Suexec and Apache: A Tutorial Page 2

By Ken Coar (Send Email)
Posted Jul 12, 2000

The requested script must be a valid Web-space reference relative to the user's directory or the DocumentRoot; it cannot be an absolute filesystem path (i.e., it cannot start with a "/") and cannot include any up-level references (i.e., no "../" references either).

The username and group under which the script is to be run must be valid, cannot be 'root', and must be above the minimum UID and GID values (set with the --suexecuidmin and --suexec-gidmin options to the configure script, which both default to 100). In addition, the group must be a valid name, and not just a numeric GID.

The wrapper must be able to change its idenity to the requested username and group.

The script (and obviously the directory in which it lives) must actually exist and the wrapper must be able to chdir() to the directory.

If the script isn't from a ~username request, the script directory must be under the directory specified by DOC_ROOT (defined by the --suexec-docroot option to configure).

The permissions on the specified script and its parent directory must not allow write access to either the group or the other categories.

The script file cannot be setuid or setgid.

The script and the directory must be owned by the user and group as which it is to be executed.

The script must be executable by the user.

suexec must be able to allocate memory in which to reproduce the environment variable list.

As you can see, the requirements for execution are pretty stringent. The sheer number of things that can go wrong argues for the use of the wrapper only when it's really necessary.

Enabling suexec

The suexec wrapper isn't turned on or off by any particular Apache directive setting. Instead, when the Apache server is compiled, one of the constants set (SUEXEC_BIN) is a string pointing to the location of the suexec binary. When the server starts, it looks for the binary at that location; if it's found, suexec is enabled--not otherwise. This is very important.

This means that even a normal Apache build that was performed without any thought given to using the wrapper can suddenly become suexec-enabled if a properly protected suexec binary is put into place between server restarts. In the master sources, the default value of SUEXEC_BIN is set to "/sbin/suexec"; the default value of HTTPD_ROOT is platform-specific:

Platform	Default value of `HTTPD_ROOT`	Resulting default `SUEXEC_BIN` value
OS/2	`/os2httpd`	`/os2httpd/sbin/suexec`
Windows	`/apache`	`/apache/sbin/suexec`
BeOS	`/boot/home/apache`	`/boot/home/apache/sbin/suexec`
Novell NetWare	`sys:/apache`	`sys:/apache/sbin/suexec`
All others	`/usr/local/apache`	`/usr/local/apache/sbin/suexec`

You may change the values of either--or both--of the HTTPD_ROOT and SUEXEC_BIN constants when you recompile the Apache server.

Page 2 of 9

Previous Page 1 2 3 4 5 6 7 8 9 Next Page

IT Solutions Builder TOP IT RESOURCES TO MOVE YOUR BUSINESS FORWARD

Which topic are you interested in?

Mobile

Security

Networks/IoT

Cloud

Data Storage

Applications

Development

IT Management

Other

What is your company size?

What is your job title?

What is your job function?

Searching our resource database to find your matches...

0 Comments (click to add your comment)

Advertiser Disclosure: Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.

Thanks for your registration, follow us on our social networks to keep up-to-date