Suexec and Apache: A Tutorial Page 8
suexec wrapper isn't perfect, and some aspects of its
design result in it being less than ideally suited to all environments. Here
are some of the more common questions, changes, and enhancements that come up
again and again:
- The single
--suexec-docrootvalue is irksome. I have 50 virtual hosts with
/vhost2, and so on. The only way I can get
suexecto work with these is to use
--suexec-docroot=/, which hardly seems secure.
- This is unfortunately the way it is with the
suexecthat comes with Apache up through version 1.3.11. The value you specify for
--suexec-docrootmust be an ancestor of all of the non-
~usernamedocuments that use it. This restriction may be lifted in a future version, but even then it would require settings specified at compile-time, such as with something like
- I only want
suexecto be used in certain directories or user accounts.
- As of Apache 1.3.11,
suexecis an all-or-nothing proposition. If it's available and enabled, it will be used in all cases when a CGI script is invoked. A future version of Apache may provide a means of controlling this with greater granularity.
- Why don't the Apache CGI error messages say there's a problem with
- Because Apache really doesn't know that for a fact. All it knows is that
called an internal function to invoke the CGI, and the interaction with the
script failed as described in the error message. The error might have been
caused by a failure to meet
suexec's requirements, or it may have been the result of a bona fide error in the script itself.
- Why aren't
suexec's error messages logged in the Apache server log?
- In order for the messages from
suexecto appear in the main server's log, they would have to actually be passed to Apache so that Apache did the logging. Not only is this inappropriate for the Web server to do, but there would be additional confusion about into which error log the messages should go.
There are a few articles on the Web about working with the
suexec wrapper. Don't neglect the
man page included
with the source; you can view it directly with
% cd ./apache-1.3/src/support/ % man ./suexec.8
You can also find some documentation at the following URLs:
http://www.apache.org/docs/suexec_1_2.html> (this is largely obsolete)
suexec application is a double-edged sword. It allows you to
execute scripts under other personæ than the basic server
user--but it can also cut you unexpectedly if you're not careful. A single
misconfiguration can break all of your CGI scripts, so consider and plan
carefully, and test thoroughly, before implementing the wrapper on your
Got a Topic You Want Covered?