suEXEC the CGI wrapper
A CGI wrapper is a system that executes scripts in
a safe and controlled fashion. It also allows scripts to
be executed as the same user and group as the virtual host.
This gives scripts the proper permissions to execute
and use the user's directory tree. It also stops scripts
from affecting folders the owner shouldn't have access to.
Setting up suEXEC
suEXEC can be difficult to set up; it depends on whether
you compiled Apache yourself or whether it came with your
distribution. Your distribution may have configured suEXEC
correctly for you, in which case you'll just need to enable
it. You can check your suEXEC settings with the command:-
suexec -V
In our example we are running RedHat 9, which comes with
Apache 2 by default. However, suEXEC is not configured properly
by default, so you need to recompile suEXEC (not the whole
of Apache) with the correct settings to get it working.
Here is our quick guide.
- Check your suEXEC settings
suexec -V
- The interesting bit of info is AP_DOC_ROOT. Default
is "/var/www". If this isn't the same as the
directory where your site files are ("/home"
for RH9) you're going to need to recompile it. If it is
the same then you're lucky! You can skip to step 15.
- Download and decompress the source RPM for httpd.
- Navigate to the "support" sub folder
of the httpd source directory (such as "/usr/src/redhat/SOURCES/httpd-2.0.40/support/")
- Edit the file "suexec.h" and change the lines:-
- #define AP_DOC_ROOT "/var/www"
to the location of your site files such as:-
#define AP_DOC_ROOT "/home"
- #define AP_HTTPD_USER "apache"
to the user you have set for Apache
- #define AP_LOG_EXEC "/some/long/thing/I've/forgot/suexec.log"
to something sensible like:-
#define AP_LOG_EXEC "/var/log/httpd/suexec.log"
- Now you'll need to configure the apache source:-
./configure --prefix=/usr/local/apache2
- Now:-
make
- And Now:-
make suexec
- Now replace your old suexec executable with your new
one, backing up the old one first:-
cd /usr/sbin
mv suexec suexec.bak
cp /usr/src/redhat/SOURCES/httpd-2.0.40/support/suexec suexec
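- Don't forget to change the group and owner to the same
as the old suexec file!!! The owner must be root, because
suexec is a setuid-root program; the group is the one Apache
runs as:-
ls -l suexec.bak
chgrp apache suexec
chown root suexec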
- Now make it executable:-
chmod 4510 suexec
- Ok that's suexec ready to go. Now open httpd.conf (make
a backup first) and add the line:-
LoadModule suexec_module modules/mod_suexec.so
- Now suexec is in use you can define the user and group
that scripts should be executed as for each VirtualHost.
In the following examples username and groupname should
be swapped with the actual user and group you want to use.
This should be the same as the owner and group of that
VirtualHost.
In Apache 2:-
<VirtualHost 111.111.111.111:80>
...
SuexecUserGroup username groupname
...
</VirtualHost>
In Apache 1:-
<VirtualHost 111.111.111.111:80>
...
User username
Group groupname
...
</VirtualHost>
- Restart apache and away you go!
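The checks from the first two steps and the ownership step can be scripted. The following is an added example, not part of the original guide; the function names, the sample "suexec -V" text and the site paths are assumptions made up for illustration.

```shell
#!/bin/sh
# Constructed sample in the " -D NAME=value" format that `suexec -V` prints;
# the values are made up for this example, not captured from a real host.
SAMPLE_V=' -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_UID_MIN=500'

# suexec_setting NAME: read `suexec -V` text on stdin, print NAME's value
# with any surrounding double quotes removed.
suexec_setting() {
    sed -n "s/^[[:space:]]*-D $1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p"
}

# under_docroot ROOT DIR: succeed only if DIR is ROOT or lies beneath it.
# Whole path components are compared, so /homework is not under /home.
# Assumes both paths are absolute and already canonical (no "..", no symlinks).
under_docroot() {
    r=${1%/}
    case "$2" in
        "$r"|"$r"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# outside_docroot V_TEXT DIR...: print every DIR that is not under the
# compiled-in AP_DOC_ROOT, i.e. the sites that need suexec recompiled.
outside_docroot() {
    doc_root=$(printf '%s\n' "$1" | suexec_setting AP_DOC_ROOT)
    shift
    for dir in "$@"; do
        under_docroot "$doc_root" "$dir" || printf '%s\n' "$dir"
    done
}

# binary_ok FILE: succeed if FILE is owned by root with mode 4510, the mode
# set in the guide above. Uses GNU stat (-c), as found on Red Hat systems.
binary_ok() {
    [ "$(stat -c '%U %a' "$1" 2>/dev/null)" = "root 4510" ]
}

# Demo on the constructed sample. On a real host, run as root and pass
# "$(suexec -V 2>&1)" instead of "$SAMPLE_V".
outside_docroot "$SAMPLE_V" /var/www/html /home/alice/public_html
```

After the rebuild, "binary_ok /usr/sbin/suexec" should succeed and outside_docroot should print nothing for your site directories.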