What is suExec..??
Posted 08-12-2010 at 03:50 AM by aher.praju@yahoo.com
CGI programs are the most common way of servers to interact dynamically with users.
Abbreviation of Common Gateway Interface, a specification for transferring information between apache server and a CGI program. A CGI program is any program designed to accept and return data that conforms to the CGI specification.
If your application with CGI on your website then of course suExec be solution, provided by apache server. Apache users having the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.
suEXEC is based on a setuid "wrapper" program that is called by the main Apache web server. This wrapper is called when an HTTP request is made for a CGI or SSI program that the administrator has designated to run as a userid other than that of the main server. When such a request is made, Apache provides the suEXEC wrapper with the program's name and the user and group IDs under which the program is to execute
The wrapper will only execute if it is given the proper number of arguments. The proper argument format is known to the Apache web server. However, if suEXEC is improperly configured, it can cause any number of problems and possibly create new holes in your computer's security.
Let’s take look on Configuration of suEXEC=>
APACI's suEXEC configuration options:-
--enable-suexec:-
This option enables the suEXEC feature which is never installed or activated by default. At least one --suexec-xxxxx option has to be provided together with the --enable-suexec option to let APACI accept your request for using the suEXEC feature.
--suexec-caller=UID
The username under which Apache normally runs. This is the only user allowed to execute this program.
--suexec-docroot=DIR
Define as the DocumentRoot set for Apache. This will be the only hierarchy (aside from UserDirs) that can be used for suEXEC behavior. The default directory is the --datadir value with the suffix "/htdocs", e.g. if you configure with "--datadir=/home/apache" the directory "/home/apache/htdocs" is used as document root for the suEXEC wrapper.
--suexec-logfile=FILE
This defines the filename to which all suEXEC transactions and errors are logged (useful for auditing and debugging purposes). By default the logfile is named "suexec_log" and located in your standard logfile directory (--logfiledir).
--suexec-userdir=DIR
Define to be the subdirectory under users' home directories where suEXEC access should be allowed. All executables under this directory will be executable by suEXEC as the user so they should be "safe" programs. If you are using a "simple" UserDir directive (ie. one without a "*" in it) this should be set to the same value. suEXEC will not work properly in cases where the UserDir directive points to a location that is not the same as the user's home directory as referenced in the passwd file. Default value is "public_html".
--suexec-uidmin=UID
Define this as the lowest UID allowed to be a target user for suEXEC. For most systems, 500 or 100 is common. Default value is 100.
--suexec-gidmin=GID
Define this as the lowest GID allowed to be a target group for suEXEC. For most systems, 100 is common and therefore used as default value.
--suexec-safepath=PATH
Define a safe PATH environment to pass to CGI executables. Default value is "/usr/local/bin:/usr/bin:/bin".
Compiling and installing the suEXEC wrapper=>
If you have enabled the suEXEC feature with the --enable-suexec option the suexec binary (together with Apache itself) is automatically built if you execute the command "make".
After all components have been built you can execute the command "make install" to install them.
The binary image "suexec" is installed in the directory defined by the --sbindir option. Default location is "/usr/local/apache/sbin/suexec".
Please note that you need root privileges for the installation step. In order for the wrapper to set the user ID, it must be installed as owner root and must have the setuserid execution bit set for file modes.
Abbreviation of Common Gateway Interface, a specification for transferring information between apache server and a CGI program. A CGI program is any program designed to accept and return data that conforms to the CGI specification.
If your application with CGI on your website then of course suExec be solution, provided by apache server. Apache users having the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.
suEXEC is based on a setuid "wrapper" program that is called by the main Apache web server. This wrapper is called when an HTTP request is made for a CGI or SSI program that the administrator has designated to run as a userid other than that of the main server. When such a request is made, Apache provides the suEXEC wrapper with the program's name and the user and group IDs under which the program is to execute
The wrapper will only execute if it is given the proper number of arguments. The proper argument format is known to the Apache web server. However, if suEXEC is improperly configured, it can cause any number of problems and possibly create new holes in your computer's security.
Let’s take look on Configuration of suEXEC=>
APACI's suEXEC configuration options:-
--enable-suexec:-
This option enables the suEXEC feature which is never installed or activated by default. At least one --suexec-xxxxx option has to be provided together with the --enable-suexec option to let APACI accept your request for using the suEXEC feature.
--suexec-caller=UID
The username under which Apache normally runs. This is the only user allowed to execute this program.
--suexec-docroot=DIR
Define as the DocumentRoot set for Apache. This will be the only hierarchy (aside from UserDirs) that can be used for suEXEC behavior. The default directory is the --datadir value with the suffix "/htdocs", e.g. if you configure with "--datadir=/home/apache" the directory "/home/apache/htdocs" is used as document root for the suEXEC wrapper.
--suexec-logfile=FILE
This defines the filename to which all suEXEC transactions and errors are logged (useful for auditing and debugging purposes). By default the logfile is named "suexec_log" and located in your standard logfile directory (--logfiledir).
--suexec-userdir=DIR
Define to be the subdirectory under users' home directories where suEXEC access should be allowed. All executables under this directory will be executable by suEXEC as the user so they should be "safe" programs. If you are using a "simple" UserDir directive (ie. one without a "*" in it) this should be set to the same value. suEXEC will not work properly in cases where the UserDir directive points to a location that is not the same as the user's home directory as referenced in the passwd file. Default value is "public_html".
--suexec-uidmin=UID
Define this as the lowest UID allowed to be a target user for suEXEC. For most systems, 500 or 100 is common. Default value is 100.
--suexec-gidmin=GID
Define this as the lowest GID allowed to be a target group for suEXEC. For most systems, 100 is common and therefore used as default value.
--suexec-safepath=PATH
Define a safe PATH environment to pass to CGI executables. Default value is "/usr/local/bin:/usr/bin:/bin".
Compiling and installing the suEXEC wrapper=>
If you have enabled the suEXEC feature with the --enable-suexec option the suexec binary (together with Apache itself) is automatically built if you execute the command "make".
After all components have been built you can execute the command "make install" to install them.
The binary image "suexec" is installed in the directory defined by the --sbindir option. Default location is "/usr/local/apache/sbin/suexec".
Please note that you need root privileges for the installation step. In order for the wrapper to set the user ID, it must be installed as owner root and must have the setuserid execution bit set for file modes.
Total Comments 0
