1 <?xml version="1.0" encoding="ISO-8859-1"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5 This file is generated from xml source: DO NOT EDIT
6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8 <title>suEXEC Support - Apache HTTP Server</title>
9 <link href="./style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
10 <link href="./style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
11 <link href="./style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="./style/css/prettify.css" />
12 <script src="./style/scripts/prettify.js" type="text/javascript">
15 <link href="./images/favicon.ico" rel="shortcut icon" /></head>
16 <body id="manual-page"><div id="page-header">
17 <p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/directives.html">Directives</a> | <a href="./faq/">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p>
18 <p class="apache">Apache HTTP Server Version 2.5</p>
19 <img alt="" src="./images/feather.gif" /></div>
20 <div class="up"><a href="./"><img title="<-" alt="<-" src="./images/left.gif" /></a></div>
22 <a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="./">Version 2.5</a></div><div id="page-content"><div id="preamble"><h1>suEXEC Support</h1>
24 <p><span>Available Languages: </span><a href="./en/suexec.html" title="English"> en </a> |
25 <a href="./fr/suexec.html" hreflang="fr" rel="alternate" title="Français"> fr </a> |
26 <a href="./ja/suexec.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a> |
27 <a href="./ko/suexec.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> |
28 <a href="./tr/suexec.html" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p>
31 <p>The <strong>suEXEC</strong> feature provides users of the Apache
32 HTTP Server the ability
33 to run <strong>CGI</strong> and <strong>SSI</strong> programs
34 under user IDs different from the user ID of the calling
35 web server. Normally, when a CGI or SSI program executes, it
36 runs as the same user who is running the web server.</p>
38 <p>Used properly, this feature can reduce
39 considerably the security risks involved with allowing users to
40 develop and run private CGI or SSI programs. However, if suEXEC
41 is improperly configured, it can cause any number of problems
42 and possibly create new holes in your computer's security. If
43 you aren't familiar with managing <em>setuid root</em> programs
44 and the security issues they present, we highly recommend that
45 you not consider using suEXEC.</p>
47 <div id="quickview"><ul id="toc"><li><img alt="" src="./images/down.gif" /> <a href="#before">Before we begin</a></li>
48 <li><img alt="" src="./images/down.gif" /> <a href="#model">suEXEC Security Model</a></li>
49 <li><img alt="" src="./images/down.gif" /> <a href="#install">Configuring & Installing
51 <li><img alt="" src="./images/down.gif" /> <a href="#enable">Enabling & Disabling
53 <li><img alt="" src="./images/down.gif" /> <a href="#usage">Using suEXEC</a></li>
54 <li><img alt="" src="./images/down.gif" /> <a href="#debug">Debugging suEXEC</a></li>
55 <li><img alt="" src="./images/down.gif" /> <a href="#jabberwock">Beware the Jabberwock:
56 Warnings & Examples</a></li>
58 <div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
60 <h2><a name="before" id="before">Before we begin</a></h2>
62 <p>Before jumping head-first into this document,
63 you should be aware that certain assumptions are made about you and
64 the environment in which you will be using suexec.</p>
66 <p>First, it is assumed that you are using a UNIX
67 derivative operating system that is capable of
68 <strong>setuid</strong> and <strong>setgid</strong> operations.
