apache_suexec [2015/06/02 03:04] (current) – created - external edit 127.0.0.1
====== Apache suExec ======
  * [[Apache]]
  * [[Apache fcgid]]
  * [[Apache Security]]
  * [[PHP CGI]]

suExec lets you run CGI processes as a different user from the one the web server runs as, usually an unprivileged one.

  * [[http://
  * [[http://
  * [[http://


==== Installation ====

suExec is very strict about security and will refuse to run anything that fails its checks.

You can display the suExec compile-time variables:

<code>
/
</code>

As a reference, here are the settings for an Ubuntu 13.04 install:

<code>
-D AP_DOC_ROOT="/
-D AP_GID_MIN=100
-D AP_HTTPD_USER="
-D AP_LOG_EXEC="/
-D AP_SAFE_PATH="/
-D AP_UID_MIN=100
-D AP_USERDIR_SUFFIX="
</code>

Also, one from Gentoo with Apache 2.2.29:

<code>
-D AP_DOC_ROOT="/
-D AP_GID_MIN=100
-D AP_HTTPD_USER="
-D AP_LOG_EXEC="/
-D AP_SAFE_PATH="/
-D AP_SUEXEC_UMASK=077
-D AP_UID_MIN=1000
-D AP_USERDIR_SUFFIX="
</code>

The programs suExec executes must live in a directory under DOC_ROOT.

GID_MIN and UID_MIN are the lowest group and user IDs suExec will switch to; they prevent scripts from being executed as low-numbered system accounts.

HTTPD_USER is the user Apache drops privileges to after starting as root; it is the only user allowed to invoke the suExec wrapper.

All of these are fixed at compile time when Apache is built.
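The ownership, path and UID/GID constraints described above can be verified before a script is deployed. The following Python is an added example, not code from the wiki page or from Apache; the check names and the ''lookup'' hook are this example's own conventions, and the default floors mirror the Ubuntu values listed above.

```python
import os
import stat
from pathlib import PurePosixPath

# Mode bits that make a file or directory writable by someone other than its owner.
OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def check_script(script, target_uid, target_gid, doc_root,
                 uid_min=100, gid_min=100, lookup=None):
    """Return the suExec checks ``script`` would fail (empty list = would run).
    ``lookup(path)`` returns (uid, gid, mode); it defaults to os.stat and can be
    replaced by a table for offline use."""
    if lookup is None:
        def lookup(path):
            st = os.stat(path)
            return st.st_uid, st.st_gid, st.st_mode
    failures = []
    script = PurePosixPath(script)
    directory = script.parent
    # Target user/group may not be root and must be at or above the compiled floors.
    if target_uid == 0:
        failures.append("target user is root")
    elif target_uid < uid_min:
        failures.append("target uid below AP_UID_MIN")
    if target_gid == 0:
        failures.append("target group is root group")
    elif target_gid < gid_min:
        failures.append("target gid below AP_GID_MIN")
    # The script's directory must be AP_DOC_ROOT itself or somewhere below it.
    if PurePosixPath(doc_root) not in (directory, *directory.parents):
        failures.append("directory outside AP_DOC_ROOT")
    d_uid, d_gid, d_mode = lookup(str(directory))
    s_uid, s_gid, s_mode = lookup(str(script))
    # Neither the directory nor the script may be group- or world-writable.
    if d_mode & OTHER_WRITE:
        failures.append("directory writable by others")
    if s_mode & OTHER_WRITE:
        failures.append("script writable by others")
    # setuid/setgid programs are refused outright.
    if s_mode & (stat.S_ISUID | stat.S_ISGID):
        failures.append("script is setuid/setgid")
    # Both the directory and the script must be owned by the target user/group.
    if (d_uid, d_gid) != (target_uid, target_gid):
        failures.append("directory owner differs from target user/group")
    if (s_uid, s_gid) != (target_uid, target_gid):
        failures.append("script owner differs from target user/group")
    return failures
```

Run against a live filesystem by omitting ''lookup''; an empty list means the script passes every check the function models.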

=== Build-time Gotcha ===

When compiling Apache, if you change the suExec configuration variables, do a full ''

==== Apache Configuration ====

The only directive that needs to be set inside the Apache config is ''

<code>
SuexecUserGroup www www
</code>

==== OS X ====

Here is an example of the configure options on OS X.

<code>
./configure \
  --enable-suexec \
  --with-suexec-docroot=/
  --with-suexec-bin=/
  --with-suexec-caller=daemon \
  --with-suexec-uidmin=500 \
  --with-suexec-logfile=/
  --with-suexec-gidmin=20 \
  --with-suexec-userdir=Sites \
</code>

And the result of ''

<code>
-D AP_DOC_ROOT="/
-D AP_GID_MIN=20
-D AP_HTTPD_USER="
-D AP_LOG_EXEC="/
-D AP_SAFE_PATH="/
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX="
</code>

Again, note that HTTPD_USER is ''

Related config:

<code>
SuexecUserGroup steve staff
</code>

==== Gentoo ====

  * SUEXEC_SAFEPATH:
  *
  * SUEXEC_CALLER:
  *
  * SUEXEC_MINUID:
  * SUEXEC_MINGID:
  *
  *