suexec.html.en revision 35f745d0d98970c673c5ef89cd48bbd2beeb2efe
4654dbb45f8a4aea7aa5fed6be22c9efff19bfcaChristian Maeder<!--#include virtual="header.html" -->
accab0bf9b8aa690d70174f41fe94370323959b9Christian MaederThe <b>suEXEC</b> feature, introduced in Apache 1.2 provides the ability to
1012fdd997ea1f35eee2ccdd4015199f09f18fe9Christian Maederrun <b>CGI</b> programs under user ids different from the user id of the
59316321b20af89de1c2d4cd53183e04b72662c4Christian Maedercalling web-server. Used properly, this feature can reduce considerably the
59316321b20af89de1c2d4cd53183e04b72662c4Christian Maederinsecurity of allowing users to run CGI programs. At the same time, improperly
59316321b20af89de1c2d4cd53183e04b72662c4Christian Maederconfigured, this facility can crash your computer, burn your house down and
4654dbb45f8a4aea7aa5fed6be22c9efff19bfcaChristian Maedersteal all the money from your retirement fund. <b>:-)</b> If you aren't
4654dbb45f8a4aea7aa5fed6be22c9efff19bfcaChristian Maederfamiliar with managing setuid root programs and the security issues they
4654dbb45f8a4aea7aa5fed6be22c9efff19bfcaChristian Maederpresent, we highly recommend that you not consider using this feature.<p>
4654dbb45f8a4aea7aa5fed6be22c9efff19bfcaChristian MaederHaving said all that, enabling this feature is purposefully difficult with
4654dbb45f8a4aea7aa5fed6be22c9efff19bfcaChristian Maederthe intent that it will only be installed by users determined to use it and
4654dbb45f8a4aea7aa5fed6be22c9efff19bfcaChristian Maederis not part of the normal install/compile process.<p>
d73d522b2ffe201e6233b576be9c0fb0ddbf6313Christian MaederFrom the top-level of the Apache source tree, type: <b><code>cd support [ENTER]</code></b><p>
4654dbb45f8a4aea7aa5fed6be22c9efff19bfcaChristian MaederEdit the <code>suexec.h</code> file and change the following macros to match your
4654dbb45f8a4aea7aa5fed6be22c9efff19bfcaChristian Maederlocal Apache installation.<p>
59316321b20af89de1c2d4cd53183e04b72662c4Christian Maeder * HTTPD_USER -- Define as the username under which Apache normally
ec676ed8bdc0f0a1d52793db1d75eb0c8d6f0f05Christian Maeder * runs. This is the only user allowed to execute
d73d522b2ffe201e6233b576be9c0fb0ddbf6313Christian Maeder * this program.
4654dbb45f8a4aea7aa5fed6be22c9efff19bfcaChristian Maeder#define HTTPD_USER "www"
accab0bf9b8aa690d70174f41fe94370323959b9Christian Maeder * LOG_EXEC -- Define this as a filename if you want all suEXEC
accab0bf9b8aa690d70174f41fe94370323959b9Christian Maeder * transactions and errors logged for auditing and
accab0bf9b8aa690d70174f41fe94370323959b9Christian Maeder * debugging purposes.
directory, edit src/httpd.h and recompile your Apache server. See <a href="install.html">Compiling and Installing Apache</a> for more info on this process.<p>
wrapper program where it expects it, or the executable is not installed <b><em>setuid root</em></b>. Check your installation and try again.<p>
One way to use <b>suEXEC</b> is through the <a href="mod/core.html#user"><b>User</b></a> and <a href="mod/core.html#group"><b>Group</b></a> directives in <a href="mod/core.html#virtualhost"><b>VirtualHost</b></a> definitions. By setting these directives to values
is for CGI execution to be enabled for the user and that the script must meet the scrutiny of the <a href="#model">security checks</a> above.
The suEXEC wrapper will write log information to the location defined in the <code>suexec.h</code> as indicated above. If you feel you have configured and installed the wrapper properly,
<!--#include virtual="footer.html" -->