Suexec and Apache: A Tutorial Page 5
Since the point of suexec is to handle certain Web requests
under a different identity than the Apache server user, there needs to be some
way to specify just which user. There are two places from which Apache
will draw this information:
- The username from URLs such as
  <URL:http://somehost.com/~username/foo.cgi>, or
- the User and Group directives in the server configuration file, httpd.conf.
The username to use is determined by checking these in the above order.
The User and Group directives are ordinarily
ignored inside <VirtualHost> containers, but in a
suexec-enabled server they take on new meaning for the virtual
host, defining the identity under which CGI scripts requested through that host
will be executed. If a virtual host doesn't have a User directive,
it inherits the server-wide value (which defines the username under which the
server itself is running) which will probably result in normal,
non-suexec-enabled behaviour.
Incorporating Suexec Into Your Apache Server
If you have an Apache 1.3 server binary, it's capable of using a
suexec wrapper if it finds one in the expected place. (Until
Apache 1.3.11, there was no convenient way to find out what the 'expected
place' is; as of version 1.3.11, you can find out the value of the
SUEXEC_BIN compile-time constant, and whether there's a valid
wrapper at that location, with the 'httpd -l' command-line
switch.)
If you're working with an Apache server that you inherited, or installed as
part of a package, you might not be sure whether suexec is in
place or being used. If you want to be sure about it, the best thing to
do is to use the Apache build procedure, which will dot the Is and cross the Ts
when you 'make install'.
Suexec's safety rests largely on values fixed at compile time: the user it
will accept calls from, the document root beneath which scripts must live, the
lowest UID and GID it will switch to, and so on. Likewise, the only way Apache
can be made to even consider using suexec is if it has been compiled with that
in mind. This means that you'll probably need to compile both the Apache server
and suexec yourself. This is easily done as part of the normal Apache build.
Just use the following command and the rest is easy. Two of the options deserve
care: --suexec-caller must name the same user as the main server's User
directive, or suexec will refuse every call, and --suexec-docroot is the
directory beneath which all suexec-run scripts must reside. The remaining
compile-time limits have their own --suexec-* options (for example
--suexec-uidmin and --suexec-userdir):
% cd ./apache-1.3/
% ./configure \
> --enable-shared=max \
> --enable-module=most \
> --with-layout=Apache \
> --prefix=/usr/local/web/apache \
> --with-port=80 \
> --suexec-enable \
> --suexec-caller=nobody \
> --suexec-docroot=/usr/local/web
- Note: The Red Hat 6.1 Apache RPM actually installs suexec by default, which
  may cause you problems. If you don't want it, you'll need to either rebuild
  Apache or disable suexec execution.
Disabling Suexec
If your Apache installation is currently suexec-enabled, it's very
simple to turn the wrapper off. Just do one or more of the following to the
suexec binary:
- Clear the setuid bit
- Change the owner to be someone other than root
- Delete or rename it
Then restart Apache: it examines the wrapper's ownership and setuid bit only
at startup, and a running server will keep trying to use a wrapper that can no
longer do its job.
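The three properties those steps alter are exactly the ones Apache 1.3 examines at startup to decide whether a wrapper is usable: the file at SUEXEC_BIN must exist, be owned by root and carry the setuid bit. The script below, an added example that is not part of this tutorial or of the Apache sources, audits a wrapper for those conditions; it is also the quick check wanted earlier when you are unsure whether an inherited or packaged installation has suexec in place. The wrapper path is supplied by the caller (the SUEXEC_BIN value that 'httpd -l' prints), and the file name check_suexec.sh is assumed.

```shell
#!/bin/sh
# check_suexec.sh: report whether a suexec wrapper would be honoured by Apache.
# Apache 1.3 enables suexec at startup only if SUEXEC_BIN exists, is owned by
# root and has its setuid bit set; this script checks the same three things.
# Added example, not part of the tutorial or of Apache. The path argument is
# whatever 'httpd -l' reports as SUEXEC_BIN on your server (an assumption here).

suexec_status() {
    wrapper=$1
    if [ ! -f "$wrapper" ]; then
        echo "disabled: $wrapper is missing (deleted or renamed)"
        return 1
    fi
    # 'ls -ldn' puts the mode string in column 1 and the numeric owner in
    # column 3; unlike stat(1), its flags are the same on GNU and BSD systems.
    # Word splitting of the unquoted substitution is intentional.
    set -- $(ls -ldn "$wrapper")
    mode=$1
    uid=$3
    problems=""
    [ "$uid" -eq 0 ] || problems="$problems owner is uid $uid, not root;"
    # The fourth character of the mode string is 's' (setuid plus execute) or
    # 'S' (setuid without execute) when the setuid bit is on.
    case $mode in
        ???[sS]*) ;;
        *) problems="$problems setuid bit is not set (mode $mode);" ;;
    esac
    if [ -n "$problems" ]; then
        echo "disabled:$problems"
        return 1
    fi
    echo "enabled: $wrapper is root-owned and setuid ($mode)"
    return 0
}

# The first of the disabling steps above: clear the setuid bit. Restart Apache
# afterwards, because it looks at the wrapper only when it starts.
disable_suexec() {
    chmod u-s "$1"
}

# Usage: sh check_suexec.sh /usr/local/web/apache/bin/suexec
# Exit status 0 means Apache would treat the wrapper as valid.
if [ $# -gt 0 ]; then
    suexec_status "$1"
fi
```

Run it with the path that 'httpd -l' prints; a non-zero exit status means Apache will run CGI scripts as the server user rather than through the wrapper, and the message says which of the three conditions failed.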
