</dd>
ee8d84bbd543e3e808e81e4e802d960548ce30d1aaron
a6f3268ea98277eee9258bc6aed3e93f3df54633jorton <dt><code>--with-suexec-syslog</code></dt>
a6f3268ea98277eee9258bc6aed3e93f3df54633jorton
a6f3268ea98277eee9258bc6aed3e93f3df54633jorton <dd>If defined, suexec will log notices and errors to syslog
a6f3268ea98277eee9258bc6aed3e93f3df54633jorton instead of a logfile. This option must be combined
a6f3268ea98277eee9258bc6aed3e93f3df54633jorton with <code>--without-suexec-logfile</code>.</dd>
a6f3268ea98277eee9258bc6aed3e93f3df54633jorton
5bb304d44f4a7046289c9c7dbeef63843bff9613rbowen <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <dd>Define a safe PATH environment to pass to CGI
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen executables. Default value is
e1e8390280254f7f0580d701e583f670643d4f3fnilgun "<code>/usr/local/bin:/usr/bin:/bin</code>".</dd>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </dl>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
e1e8390280254f7f0580d701e583f670643d4f3fnilgun <h3>Compiling and installing the suEXEC wrapper</h3>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun
e1e8390280254f7f0580d701e583f670643d4f3fnilgun
e1e8390280254f7f0580d701e583f670643d4f3fnilgun <p>If you have enabled the suEXEC feature with the
e1e8390280254f7f0580d701e583f670643d4f3fnilgun <code>--enable-suexec</code> option the <code>suexec</code> binary
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen (together with httpd itself) is automatically built if you execute
e1e8390280254f7f0580d701e583f670643d4f3fnilgun the <code>make</code> command.</p>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun
e1e8390280254f7f0580d701e583f670643d4f3fnilgun <p>After all components have been built you can execute the
e1e8390280254f7f0580d701e583f670643d4f3fnilgun command <code>make install</code> to install them. The binary image
e1e8390280254f7f0580d701e583f670643d4f3fnilgun <code>suexec</code> is installed in the directory defined by the
e1e8390280254f7f0580d701e583f670643d4f3fnilgun <code>--sbindir</code> option. The default location is
e1e8390280254f7f0580d701e583f670643d4f3fnilgun "/usr/local/apache2/bin/suexec".</p>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun
e1e8390280254f7f0580d701e583f670643d4f3fnilgun <p>Please note that you need <strong><em>root
e1e8390280254f7f0580d701e583f670643d4f3fnilgun privileges</em></strong> for the installation step. In order
e1e8390280254f7f0580d701e583f670643d4f3fnilgun for the wrapper to set the user ID, it must be installed as
e1e8390280254f7f0580d701e583f670643d4f3fnilgun owner <code><em>root</em></code> and must have the setuserid
e1e8390280254f7f0580d701e583f670643d4f3fnilgun execution bit set for file modes.</p>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun
e1e8390280254f7f0580d701e583f670643d4f3fnilgun
e1e8390280254f7f0580d701e583f670643d4f3fnilgun <h3>Setting paranoid permissions</h3>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun
e1e8390280254f7f0580d701e583f670643d4f3fnilgun
e1e8390280254f7f0580d701e583f670643d4f3fnilgun <p>Although the suEXEC wrapper will check to ensure that its
e1e8390280254f7f0580d701e583f670643d4f3fnilgun caller is the correct user as specified with the
e1e8390280254f7f0580d701e583f670643d4f3fnilgun <code>--with-suexec-caller</code> <code class="program"><a href="/programs/configure.html">configure</a></code>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun option, there is
e1e8390280254f7f0580d701e583f670643d4f3fnilgun always the possibility that a system or library call suEXEC uses
e1e8390280254f7f0580d701e583f670643d4f3fnilgun before this check may be exploitable on your system. To counter
e1e8390280254f7f0580d701e583f670643d4f3fnilgun this, and because it is best-practise in general, you should use
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen filesystem permissions to ensure that only the group httpd
e1e8390280254f7f0580d701e583f670643d4f3fnilgun runs as may execute suEXEC.</p>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun
e1e8390280254f7f0580d701e583f670643d4f3fnilgun <p>If for example, your web server is configured to run as:</p>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun
4aa603e6448b99f9371397d439795c91a93637eand <pre class="prettyprint lang-config">User www
4aa603e6448b99f9371397d439795c91a93637eandGroup webgroup</pre>
c3c006c28c5b03892ccaef6e4d2cbb15a13a2072rbowen
e1e8390280254f7f0580d701e583f670643d4f3fnilgun
e1e8390280254f7f0580d701e583f670643d4f3fnilgun <p>and <code class="program"><a href="/programs/suexec.html">suexec</a></code> is installed at
e1e8390280254f7f0580d701e583f670643d4f3fnilgun "/usr/local/apache2/bin/suexec", you should run:</p>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun
e1e8390280254f7f0580d701e583f670643d4f3fnilgun <div class="example"><p><code>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun chgrp webgroup /usr/local/apache2/bin/suexec<br />
e1e8390280254f7f0580d701e583f670643d4f3fnilgun chmod 4750 /usr/local/apache2/bin/suexec<br />
e1e8390280254f7f0580d701e583f670643d4f3fnilgun </code></p></div>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen <p>This will ensure that only the group httpd runs as can even
e1e8390280254f7f0580d701e583f670643d4f3fnilgun execute the suEXEC wrapper.</p>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">
5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="enable" id="enable">Enabling &amp; Disabling
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive suEXEC</a></h2>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen <p>Upon startup of httpd, it looks for the file
