- <p><strong>Compiling and installing the suEXEC
- wrapper</strong><br />
- If you have enabled the suEXEC feature with the
- <code>--enable-suexec</code> option the <code>suexec</code> binary
- (together with Apache itself) is automatically built if you execute
- the <code>make</code> command.<br />
- After all components have been built you can execute the
- command <code>make install</code> to install them. The binary image
- <code>suexec</code> is installed in the directory defined by the
- <code>--sbindir</code> option. The default location is
- "/usr/local/apache2/sbin/suexec".<br />
- Please note that you need <strong><em>root
- privileges</em></strong> for the installation step. In order
- for the wrapper to set the user ID, it must be installed as
- owner <code><em>root</em></code> and must have the setuserid
- execution bit set for file modes.</p>
-
- <p><strong>Setting paranoid permissions</strong><br />
- Although the suEXEC wrapper will check to ensure that its
- caller is the correct user as specified with the
- <code>--with-suexec-caller</code> <code class="program"><a href="./programs/configure.html">configure</a></code>
- option, there is
- always the possibility that a system or library call suEXEC uses
- before this check may be exploitable on your system. To counter
- this, and because it is best-practise in general, you should use
- filesystem permissions to ensure that only the group Apache
- runs as may execute suEXEC.</p>
-
- <p>If for example, your web-server is configured to run as:</p>
-
-<div class="example"><p><code>
- User www<br />
- Group webgroup<br />
-</code></p></div>
-
- <p>and <code class="program"><a href="./programs/suexec.html">suexec</a></code> is installed at
- "/usr/local/apache2/sbin/suexec", you should run:</p>
-
-<div class="example"><p><code>
- chgrp webgroup /usr/local/apache2/bin/suexec<br />
- chmod 4750 /usr/local/apache2/bin/suexec<br />
-</code></p></div>
-
- <p>This will ensure that only the group Apache runs as can even
- execute the suEXEC wrapper.</p>
+ <h3>Compiling and installing the suEXEC wrapper</h3>
+
+
+ <p>If you have enabled the suEXEC feature with the
+ <code>--enable-suexec</code> option the <code>suexec</code> binary
+ (together with httpd itself) is automatically built if you execute
+ the <code>make</code> command.</p>
+
+ <p>After all components have been built you can execute the
+ command <code>make install</code> to install them. The binary image
+ <code>suexec</code> is installed in the directory defined by the
+ <code>--sbindir</code> option. The default location is
+ "/usr/local/apache2/bin/suexec".</p>
+
+ <p>Please note that you need <strong><em>root
+ privileges</em></strong> for the installation step. In order
+ for the wrapper to set the user ID, it must be installed as
+ owner <code><em>root</em></code> and must have the setuserid
+ execution bit set for file modes.</p>
+
+
+ <h3>Setting paranoid permissions</h3>
+
+
+ <p>Although the suEXEC wrapper will check to ensure that its
+ caller is the correct user as specified with the
+ <code>--with-suexec-caller</code> <code class="program"><a href="./programs/configure.html">configure</a></code>
+ option, there is
+ always the possibility that a system or library call suEXEC uses
+ before this check may be exploitable on your system. To counter
+ this, and because it is best-practise in general, you should use
+ filesystem permissions to ensure that only the group httpd
+ runs as may execute suEXEC.</p>
+
+ <p>If for example, your web server is configured to run as:</p>
+
+ <pre class="prettyprint lang-config">
+User www
+Group webgroup
+ </pre>
+
+
+ <p>and <code class="program"><a href="./programs/suexec.html">suexec</a></code> is installed at
+ "/usr/local/apache2/bin/suexec", you should run:</p>
+
+ <div class="example"><p><code>
+ chgrp webgroup /usr/local/apache2/bin/suexec<br />
+ chmod 4750 /usr/local/apache2/bin/suexec<br />
+ </code></p></div>
+
+ <p>This will ensure that only the group httpd runs as can even
+ execute the suEXEC wrapper.</p>
+
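Review bot: the added "Setting paranoid permissions" section gives "chmod 4750 /usr/local/apache2/bin/suexec" without saying what the mode encodes, and the requirement that the binary be owned by root is stated only in the previous section ("installed as owner root"). Consider adding a sentence after the command example that spells it out: setuid bit set, read/write/execute for owner root, read/execute for webgroup, nothing for others. That lets a reader confirm the result with ls -l and notice a wrong owner. Two smaller points on the same added lines: the carried-over wording "setuserid execution bit" and "best-practise" could become "setuid bit" and "best practice" while these paragraphs are being rewritten anyway, and the chgrp/chmod example still uses the div class="example" markup with br line breaks while the User/Group example beside it was converted to pre class="prettyprint lang-config", so the two examples in this section now render differently. The sbin to bin correction in the default location and in the "is installed at" sentence is good, since it now matches the path used in the commands.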