no way to compare when less than two revisions

Differences

This shows you the differences between two versions of the page.

@@ Line 1: / Line 1: @@
+====== Apache suExec ======
+  * [[Apache]]
+  * [[Apache fcgid]]
+  * [[Apache Security]]
+  * [[PHP CGI]]
+suExec lets you execute CGI processes as a separate user than the webserver, usually unprivileged.
+  * [[http://httpd.apache.org/docs/current/suexec.html|suEXEC Support]]
+  * [[http://httpd.apache.org/docs/current/mod/mod_suexec.html|Apache Module mod_suexec]]
+  * [[http://httpd.apache.org/docs/current/mod/core.html#suexec|mod_core Suexec Directive]]
+==== Installation ====
+SuExec is very strict on security.  When compiling Apache, you need to set the SuExec parameters that will be used.
+You can display the SuExec compile-time variables:
+<code>
+/usr/lib/apache2/suexec -V
+</code>
+As a reference, here are the settings for an Ubuntu 13.04 install:
+<code>
+ -D AP_DOC_ROOT="/var/www"
+ -D AP_GID_MIN=100
+ -D AP_HTTPD_USER="www-data"
+ -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
+ -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
+ -D AP_UID_MIN=100
+ -D AP_USERDIR_SUFFIX="public_html"
+</code>
+Also, one from Gentoo with Apache 2.2.29:
+<code>
+ -D AP_DOC_ROOT="/var/www"
+ -D AP_GID_MIN=100
+ -D AP_HTTPD_USER="apache"
+ -D AP_LOG_EXEC="/var/log/apache2/suexec_log"
+ -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
+ -D AP_SUEXEC_UMASK=077
+ -D AP_UID_MIN=1000
+ -D AP_USERDIR_SUFFIX="public_html"
+</code>
+The commands executed by SuExec must have a parent directory of DOC_ROOT.  They do not immediately need to be in that directory, just below it.  So, ''/var/www/cgi-bin'' would be fine.
+GID_MIN and UID_MIN are minimum values, to prevent users with low-level privileges from executing scripts.
+HTTPD_USER is the user that Apache drops to after starting the program as root.
+These are all configured when installing Apache.
+=== Build-time Gotcha ===
+When compiling Apache, if you change the SuExec configuration variables, do a full ''make clean'' on the directory, or the new compile will still use the old variables.
+==== Apache Configuration ====
+The only directive that needs to be set inside the Apache config is ''SuexecUserGroup''.  It can be set either globally or per-virtualhost.
+<code>
+SuexecUserGroup www www
+</code>
+==== OS X ====
+Here is an example of the configuration options on OSX.
+<code>
+./configure \
+        --enable-suexec \
+        --with-suexec-docroot=/var/www \
+        --with-suexec-bin=/usr/local/apache2/bin/suexec \
+        --with-suexec-caller=daemon \
+        --with-suexec-uidmin=500 \
+        --with-suexec-logfile=/usr/local/apache2/logs/suexec_log \
+        --with-suexec-gidmin=20 \
+        --with-suexec-userdir=Sites \
+</code>
+And the result of ''suexec -V'':
+<code>
+ -D AP_DOC_ROOT="/private/var/www"
+ -D AP_GID_MIN=20
+ -D AP_HTTPD_USER="daemon"
+ -D AP_LOG_EXEC="/usr/local/apache2/logs/suexec_log"
+ -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
+ -D AP_UID_MIN=500
+ -D AP_USERDIR_SUFFIX="Sites"
+</code>
+Again, note that HTTPD_USER is ''daemon'', or the user that Apache runs as.  The GID_MIN and UID_MIN are set for the minimum uids of the user running the executables.
+Related config:
+<code>
+SuexecUserGroup steve staff
+</code>
+==== Gentoo ====
+  *  SUEXEC_SAFEPATH: Default PATH for suexec (default: /usr/local/bin:/usr/bin:/bin)
+  *   SUEXEC_LOGFILE: Path to the suexec logfile (default: /var/log/apache2/suexec_log)
+  *    SUEXEC_CALLER: Name of the user Apache is running as (default: apache)
+  *   SUEXEC_DOCROOT: Directory in which suexec will run scripts (default: /var/www)
+  *    SUEXEC_MINUID: Minimum UID, which is allowed to run scripts via suexec (default: 1000)
+  *    SUEXEC_MINGID: Minimum GID, which is allowed to run scripts via suexec (default: 100)
+  *   SUEXEC_USERDIR: User subdirectories (like /home/user/html) (default: public_html)
+  *     SUEXEC_UMASK: Umask for the suexec process (default: 077)

Trace:

Differences

Navigation

Search

Toolbox

QR Code