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim <code class="program"><a href="/programs/suexec.html">suexec</a></code> in the directory defined by the
5f48875017569cc7610b17d852c44e02684d9d5aerikabele <code>--sbindir</code> option (default is
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen "/usr/local/apache/sbin/suexec"). If httpd finds a properly
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen configured suEXEC wrapper, it will print the following message
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen to the error log:</p>
5f48875017569cc7610b17d852c44e02684d9d5aerikabele
181e56d8b348d301d615ccf5465ae600fee2867berikabele<div class="example"><p><code>
9bcfc3697a91b5215893a7d0206865b13fc72148nd [notice] suEXEC mechanism enabled (wrapper: <var>/path/to/suexec</var>)
181e56d8b348d301d615ccf5465ae600fee2867berikabele</code></p></div>
5f48875017569cc7610b17d852c44e02684d9d5aerikabele
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>If you don't see this message at server startup, the server is
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen most likely not finding the wrapper program where it expects
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive it, or the executable is not installed <em>setuid root</em>.</p>
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>If you want to enable the suEXEC mechanism for the first time
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen and an Apache HTTP Server is already running you must kill and
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen restart httpd. Restarting it with a simple HUP or USR1 signal
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive will not be enough. </p>
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>If you want to disable suEXEC you should kill and restart
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen httpd after you have removed the <code class="program"><a href="/programs/suexec.html">suexec</a></code> file.</p>
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">
5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="usage" id="usage">Using suEXEC</a></h2>
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
53feb1d7d644e42dcc617b35516598bb15e8bcc1slive <p>Requests for CGI programs will call the suEXEC wrapper only if
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim they are for a virtual host containing a <code class="directive"><a href="/mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive or if
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim they are processed by <code class="module"><a href="/mod/mod_userdir.html">mod_userdir</a></code>.</p>
53feb1d7d644e42dcc617b35516598bb15e8bcc1slive
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p><strong>Virtual Hosts:</strong><br /> One way to use the suEXEC
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim wrapper is through the <code class="directive"><a href="/mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive in
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim <code class="directive"><a href="/mod/core.html#virtualhost">VirtualHost</a></code> definitions. By
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive setting this directive to values different from the main server
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive user ID, all requests for CGI resources will be executed as the
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim <em>User</em> and <em>Group</em> defined for that <code class="directive"><a href="/mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code>. If this
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim directive is not specified for a <code class="directive"><a href="/mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code> then the main server userid
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive is assumed.</p>
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
53feb1d7d644e42dcc617b35516598bb15e8bcc1slive <p><strong>User directories:</strong><br /> Requests that are
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim processed by <code class="module"><a href="/mod/mod_userdir.html">mod_userdir</a></code> will call the suEXEC
53feb1d7d644e42dcc617b35516598bb15e8bcc1slive wrapper to execute CGI programs under the userid of the requested
53feb1d7d644e42dcc617b35516598bb15e8bcc1slive user directory. The only requirement needed for this feature to
53feb1d7d644e42dcc617b35516598bb15e8bcc1slive work is for CGI execution to be enabled for the user and that the
53feb1d7d644e42dcc617b35516598bb15e8bcc1slive script must meet the scrutiny of the <a href="#model">security
53feb1d7d644e42dcc617b35516598bb15e8bcc1slive checks</a> above. See also the
53feb1d7d644e42dcc617b35516598bb15e8bcc1slive <code>--with-suexec-userdir</code> <a href="#install">compile
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim time option</a>.</p> </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">
5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="debug" id="debug">Debugging suEXEC</a></h2>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>The suEXEC wrapper will write log information
5f48875017569cc7610b17d852c44e02684d9d5aerikabele to the file defined with the <code>--with-suexec-logfile</code>
a6f3268ea98277eee9258bc6aed3e93f3df54633jorton option as indicated above, or to syslog if <code>--with-suexec-syslog</code>
a6f3268ea98277eee9258bc6aed3e93f3df54633jorton is used. If you feel you have configured and
a6f3268ea98277eee9258bc6aed3e93f3df54633jorton installed the wrapper properly, have a look at the log and the
a6f3268ea98277eee9258bc6aed3e93f3df54633jorton error_log for the server to see where you may have gone astray.
