Using Apache with Suexec on Linux
User IDs Suexec Will Use

Ken Coar
Friday, January 21, 2000 01:07:47 PM
Since the point of suexec is to handle certain Web requests under a different identity than the Apache server user, there needs to be some way to specify just which user. There are two places from which Apache will draw this information:
- The username from URLs such as <URL:http://somehost.com/~username/foo.cgi>, or
- The User and Group directives in the server configuration file, httpd.conf.
The username to use is determined by checking these in the above order.
The User and Group directives
are ordinarily ignored inside <VirtualHost>
containers, but in a suexec-enabled server they take
on new meaning for the virtual host, defining the identity under
which CGI scripts requested through that host will be executed.
If a virtual host doesn't have a User directive, it
inherits the server-wide value (which defines the username under
which the server itself is running) which will probably result
in normal, non-suexec-enabled behaviour.
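As an added illustration (not part of Ken Coar's article and not Apache's own code), the following shell script applies the inheritance rule just described to a configuration file and prints the identity each virtual host would hand to suexec: a host with its own User or Group directive uses it, and one without falls back to the server-wide value. The sample httpd.conf it writes is constructed for the demonstration; the script assumes one directive per line, no Include files, and ignores the ~username URL form.

```shell
#!/bin/sh
# Added example, not from the article: work out which identity a suexec-enabled
# Apache 1.3 server will use for CGI requests through each <VirtualHost>,
# applying the inheritance rule from the text (a host with no User or Group
# directive of its own falls back to the server-wide values).
# Assumptions: one directive per line, no Include files, and only the
# User/Group directives are read (the ~username URL form is not modelled).

# Usage: suexec_identities /path/to/httpd.conf
# Prints one line per scope, "SCOPE USER GROUP"; SCOPE is "main" for the
# server-wide settings or the argument of the <VirtualHost ...> container.
suexec_identities() {
    awk '
        # drop comments and surrounding whitespace, then re-split fields
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        tolower($1) == "<virtualhost" {
            vh = $0
            sub(/^<[^ \t]+[ \t]+/, "", vh); sub(/>$/, "", vh)
            in_vh = 1; vh_user = ""; vh_group = ""
            next
        }
        tolower($0) == "</virtualhost>" {
            n++; name[n] = vh; vuser[n] = vh_user; vgroup[n] = vh_group
            in_vh = 0
            next
        }
        tolower($1) == "user"  { if (in_vh) vh_user  = $2; else main_user  = $2 }
        tolower($1) == "group" { if (in_vh) vh_group = $2; else main_group = $2 }
        END {
            # resolve inheritance only at the end, so server-wide directives
            # placed after a <VirtualHost> block are still honoured
            print "main", main_user, main_group
            for (i = 1; i <= n; i++)
                print name[i], (vuser[i] != "" ? vuser[i] : main_user), (vgroup[i] != "" ? vgroup[i] : main_group)
        }
    ' "$1"
}

# Constructed sample configuration (not taken from any real server).
write_sample_conf() {
    cat > "$1" <<'EOF'
User nobody
Group nobody
ServerName www.example.com

<VirtualHost 10.0.0.1:80>
    ServerName alice.example.com
    # CGI requested through this host runs as alice/webusers
    User alice
    Group webusers
</VirtualHost>

<VirtualHost 10.0.0.2:80>
    # no User/Group here: inherits nobody/nobody from the main server
    ServerName plain.example.com
</VirtualHost>

<VirtualHost 10.0.0.3:80>
    # User set but Group not: the group is inherited
    ServerName bob.example.com
    User bob
</VirtualHost>
EOF
}

# Run against a real httpd.conf given on the command line, or the sample.
if [ $# -gt 0 ]; then
    suexec_identities "$1"
else
    sample=$(mktemp)
    write_sample_conf "$sample"
    suexec_identities "$sample"
    rm -f "$sample"
fi
```

Run it with no arguments to see the sample resolved (main nobody nobody, then alice/webusers, nobody/nobody and bob/nobody for the three hosts), or pass the path of your own httpd.conf.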
Incorporating Suexec Into Your Apache Server
If you have an Apache 1.3 server binary, it's capable of using
a suexec wrapper if it finds one in the expected
place. (Until Apache 1.3.11, there was no convenient way to find out what
the 'expected place' is; as of version 1.3.11, you can find
out the value of the SUEXEC_BIN compile-time constant,
and whether there's a valid wrapper at that location, with the
'httpd -l' runtime switch.)
If you're working with an Apache server that you inherited, or
installed as part of a package, you might not be sure whether
suexec is in place or being used. If you want to
be sure about it, the best thing to do is to use the
Apache build procedure, which will dot the Is and cross the Ts
when you 'make install'.
The main mechanism suexec uses to ensure safety is to rely on a bunch of settings made at compile-time. Likewise, the only way Apache can be made to even think about using suexec is if it has been compiled with that in mind. This means that you'll probably need to compile both the Apache server and suexec yourself.
This is easily done as part of the normal Apache build. Just use the following command (the APACI option that turns the wrapper on is --enable-suexec) and the rest is easy:
% cd ./apache-1.3/
% ./configure \
> --enable-shared=max \
> --enable-module=most \
> --with-layout=Apache \
> --prefix=/usr/local/web/apache \
> --with-port=80 \
> --enable-suexec \
> --suexec-caller=nobody \
> --suexec-docroot=/usr/local/web
Note: The Red Hat 6.1 Apache RPM actually installs suexec by default, which may cause you problems. If you don't want it, you'll need to either rebuild Apache or disable suexec execution.
Disabling Suexec
If your Apache installation is currently suexec-enabled, it's very simple to turn the wrapper off. Just do one or more of the following to the suexec binary:
- Clear the setuid bit
- Change the owner to be someone other than root
- Delete or rename it
and then restart the Apache server. Doing any one of these will render the suexec facility unusable, and Apache won't even try to involve it.
To verify that your action has had the desired effect (if you're running Apache 1.3.11 or later), run "/usr/local/web/apache/bin/httpd -l". If the output says suexec is enabled, you haven't done enough yet.
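An added example, not from the article and not part of Apache: a shell function that applies the same three conditions to a wrapper path and reports which of them fails, so you can confirm from the filesystem alone that the wrapper is unusable (or still usable) before looking at the httpd -l output. The path /usr/local/web/apache/bin/suexec is assumed from the layout used above; substitute your own SUEXEC_BIN value.

```shell
#!/bin/sh
# Added example, not from the article: report whether a suexec wrapper is in a
# state Apache would accept. The three conditions come from the text above:
# the binary must exist, be owned by root, and have the setuid bit set.
# Assumed path from the layout used in the article; replace with your
# SUEXEC_BIN value when running against a real installation.
DEFAULT_WRAPPER=/usr/local/web/apache/bin/suexec

# Usage: suexec_wrapper_state /path/to/suexec
# Prints "enabled" or "disabled: <reasons>"; returns 0 only when enabled.
suexec_wrapper_state() {
    wrapper=$1
    reasons=""
    if [ ! -f "$wrapper" ]; then
        echo "disabled: wrapper missing at $wrapper"
        return 1
    fi
    # -prune keeps find from descending, so only the named path is tested;
    # -user and -perm are POSIX find primaries, so this avoids stat(1)
    # portability differences between GNU and BSD.
    [ -n "$(find "$wrapper" -prune -user root -print)" ] \
        || reasons="$reasons not-owned-by-root"
    [ -n "$(find "$wrapper" -prune -perm -4000 -print)" ] \
        || reasons="$reasons setuid-bit-clear"
    if [ -z "$reasons" ]; then
        echo "enabled"
        return 0
    fi
    echo "disabled:$reasons"
    return 1
}

# Demonstration on a scratch file rather than the real binary: a setuid copy
# owned by an ordinary user is still rejected, because ownership by root is
# one of the conditions.
demo_scratch_wrapper() {
    f=$(mktemp)
    chmod 4755 "$f"
    suexec_wrapper_state "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

if [ $# -gt 0 ]; then
    suexec_wrapper_state "$1"
else
    suexec_wrapper_state "$DEFAULT_WRAPPER" || true
    demo_scratch_wrapper || true
fi
```

Pass the real wrapper path as the argument after applying one of the three changes above; the reason list tells you which condition now fails, and a return code of 1 is what you want when the goal is to disable the facility.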