69 All command examples are given in this regard. Other platforms,
70 if they are capable of supporting suEXEC, may differ in their
73 <p>Second, it is assumed you are familiar with
74 some basic concepts of your computer's security and its
75 administration. This involves an understanding of
76 <strong>setuid/setgid</strong> operations and the various
77 effects they may have on your system and its level of
80 <p>Third, it is assumed that you are using an
81 <strong>unmodified</strong> version of suEXEC code. All code
82 for suEXEC has been carefully scrutinized and tested by the
83 developers as well as numerous beta testers. Every precaution
84 has been taken to ensure a simple yet solidly safe base of
85 code. Altering this code can cause unexpected problems and new
86 security risks. It is <strong>highly</strong> recommended you
87 not alter the suEXEC code unless you are well versed in the
88 particulars of security programming and are willing to share
89 your work with the Apache HTTP Server development team for consideration.</p>
91 <p>Fourth, and last, it has been the decision of
92 the Apache HTTP Server development team to <strong>NOT</strong> make suEXEC part of
93 the default installation of Apache httpd. To this end, suEXEC
94 configuration requires of the administrator careful attention
95 to details. After due consideration has been given to the
96 various settings for suEXEC, the administrator may install
97 suEXEC through normal installation methods. The values for
98 these settings need to be carefully determined and specified by
99 the administrator to properly maintain system security during
100 the use of suEXEC functionality. It is through this detailed
101 process that we hope to limit suEXEC
102 installation only to those who are careful and determined
103 enough to use it.</p>
105 <p>Still with us? Yes? Good. Let's move on!</p>
106 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
107 <div class="section">
108 <h2><a name="model" id="model">suEXEC Security Model</a></h2>
110 <p>Before we begin configuring and installing
111 suEXEC, we will first discuss the security model you are about
112 to implement. By doing so, you may better understand what
113 exactly is going on inside suEXEC and what precautions are
114 taken to ensure your system's security.</p>
116 <p><strong>suEXEC</strong> is based on a setuid
117 "wrapper" program that is called by the main Apache HTTP Server.
118 This wrapper is called when an HTTP request is made for a CGI
119 or SSI program that the administrator has designated to run as
120 a userid other than that of the main server. When such a
121 request is made, Apache httpd provides the suEXEC wrapper with the
122 program's name and the user and group IDs under which the
123 program is to execute.</p>
125 <p>The wrapper then employs the following process
126 to determine success or failure -- if any one of these
127 conditions fail, the program logs the failure and exits with an
128 error, otherwise it will continue:</p>
132 <strong>Is the user executing this wrapper a valid user of
133 this system?</strong>
136 This is to ensure that the user executing the wrapper is
137 truly a user of the system.
142 <strong>Was the wrapper called with the proper number of
146 The wrapper will only execute if it is given the proper
147 number of arguments. The proper argument format is known
148 to the Apache HTTP Server. If the wrapper is not receiving
149 the proper number of arguments, it is either being
150 hacked, or there is something wrong with the suEXEC
151 portion of your Apache httpd binary.
156 <strong>Is this valid user allowed to run the
160 Is this user the user allowed to run this wrapper? Only
161 one user (the Apache user) is allowed to execute this
167 <strong>Does the target CGI or SSI program have an unsafe
168 hierarchical reference?</strong>
171 Does the target CGI or SSI program's path contain a leading
172 '/' or have a '..' backreference? These are not allowed; the
173 target CGI/SSI program must reside within suEXEC's document
174 root (see <code>--with-suexec-docroot=<em>DIR</em></code>
180 <strong>Is the target user name valid?</strong>
183 Does the target user exist?
188 <strong>Is the target group name valid?</strong>
191 Does the target group exist?
196 <strong>Is the target user <em>NOT</em> superuser?</strong>
200 suEXEC does not allow <code><em>root</em></code>
201 to execute CGI/SSI programs.
206 <strong>Is the target userid <em>ABOVE</em> the minimum ID
210 The minimum user ID number is specified during
211 configuration. This allows you to set the lowest possible
212 userid that will be allowed to execute CGI/SSI programs.
213 This is useful to block out "system" accounts.
218 <strong>Is the target group <em>NOT</em> the superuser
222 Presently, suEXEC does not allow the <code><em>root</em></code>
223 group to execute CGI/SSI programs.
228 <strong>Is the target groupid <em>ABOVE</em> the minimum ID
232 The minimum group ID number is specified during
233 configuration. This allows you to set the lowest possible
234 groupid that will be allowed to execute CGI/SSI programs.
235 This is useful to block out "system" groups.
240 <strong>Can the wrapper successfully become the target user
244 Here is where the program becomes the target user and
245 group via setuid and setgid calls. The group access list
246 is also initialized with all of the groups of which the
252 <strong>Can we change directory to the one in which the target
253 CGI/SSI program resides?</strong>
256 If it doesn't exist, it can't very well contain files. If we
257 can't change directory to it, it might as well not exist.