a6f3268ea98277eee9258bc6aed3e93f3df54633jorton The output of <code>"suexec -V"</code> will show the options
a6f3268ea98277eee9258bc6aed3e93f3df54633jorton used to compile suexec, if using a binary distribution.</p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="section">
5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="jabberwock" id="jabberwock">Beware the Jabberwock:
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive Warnings &amp; Examples</a></h2>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p><strong>NOTE!</strong> This section may not be
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen complete. For the latest revision of this section of the
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen documentation, see the <a href="http://httpd.apache.org/docs/trunk/suexec.html">Online
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Documentation</a> version.</p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive <p>There are a few points of interest regarding
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen the wrapper that can cause limitations on server setup. Please
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen review these before submitting any "bugs" regarding suEXEC.</p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <ul>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li><strong>suEXEC Points Of Interest</strong></li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun Hierarchy limitations
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
5f48875017569cc7610b17d852c44e02684d9d5aerikabele For security and efficiency reasons, all suEXEC requests
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen must remain within either a top-level document root for
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen virtual host requests, or one top-level personal document
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen root for userdir requests. For example, if you have four
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen VirtualHosts configured, you would need to structure all
7d37d896e4bce35ac213fededef06aff2d2f25d7rbowen of your VHosts' document roots off of one main httpd
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen document hierarchy to take advantage of suEXEC for
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen VirtualHosts. (Example forthcoming.)
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun suEXEC's PATH environment variable
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen This can be a dangerous thing to change. Make certain
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen every path you include in this define is a
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <strong>trusted</strong> directory. You don't want to
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen open people up to having someone from across the world
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen running a trojan horse on them.
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen <li>
e1e8390280254f7f0580d701e583f670643d4f3fnilgun Altering the suEXEC code
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
181e56d8b348d301d615ccf5465ae600fee2867berikabele <p class="indent">
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen Again, this can cause <strong>Big Trouble</strong> if you
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen try this without knowing what you are doing. Stay away
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen from it if at all possible.
181e56d8b348d301d615ccf5465ae600fee2867berikabele </p>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </li>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen </ul>
57d0156f7bbd9ea3a72342cf9912aba61d118702rbowen
5a58787efeb02a1c3f06569d019ad81fd2efa06end</div></div>
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd<div class="bottomlang">
7add1372edb1ee95a2c4d1314df4c7567bda7c62jim<p><span>Available Languages: </span><a href="/en/suexec.html" title="English">&nbsp;en&nbsp;</a> |
af84459fbf938e508fd10b01cb8d699c79083813takashi<a href="/fr/suexec.html" hreflang="fr" rel="alternate" title="Fran�ais">&nbsp;fr&nbsp;</a> |
7f5b59ccc63c0c0e3e678a168f09ee6a2f51f9d0nd<a href="/ja/suexec.html" hreflang="ja" rel="alternate" title="Japanese">&nbsp;ja&nbsp;</a> |
e1e8390280254f7f0580d701e583f670643d4f3fnilgun<a href="/ko/suexec.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a> |
f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung<a href="/tr/suexec.html" hreflang="tr" rel="alternate" title="T�rk�e">&nbsp;tr&nbsp;</a></p>
727872d18412fc021f03969b8641810d8896820bhumbedooh</div><div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
0d0ba3a410038e179b695446bb149cce6264e0abnd<script type="text/javascript"><!--//--><![CDATA[//><!--
727872d18412fc021f03969b8641810d8896820bhumbedoohvar comments_shortname = 'httpd';
cc7e1025de9ac63bd4db6fe7f71c158b2cf09fe4humbedoohvar comments_identifier = 'http://httpd.apache.org/docs/trunk/suexec.html';
0d0ba3a410038e179b695446bb149cce6264e0abnd(function(w, d) {
cc7e1025de9ac63bd4db6fe7f71c158b2cf09fe4humbedooh if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
727872d18412fc021f03969b8641810d8896820bhumbedooh d.write('<div id="comments_thread"><\/div>');
0d0ba3a410038e179b695446bb149cce6264e0abnd var s = d.createElement('script');
0d0ba3a410038e179b695446bb149cce6264e0abnd s.type = 'text/javascript';
0d0ba3a410038e179b695446bb149cce6264e0abnd s.async = true;
ac082aefa89416cbdc9a1836eaf3bed9698201c8humbedooh s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
0d0ba3a410038e179b695446bb149cce6264e0abnd (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
0d0ba3a410038e179b695446bb149cce6264e0abnd }
0d0ba3a410038e179b695446bb149cce6264e0abnd else {
727872d18412fc021f03969b8641810d8896820bhumbedooh d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
0d0ba3a410038e179b695446bb149cce6264e0abnd }
0d0ba3a410038e179b695446bb149cce6264e0abnd})(window, document);
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh//--><!]]></script></div><div id="footer">
07dc96d063d49299da433f84b5c5681da9bbdf68rbowen<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
af33a4994ae2ff15bc67d19ff1a7feb906745bf8rbowen<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
0d0ba3a410038e179b695446bb149cce6264e0abndif (typeof(prettyPrint) !== 'undefined') {
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd prettyPrint();
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd}
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd//--><!]]></script>
645377709717e10daeb3b57531340ce14424c7c0jorton</body></html>