Suexec and Apache: A Tutorial Page 5
Since the point of
suexec is to handle certain Web requests
under a different identity than the Apache server user, there needs to be some
way to specify just which user. There are two places from which Apache
will draw this information:
The username from URLs such as
Groupdirectives in the server configuration file,
The username to use is determined by checking these in the above order.
Group directives are ordinarily
<VirtualHost> containers, but in a
suexec-enabled server they take on new meaning for the virtual
host, defining the identity under which CGI scripts requested through that host
will be executed. If a virtual host doesn't have a
it inherits the server-wide value (which defines the username under which the
server itself is running) which will probably result in normal,
Incorporating Suexec Into Your Apache Server
If you have an Apache 1.3 server binary, it's capable of using a
suexec wrapper if it finds one in the expected place. (Until
Apache 1.3.11, there was no convenient way to find out what the 'expected
place' is; as of version 1.3.11, you can find out the value of the
SUEXEC_BIN compile-time constant, and whether there's a valid
wrapper at that location, with the '
httpd -l' runtime
If you're working with an Apache server that you inherited, or installed as
part of a package, you might not be sure whether
suexec is in
place or being used. If you want to be sure about it, the best thing to
do is to use the Apache build procedure, which will dot the Is and cross the Ts
when you '
The main mechanism
suexec uses to ensure safety is to rely on
a bunch of settings made at compile-time. Likewise, the only way Apache can be
made to even think about using
suexec is it if has been
compiled with that in mind. This means that you'll probably need to compile
both the Apache server and
suexec yourself. This is easily done as
part of the normal Apache build. Just use the following command and the rest is
% cd ./apache-1.3/ % ./configure \ > --enable-shared=max \ > --enable-module=most \ > --with-layout=Apache \ > --prefix=/usr/local/web/apache \ > --with-port=80 \ > --suexec-enable \ > --suexec-caller=nobody \ > --suexec-docroot=/usr/local/web
- The Red Hat 6.1 Apache RPM actually installs
suexecby default, which may cause you problems. If you don't want it, you'll need to either rebuild Apache or disable the
If your Apache installation is currently
suexec-enabled, it's very
simple to turn the wrapper off. Just do one or more of the following to the
Change the owner to be someone other than
- Delete or rename it
IT Solutions Builder TOP IT RESOURCES TO MOVE YOUR BUSINESS FORWARD
Which topic are you interested in?
What is your company size?
What is your job title?
What is your job function?
Searching our resource database to find your matches...