262 <strong>Is the directory within the httpd webspace?</strong>
265 If the request is for a regular portion of the server, is
266 the requested directory within suEXEC's document root? If
267 the request is for a <code class="directive"><a href="./mod/mod_userdir.html#userdir">UserDir</a></code>, is the requested directory
268 within the directory configured as suEXEC's userdir (see
269 <a href="#install">suEXEC's configuration options</a>)?
274 <strong>Is the directory <em>NOT</em> writable by anyone
278 We don't want to open up the directory to others; only
279 the owner user may be able to alter this directories
285 <strong>Does the target CGI/SSI program exist?</strong>
288 If it doesn't exists, it can't very well be executed.
293 <strong>Is the target CGI/SSI program <em>NOT</em> writable
294 by anyone else?</strong>
297 We don't want to give anyone other than the owner the
298 ability to change the CGI/SSI program.
303 <strong>Is the target CGI/SSI program <em>NOT</em> setuid or
307 We do not want to execute programs that will then change
313 <strong>Is the target user/group the same as the program's
317 Is the user the owner of the file?
322 <strong>Can we successfully clean the process environment
323 to ensure safe operations?</strong>
326 suEXEC cleans the process' environment by establishing a
327 safe execution PATH (defined during configuration), as
328 well as only passing through those variables whose names
329 are listed in the safe environment list (also created
330 during configuration).
335 <strong>Can we successfully become the target CGI/SSI program
336 and execute?</strong>
339 Here is where suEXEC ends and the target CGI/SSI program begins.
344 <p>This is the standard operation of the
345 suEXEC wrapper's security model. It is somewhat stringent and
346 can impose new limitations and guidelines for CGI/SSI design,
347 but it was developed carefully step-by-step with security in
350 <p>For more information as to how this security
351 model can limit your possibilities in regards to server
352 configuration, as well as what security risks can be avoided
353 with a proper suEXEC setup, see the <a href="#jabberwock">"Beware the Jabberwock"</a> section of this
355 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
356 <div class="section">
357 <h2><a name="install" id="install">Configuring & Installing
360 <p>Here's where we begin the fun.</p>
362 <p><strong>suEXEC configuration
363 options</strong><br />
367 <dt><code>--enable-suexec</code></dt>
369 <dd>This option enables the suEXEC feature which is never
370 installed or activated by default. At least one
371 <code>--with-suexec-xxxxx</code> option has to be provided
372 together with the <code>--enable-suexec</code> option to let
373 APACI accept your request for using the suEXEC feature.</dd>
375 <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
377 <dd>The path to the <code>suexec</code> binary must be hard-coded
378 in the server for security reasons. Use this option to override
379 the default path. <em>e.g.</em>
380 <code>--with-suexec-bin=/usr/sbin/suexec</code></dd>
382 <dt><code>--with-suexec-caller=<em>UID</em></code></dt>
384 <dd>The <a href="mod/mpm_common.html#user">username</a> under which
385 httpd normally runs. This is the only user allowed to
386 execute the suEXEC wrapper.</dd>
388 <dt><code>--with-suexec-userdir=<em>DIR</em></code></dt>
390 <dd>Define to be the subdirectory under users' home
391 directories where suEXEC access should be allowed. All
392 executables under this directory will be executable by suEXEC
393 as the user so they should be "safe" programs. If you are
394 using a "simple" <code class="directive"><a href="./mod/mod_userdir.html#userdir">UserDir</a></code>
395 directive (ie. one without a "*" in it) this should be set to the same
396 value. suEXEC will not work properly in cases where the <code class="directive"><a href="./mod/mod_userdir.html#userdir">UserDir</a></code> directive points to
397 a location that is not the same as the user's home directory
398 as referenced in the <code>passwd</code> file. Default value is
399 "<code>public_html</code>".<br />
400 If you have virtual hosts with a different <code class="directive"><a href="./mod/mod_userdir.html#userdir">UserDir</a></code> for each,
401 you will need to define them to all reside in one parent
402 directory; then name that parent directory here. <strong>If
403 this is not defined properly, "~userdir" cgi requests will
404 not work!</strong></dd>
406 <dt><code>--with-suexec-docroot=<em>DIR</em></code></dt>
408 <dd>Define as the DocumentRoot set for httpd. This will be
