Suexec and Apache: A Tutorial Page 4

The default value for this option is PREFIX/share/htdocs, where 'PREFIX' comes from the value of the --prefix option, explicit or implied.

Another one of suexec's restrictions is that the user it's being asked to execute the script as mustn't be considered 'privileged.' On Linux and other Unix-like systems this generally means that it mustn't be the root user, but suexec takes this a step further and will refuse to execute as any user with a group ID less than the value of this option.

The default value for this option, if not specified, is 100.

This specifies the name of the file to which the wrapper will report errors and successful invocations. It is opened and accessed as root, but closed before control is passed to the script.

The default for this option is PREFIX/var/log/suexec_log, where 'PREFIX' is the value from the --prefix option.

Not only is the list of environment variables examined and sanitized before the script is invoked, but the default PATH is set to a known list of directories as well. This list is hard-coded at compile-time, and is defined by this option.

The default value for --suexec-safepath is /usr/local/bin:/usr/bin:/bin.

As with the --suexec-gidmin option described earlier, this option is used to inform suexec of forbidden UID values. If a request is made that would result in the execution of a script by a user with a UID equal to or less than this value, the wrapper will log the fact and not process the request. This foils things like a request for ~root/script.

The default value for this option is 100.

This option defines the default permission mode to be applied to files created by the script (if it doesn't explicitly set them itself). The umask is specified as a three-digit octal number indicating which permission bits should not be set; see the description of the umask(1) command for more details.

If this option isn't defined at compile-time, at run-time the suexec wrapper will inherit the umask setting from the parent Apache server process.

This option specifies the subdirectory underneath a user's home directory that suexec will use to find scripts for ~username-style URLs. This needs to match the setting of the UserDir directive in your server configuration files.

Note: suexec can only handle simple subdirectory expressions. The more complex pattern-handling capabilities of the mod_userdir module (which implements the UserDir directive) cannot be used with the suexec wrapper.

The default --suexec-userdir setting is public_html.

If you want to change the location of the suexec binary, you can do so by adding a new definition of SUEXEC_BIN to the compilation flags:

    % env CFLAGS="-Wall -DSUEXEC_BIN=\"/usr/local/web/apache/suexec\"" \
    >  ./configure --enable-suexec ...

You should be extremely cautious about changing other definitions, such as HTTPD_ROOT, however, since suexec isn't the only part of Apache that uses them.

User IDs Suexec Will Use

This article was originally published on Jul 12, 2000

Thanks for your registration, follow us on our social networks to keep up-to-date