Apache HTTP Server Version 2.1
+ +Apache HTTP Server Version 2.5
Apache HTTP Server Version 2.1
+ +Apache HTTP Server Version 2.5
The suEXEC feature provides - Apache users the ability +
The suEXEC feature provides users of the Apache + HTTP Server the ability to run CGI and SSI programs under user IDs different from the user ID of the calling - web-server. Normally, when a CGI or SSI program executes, it + web server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.
Used properly, this feature can reduce @@ -49,14 +54,14 @@
Debugging suEXEC Beware the Jabberwock:
Warnings & Examples
Before jumping head-first into this document, - you should be aware of the assumptions made on the part of the - Apache Group and this document.
+ you should be aware that certain assumptions are made about you and + the environment in which you will be using suexec.First, it is assumed that you are using a UNIX derivative operating system that is capable of @@ -81,11 +86,11 @@ security risks. It is highly recommended you not alter the suEXEC code unless you are well versed in the particulars of security programming and are willing to share - your work with the Apache Group for consideration.
+ your work with the Apache HTTP Server development team for consideration.Fourth, and last, it has been the decision of - the Apache Group to NOT make suEXEC part of - the default installation of Apache. To this end, suEXEC + the Apache HTTP Server development team to NOT make suEXEC part of + the default installation of Apache httpd. To this end, suEXEC configuration requires of the administrator careful attention to details. After due consideration has been given to the various settings for suEXEC, the administrator may install @@ -93,7 +98,7 @@ these settings need to be carefully determined and specified by the administrator to properly maintain system security during the use of suEXEC functionality. It is through this detailed - process that the Apache Group hopes to limit suEXEC + process that we hope to limit suEXEC installation only to those who are careful and determined enough to use it.
@@ -109,11 +114,11 @@ taken to ensure your system's security.suEXEC is based on a setuid - "wrapper" program that is called by the main Apache web server. + "wrapper" program that is called by the main Apache HTTP Server. This wrapper is called when an HTTP request is made for a CGI or SSI program that the administrator has designated to run as a userid other than that of the main server. When such a - request is made, Apache provides the suEXEC wrapper with the + request is made, Apache httpd provides the suEXEC wrapper with the program's name and the user and group IDs under which the program is to execute.
@@ -125,7 +130,7 @@This is to ensure that the user executing the wrapper is @@ -135,21 +140,21 @@
The wrapper will only execute if it is given the proper number of arguments. The proper argument format is known - to the Apache web server. If the wrapper is not receiving + to the Apache HTTP Server. If the wrapper is not receiving the proper number of arguments, it is either being hacked, or there is something wrong with the suEXEC - portion of your Apache binary. + portion of your Apache httpd binary.
Is this user the user allowed to run this wrapper? Only @@ -160,7 +165,7 @@
Does the target CGI or SSI program's path contain a leading @@ -172,7 +177,7 @@
Does the target user exist? @@ -180,7 +185,7 @@
Does the target group exist? @@ -192,14 +197,14 @@
- Presently, suEXEC does not allow root
+ suEXEC does not allow root
to execute CGI/SSI programs.
The minimum user ID number is specified during @@ -211,7 +216,7 @@
Presently, suEXEC does not allow the root
@@ -221,7 +226,7 @@
The minimum group ID number is specified during @@ -233,7 +238,7 @@
Here is where the program becomes the target user and @@ -249,18 +254,17 @@
If it doesn't exist, it can't very well contain files. If we - can't change directory to it, it might aswell not exist. + can't change directory to it, it might as well not exist.
If the request is for a regular portion of the server, is
the requested directory within suEXEC's document root? If
- the request is for a UserDir, is the requested directory
+ the request is for a UserDir, is the requested directory
within the directory configured as suEXEC's userdir (see
suEXEC's configuration options)?
We don't want to open up the directory to others; only @@ -278,7 +282,7 @@
If it doesn't exists, it can't very well be executed. @@ -287,7 +291,7 @@
We don't want to give anyone other than the owner the @@ -297,7 +301,7 @@
We do not want to execute programs that will then change @@ -307,7 +311,7 @@
Is the user the owner of the file? @@ -316,7 +320,7 @@
suEXEC cleans the process' environment by establishing a @@ -329,7 +333,7 @@
Here is where suEXEC ends and the target CGI/SSI program begins. @@ -378,8 +382,8 @@
--with-suexec-caller=UID--with-suexec-userdir=DIRUserDir
+ directive (ie. one without a "*" in it) this should be set to the same
+ value. suEXEC will not work properly in cases where the UserDir directive points to
a location that is not the same as the user's home directory
- as referenced in the passwd file. Default value is
- "public_html".passwd file. Default value is
+ "public_html".UserDir for each,
you will need to define them to all reside in one parent
directory; then name that parent directory here. If
this is not defined properly, "~userdir" cgi requests will
@@ -401,13 +405,13 @@
--with-suexec-docroot=DIR--datadir
- value with the suffix "/htdocs", e.g. if you configure
- with "--datadir=/home/apache" the directory
- "/home/apache/htdocs" is used as document root for the suEXEC
- wrapper.UserDirs) that can be used for suEXEC behavior. The
+ default directory is the --datadir value with the suffix
+ "/htdocs", e.g. if you configure with
+ "--datadir=/home/apache" the directory
+ "/home/apache/htdocs" is used as document root for the
+ suEXEC wrapper.--with-suexec-uidmin=UID--logfiledir).suexec_log" and located in your standard logfile
+ directory (--logfiledir).