409 the only hierarchy (aside from <code class="directive"><a href="./mod/mod_userdir.html#userdir">UserDir</a></code>s) that can be used for suEXEC behavior. The
410 default directory is the <code>--datadir</code> value with the suffix
411 "<code>/htdocs</code>", <em>e.g.</em> if you configure with
412 "<code>--datadir=/home/apache</code>" the directory
413 "<code>/home/apache/htdocs</code>" is used as document root for the
416 <dt><code>--with-suexec-uidmin=<em>UID</em></code></dt>
418 <dd>Define this as the lowest UID allowed to be a target user
419 for suEXEC. For most systems, 500 or 100 is common. Default
422 <dt><code>--with-suexec-gidmin=<em>GID</em></code></dt>
424 <dd>Define this as the lowest GID allowed to be a target
425 group for suEXEC. For most systems, 100 is common and
426 therefore used as default value.</dd>
428 <dt><code>--with-suexec-logfile=<em>FILE</em></code></dt>
430 <dd>This defines the filename to which all suEXEC
431 transactions and errors are logged (useful for auditing and
432 debugging purposes). By default the logfile is named
433 "<code>suexec_log</code>" and located in your standard logfile
434 directory (<code>--logfiledir</code>).</dd>
436 <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
438 <dd>Define a safe PATH environment to pass to CGI
439 executables. Default value is
440 "<code>/usr/local/bin:/usr/bin:/bin</code>".</dd>
443 <h3>Compiling and installing the suEXEC wrapper</h3>
446 <p>If you have enabled the suEXEC feature with the
447 <code>--enable-suexec</code> option the <code>suexec</code> binary
448 (together with httpd itself) is automatically built if you execute
449 the <code>make</code> command.</p>
451 <p>After all components have been built you can execute the
452 command <code>make install</code> to install them. The binary image
453 <code>suexec</code> is installed in the directory defined by the
454 <code>--sbindir</code> option. The default location is
455 "/usr/local/apache2/bin/suexec".</p>
457 <p>Please note that you need <strong><em>root
458 privileges</em></strong> for the installation step. In order
459 for the wrapper to set the user ID, it must be installed as
460 owner <code><em>root</em></code> and must have the setuserid
461 execution bit set for file modes.</p>
464 <h3>Setting paranoid permissions</h3>
467 <p>Although the suEXEC wrapper will check to ensure that its
468 caller is the correct user as specified with the
469 <code>--with-suexec-caller</code> <code class="program"><a href="./programs/configure.html">configure</a></code>
471 always the possibility that a system or library call suEXEC uses
472 before this check may be exploitable on your system. To counter
473 this, and because it is best-practise in general, you should use
474 filesystem permissions to ensure that only the group httpd
475 runs as may execute suEXEC.</p>
477 <p>If for example, your web server is configured to run as:</p>
479 <div class="example"><p><code>
484 <p>and <code class="program"><a href="./programs/suexec.html">suexec</a></code> is installed at
485 "/usr/local/apache2/bin/suexec", you should run:</p>
487 <div class="example"><p><code>
488 chgrp webgroup /usr/local/apache2/bin/suexec<br />
489 chmod 4750 /usr/local/apache2/bin/suexec<br />
492 <p>This will ensure that only the group httpd runs as can even
493 execute the suEXEC wrapper.</p>
495 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
496 <div class="section">
497 <h2><a name="enable" id="enable">Enabling & Disabling
500 <p>Upon startup of httpd, it looks for the file
501 <code class="program"><a href="./programs/suexec.html">suexec</a></code> in the directory defined by the
502 <code>--sbindir</code> option (default is
503 "/usr/local/apache/sbin/suexec"). If httpd finds a properly
504 configured suEXEC wrapper, it will print the following message
505 to the error log:</p>
507 <div class="example"><p><code>
508 [notice] suEXEC mechanism enabled (wrapper: <var>/path/to/suexec</var>)
511 <p>If you don't see this message at server startup, the server is
512 most likely not finding the wrapper program where it expects
513 it, or the executable is not installed <em>setuid root</em>.</p>
515 <p>If you want to enable the suEXEC mechanism for the first time
516 and an Apache HTTP Server is already running you must kill and
517 restart httpd. Restarting it with a simple HUP or USR1 signal
518 will not be enough. </p>
519 <p>If you want to disable suEXEC you should kill and restart
520 httpd after you have removed the <code class="program"><a href="./programs/suexec.html">suexec</a></code> file.</p>
521 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
