cd support [ENTER]
Edit the suexec.h file and change the following macros to match your local Apache installation.
From support/suexec.h
/*
* HTTPD_USER -- Define as the username under which Apache normally
* runs. This is the only user allowed to execute
* this program.
*/
#define HTTPD_USER "www"
/*
* LOG_EXEC -- Define this as a filename if you want all suEXEC
* transactions and errors logged for auditing and
* debugging purposes.
*/
#define LOG_EXEC "/usr/local/etc/httpd/logs/cgi.log"
/*
* DOC_ROOT -- Define as the DocumentRoot set for Apache. This
* will be the only hierarchy (aside from UserDirs)
* that can be used for suEXEC behaviour.
*/
#define DOC_ROOT "/usr/local/etc/httpd/htdocs"
/*
* NNAME -- Define this as the name for the nobody account
* on your operating system. Most systems will just
* need the default 'nobody'.
*/
#define NNAME "nobody"
/* NGID -- Define this as the *number* for the nogroup group
* on your operating system. Most systems will have
* a -1 or -2. Others might have something above
* 65000.
*/
#define NGID -1
cc suexec.c -o suexec [ENTER]
This should create the suexec wrapper executable.
From src/httpd.h
/* The path to the suEXEC wrapper */
#ifndef SUEXEC_BIN
#define SUEXEC_BIN "/usr/local/etc/httpd/sbin/suexec"
#endif
If your installation requires location of the wrapper program in a different directory, edit src/httpd.h and recompile your Apache server. See Compiling and Installing Apache for more info on this process.
In order for the wrapper to set the user id for execution requests, it must be installed with owner root and must have the setuserid execution bit set in its file mode. If you are not running a root user shell, do so now and execute the following commands.
chown root /usr/local/etc/httpd/sbin/suexec [ENTER]
chmod 4711 /usr/local/etc/httpd/sbin/suexec [ENTER]
Change the path to the suEXEC wrapper to match your system installation.
kill -1 `cat httpd.pid` will not be enough.
Upon startup of the webserver, if Apache finds a properly configured suexec wrapper, it will print the following message to the console.
Configuring Apache for use with suexec wrapper.
If you don't see this message at server startup, the server is most likely not finding the wrapper program where it expects it, or the executable is not installed setuid root. Check your installation and try again.
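The ownership and mode requirements above can be checked with a short script before restarting the server. This is an added example, not part of the original Apache documentation; the function names has_perm and check_wrapper and the optional owner argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit a suEXEC wrapper against the "owner root,
# mode 4711" requirement. Usage, with the page's default path:
#   check_wrapper /usr/local/etc/httpd/sbin/suexec

# has_perm PATH MODE: true if PATH has every bit of octal MODE set.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# check_wrapper PATH [OWNER]
# Prints one line per finding and returns 0 only if no FAIL was found.
# OWNER defaults to root; the override is an assumption of this example
# so the check can be tried on a scratch file without root.
check_wrapper() {
    path=$1
    owner=${2:-root}
    problems=0

    # A symlink or missing file cannot carry the setuid bit itself.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL: $path is missing or not a regular file"
        return 1
    fi
    if [ -z "$(find "$path" -prune -user "$owner" 2>/dev/null)" ]; then
        echo "FAIL: $path is not owned by $owner"; problems=1
    fi
    if ! has_perm "$path" 4000; then
        echo "FAIL: $path does not have the setuid bit set"; problems=1
    fi
    if ! has_perm "$path" 0100; then
        echo "FAIL: $path is not executable by its owner"; problems=1
    fi
    # The wrapper should be writable by its owner alone.
    if has_perm "$path" 0020 || has_perm "$path" 0002; then
        echo "FAIL: $path is group- or world-writable"; problems=1
    fi
    # Mode 4711 gives group and other execute only, not read.
    if has_perm "$path" 0040 || has_perm "$path" 0004; then
        echo "WARN: $path is readable by group or other"
    fi
    if [ "$problems" -eq 0 ]; then
        echo "OK: $path is owned by $owner and setuid"
    fi
    return "$problems"
}
```

A FAIL line for ownership or the setuid bit corresponds to the case described above in which the startup message does not appear.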
One way to use suEXEC is through the User and Group directives in VirtualHost definitions. By setting these directives to values different from the main server user id, all requests for CGI resources will be executed as the User and Group defined for that <VirtualHost>. If only one or neither of these directives are specified for a <VirtualHost> then the main server userid is assumed.
suEXEC can also be used to execute CGI programs as the user to which the request is being directed. This is accomplished by using the ~ character prefixing the user id for whom execution is desired. The only requirements for this feature to work are that CGI execution be enabled for the user and that the script meet the scrutiny of the security checks above.
suexec.h as indicated above. If you feel you have configured and installed the wrapper properly, have a look at this log and the error_log for the server to see where you may have gone astray.