ServersSuexec and Apache: A Tutorial Page 2

Suexec and Apache: A Tutorial Page 2

ServerWatch content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

The requested script must be a valid Web-space reference relative to the
user’s directory or the DocumentRoot; it cannot be an absolute filesystem path
(i.e., it cannot start with a “/“) and cannot
include any up-level references (i.e., no “../
references either).

  • The username and group under which the script is to be run must be valid,
    cannot be ‘root‘, and must be above the minimum UID and GID values
    (set with the --suexecuidmin and --suexec-gidmin
    options to the configure script, which both default to 100). In
    addition, the group must be a valid name, and not just a numeric GID.
  • The wrapper must be able to change its idenity to the requested username
    and group.
  • The script (and obviously the directory in which it lives) must actually
    exist and the wrapper must be able to chdir() to the directory.
  • If the script isn’t from a ~username request, the script
    directory must be under the directory specified by DOC_ROOT
    (defined by the --suexec-docroot option to
  • The permissions on the specified script and its parent directory must not
    allow write access to either the group or the other
  • The script file cannot be setuid or setgid.
  • The script and the directory must be owned by the user and group as
    which it is to be executed.
  • The script must be executable by the user.
  • suexec must be able to allocate memory in which to reproduce
    the environment variable list.
  • As you can see, the requirements for execution are pretty stringent. The
    sheer number of things that can go wrong argues for the use of the wrapper only
    when it’s really necessary.

    Enabling suexec

    The suexec wrapper isn’t turned on or off by any particular
    Apache directive setting. Instead, when the Apache server is compiled, one of
    the constants set (SUEXEC_BIN) is a string pointing to the
    location of the suexec binary. When the server starts, it looks
    for the binary at that location; if it’s found, suexec is
    enabled–not otherwise. This is very important.

    This means that even a normal Apache build that was performed without any
    thought given to using the wrapper can suddenly become
    suexec-enabled if a properly protected suexec binary
    is put into place between server restarts. In the master sources, the default
    value of SUEXEC_BIN is set to
    /sbin/suexec“; the default value of
    HTTPD_ROOT is platform-specific:

    Platform Default value of HTTPD_ROOT Resulting default SUEXEC_BIN value
    OS/2 /os2httpd /os2httpd/sbin/suexec
    Windows /apache /apache/sbin/suexec
    BeOS /boot/home/apache /boot/home/apache/sbin/suexec
    Novell NetWare sys:/apache sys:/apache/sbin/suexec
    All others /usr/local/apache /usr/local/apache/sbin/suexec

    You may change the values of either–or both–of the
    HTTPD_ROOT and SUEXEC_BIN constants when you
    recompile the Apache server.

    Get the Free Newsletter!

    Subscribe to Daily Tech Insider for top news, trends & analysis

    Latest Posts

    Related Stories