522 <div class="section">
523 <h2><a name="usage" id="usage">Using suEXEC</a></h2>
525 <p>Requests for CGI programs will call the suEXEC wrapper only if
526 they are for a virtual host containing a <code class="directive"><a href="./mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive or if
527 they are processed by <code class="module"><a href="./mod/mod_userdir.html">mod_userdir</a></code>.</p>
529 <p><strong>Virtual Hosts:</strong><br /> One way to use the suEXEC
530 wrapper is through the <code class="directive"><a href="./mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive in
531 <code class="directive"><a href="./mod/core.html#virtualhost">VirtualHost</a></code> definitions. By
532 setting this directive to values different from the main server
533 user ID, all requests for CGI resources will be executed as the
534 <em>User</em> and <em>Group</em> defined for that <code class="directive"><a href="./mod/core.html#virtualhost"><VirtualHost></a></code>. If this
535 directive is not specified for a <code class="directive"><a href="./mod/core.html#virtualhost"><VirtualHost></a></code> then the main server userid
538 <p><strong>User directories:</strong><br /> Requests that are
539 processed by <code class="module"><a href="./mod/mod_userdir.html">mod_userdir</a></code> will call the suEXEC
540 wrapper to execute CGI programs under the userid of the requested
541 user directory. The only requirement needed for this feature to
542 work is for CGI execution to be enabled for the user and that the
543 script must meet the scrutiny of the <a href="#model">security
544 checks</a> above. See also the
545 <code>--with-suexec-userdir</code> <a href="#install">compile
546 time option</a>.</p> </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
547 <div class="section">
548 <h2><a name="debug" id="debug">Debugging suEXEC</a></h2>
550 <p>The suEXEC wrapper will write log information
551 to the file defined with the <code>--with-suexec-logfile</code>
552 option as indicated above. If you feel you have configured and
553 installed the wrapper properly, have a look at this log and the
554 error_log for the server to see where you may have gone astray.</p>
556 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
557 <div class="section">
558 <h2><a name="jabberwock" id="jabberwock">Beware the Jabberwock:
559 Warnings & Examples</a></h2>
561 <p><strong>NOTE!</strong> This section may not be
562 complete. For the latest revision of this section of the
563 documentation, see the <a href="http://httpd.apache.org/docs/trunk/suexec.html">Online
564 Documentation</a> version.</p>
566 <p>There are a few points of interest regarding
567 the wrapper that can cause limitations on server setup. Please
568 review these before submitting any "bugs" regarding suEXEC.</p>
571 <li><strong>suEXEC Points Of Interest</strong></li>
574 Hierarchy limitations
577 For security and efficiency reasons, all suEXEC requests
578 must remain within either a top-level document root for
579 virtual host requests, or one top-level personal document
580 root for userdir requests. For example, if you have four
581 VirtualHosts configured, you would need to structure all
582 of your VHosts' document roots off of one main httpd
583 document hierarchy to take advantage of suEXEC for
584 VirtualHosts. (Example forthcoming.)
589 suEXEC's PATH environment variable
592 This can be a dangerous thing to change. Make certain
593 every path you include in this define is a
594 <strong>trusted</strong> directory. You don't want to
595 open people up to having someone from across the world
596 running a trojan horse on them.
601 Altering the suEXEC code
604 Again, this can cause <strong>Big Trouble</strong> if you
605 try this without knowing what you are doing. Stay away
606 from it if at all possible.
612 <div class="bottomlang">
613 <p><span>Available Languages: </span><a href="./en/suexec.html" title="English"> en </a> |
614 <a href="./fr/suexec.html" hreflang="fr" rel="alternate" title="Français"> fr </a> |
615 <a href="./ja/suexec.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a> |
616 <a href="./ko/suexec.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> |
617 <a href="./tr/suexec.html" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p>
618 </div><div id="footer">
619 <p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
620 <p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/directives.html">Directives</a> | <a href="./faq/">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p></div><script type="text/javascript">
621 if (typeof(prettyPrint) !== undefined) {
projects / apache / blob