Suexec and Apache: A Tutorial Page 2
- …/") and cannot include any up-level references (i.e., no "../" references either).
- …root', and must be above the minimum UID and GID values (set with the --suexec-uidmin and --suexec-gidmin options to the configure script, which both default to 100). In addition, the group must be a valid name, and not just a numeric GID.
- …chdir() to the directory.
- …~username request, the script directory must be under the directory specified by DOC_ROOT (defined by the --suexec-docroot option to configure).
- …group or the other categories.
- suexec must be able to allocate memory in which to reproduce the environment variable list.

As you can see, the requirements for execution are pretty stringent. The sheer number of things that can go wrong argues for the use of the wrapper only when it's really necessary.
Enabling suexec
The suexec wrapper isn't turned on or off by any particular Apache directive setting. Instead, when the Apache server is compiled, one of the constants set (SUEXEC_BIN) is a string pointing to the location of the suexec binary. When the server starts, it looks for the binary at that location; if it's found, suexec is enabled--not otherwise. This is very important.

This means that even a normal Apache build that was performed without any thought given to using the wrapper can suddenly become suexec-enabled if a properly protected suexec binary is put into place between server restarts. In the master sources, the default value of SUEXEC_BIN is HTTPD_ROOT followed by "/sbin/suexec"; the default value of HTTPD_ROOT is platform-specific:
| Platform | Default value of HTTPD_ROOT | Resulting default SUEXEC_BIN value |
|---|---|---|
| OS/2 | /os2httpd | /os2httpd/sbin/suexec |
| Windows | /apache | /apache/sbin/suexec |
| BeOS | /boot/home/apache | /boot/home/apache/sbin/suexec |
| Novell NetWare | sys:/apache | sys:/apache/sbin/suexec |
| All others | /usr/local/apache | /usr/local/apache/sbin/suexec |
You may change the values of either--or both--of the HTTPD_ROOT and SUEXEC_BIN constants when you recompile the Apache server.
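Because a build that never had suexec in mind can start using a wrapper the moment a binary appears at SUEXEC_BIN, an administrator wants to know two things: which path the build was compiled with, and whether whatever sits at that path is a properly protected (root-owned, setuid, not group- or world-writable) wrapper. The following audit script is an added example, not code from the tutorial or from the Apache project; it assumes the build reports its constants through `httpd -V` as `-D SUEXEC_BIN="..."` lines and that `stat -c` is the GNU form.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit whether an httpd build
# will pick up a suexec wrapper at its compiled-in SUEXEC_BIN path, and
# whether the file sitting there is one you would want it to pick up.
#
# Assumptions not stated on the page: `httpd -V` lists build constants as
#   -D SUEXEC_BIN="/usr/local/apache/sbin/suexec"
# and `stat -c` is the GNU form (BSD/macOS need `stat -f '%u'` / `%p`).

# Read `httpd -V` output on stdin; print the compiled-in SUEXEC_BIN path,
# or nothing if the build carries no such constant.
suexec_bin_from_v() {
    sed -n 's/^ *-D SUEXEC_BIN="\([^"]*\)".*$/\1/p'
}

# Classify a wrapper from its numeric owner uid ($1) and octal mode ($2):
#   enabled         - root-owned, setuid, not writable by group or other
#   writable        - setuid root, but group or other can modify it
#   not-setuid-root - cannot switch users, so it is not a working wrapper
classify_mode() {
    uid=$1
    m=$((0$2))                     # leading 0: parse the mode as octal
    [ "$uid" -eq 0 ] || { echo not-setuid-root; return 0; }
    [ $((m & 04000)) -ne 0 ] || { echo not-setuid-root; return 0; }  # setuid
    [ $((m & 022)) -eq 0 ] || { echo writable; return 0; }   # g/o write bits
    echo enabled
}

# Classify the file at $1 the way the server would find it at startup.
# Prints "absent" when nothing is there, which means suexec stays disabled.
check_wrapper() {
    path=$1
    [ -e "$path" ] || { echo absent; return 0; }
    classify_mode "$(stat -c '%u' "$path")" "$(stat -c '%a' "$path")"
}

# Usage: feed the running build's constants and check the path it reports.
#   bin=$(httpd -V | suexec_bin_from_v)
#   [ -n "$bin" ] && echo "$bin: $(check_wrapper "$bin")"
```

Run it after every restart-worthy change to the server tree: an "absent" result that turns into "enabled" between two runs is exactly the silent activation the text warns about.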