--with-suexec-safepath=PATH/usr/local/bin:/usr/bin:/bin".
- Compiling and installing the suEXEC
- wrapper
- If you have enabled the suEXEC feature with the
- --enable-suexec option the suexec binary
- (together with Apache itself) is automatically built if you execute
- the make command.
- After all components have been built you can execute the
- command make install to install them. The binary image
- suexec is installed in the directory defined by the
- --sbindir option. The default location is
- "/usr/local/apache2/sbin/suexec".
- Please note that you need root
- privileges for the installation step. In order
- for the wrapper to set the user ID, it must be installed as
- owner root and must have the setuserid
- execution bit set for file modes.
Setting paranoid permissions
- Although the suEXEC wrapper will check to ensure that its
- caller is the correct user as specified with the
- --with-suexec-caller configure
- option, there is
- always the possibility that a system or library call suEXEC uses
- before this check may be exploitable on your system. To counter
- this, and because it is best-practise in general, you should use
- filesystem permissions to ensure that only the group Apache
- runs as may execute suEXEC.
If for example, your web-server is configured to run as:
- -
- User www
- Group webgroup
-
and suexec is installed at
- "/usr/local/apache2/sbin/suexec", you should run:
- chgrp webgroup /usr/local/apache2/bin/suexec
- chmod 4750 /usr/local/apache2/bin/suexec
-
This will ensure that only the group Apache runs as can even - execute the suEXEC wrapper.
+If you have enabled the suEXEC feature with the
+ --enable-suexec option the suexec binary
+ (together with httpd itself) is automatically built if you execute
+ the make command.
After all components have been built you can execute the
+ command make install to install them. The binary image
+ suexec is installed in the directory defined by the
+ --sbindir option. The default location is
+ "/usr/local/apache2/bin/suexec".
Please note that you need root
+ privileges for the installation step. In order
+ for the wrapper to set the user ID, it must be installed as
+ owner root and must have the setuserid
+ execution bit set for file modes.
Although the suEXEC wrapper will check to ensure that its
+ caller is the correct user as specified with the
+ --with-suexec-caller configure
+ option, there is
+ always the possibility that a system or library call suEXEC uses
+ before this check may be exploitable on your system. To counter
+ this, and because it is best-practise in general, you should use
+ filesystem permissions to ensure that only the group httpd
+ runs as may execute suEXEC.
If for example, your web server is configured to run as:
+ ++User www +Group webgroup ++ + +
and suexec is installed at
+ "/usr/local/apache2/bin/suexec", you should run:
+ chgrp webgroup /usr/local/apache2/bin/suexec
+ chmod 4750 /usr/local/apache2/bin/suexec
+
This will ensure that only the group httpd runs as can even + execute the suEXEC wrapper.
+Upon startup of Apache, it looks for the file +
Upon startup of httpd, it looks for the file
suexec in the directory defined by the
--sbindir option (default is
- "/usr/local/apache/sbin/suexec"). If Apache finds a properly
+ "/usr/local/apache/sbin/suexec"). If httpd finds a properly
configured suEXEC wrapper, it will print the following message
to the error log:
If you want to enable the suEXEC mechanism for the first time - and an Apache server is already running you must kill and - restart Apache. Restarting it with a simple HUP or USR1 signal + and an Apache HTTP Server is already running you must kill and + restart httpd. Restarting it with a simple HUP or USR1 signal will not be enough.
If you want to disable suEXEC you should kill and restart
- Apache after you have removed the suexec file.
suexec file.
NOTE! This section may not be complete. For the latest revision of this section of the - documentation, see the Apache Group's Online + documentation, see the Online Documentation version.
There are a few points of interest regarding @@ -560,7 +572,7 @@
For security and efficiency reasons, all suEXEC requests @@ -568,14 +580,14 @@ virtual host requests, or one top-level personal document root for userdir requests. For example, if you have four VirtualHosts configured, you would need to structure all - of your VHosts' document roots off of one main Apache + of your VHosts' document roots off of one main httpd document hierarchy to take advantage of suEXEC for VirtualHosts. (Example forthcoming.)
This can be a dangerous thing to change. Make certain @@ -587,7 +599,7 @@
Again, this can cause Big Trouble if you @@ -600,9 +612,33 @@