Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: How to use Suexec with Apache2 ?
Top Forums UNIX for Dummies Questions & Answers How to use Suexec with Apache2 ? Post 302161951 by kernings on Sunday 27th of January 2008 04:56:37 AM
Old 01-27-2008
How to use Suexec with Apache2 ?
Hello guys

I'm trying to use Suexec in my computer. I've installed apache with default settings (so Suexec is installed with my emerge Apache , Gentoo) .

My settings on /etc/conf.d/apache2
Code:
# SUEXEC Enables running CGI scripts (in USERDIR) through suexec.
# USERDIR Enables /~username mapping to /home/username/public_html
#
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D SUEXEC -D PHP5 -D USERDIR "

When I'm restarting my apache, I've the correct line on my log who indicate Suexec is running well :
Code:
[Sat Jan 26 15:33:39 2008] [notice] Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7i PHP/5.2.5-pl0-gentoo configur$
[Sat Jan 26 15:41:44 2008] [notice] caught SIGTERM, shutting down
[Sat Jan 26 15:41:46 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Jan 26 15:41:47 2008] [notice] Digest: generating secret for digest authentication ...
[Sat Jan 26 15:41:47 2008] [notice] Digest: done

I create an user
/usr/sbin/useradd evolv -m -s /bin/bash

In /var/www/evolv/public_html folder, I create php file with :
"<?php echo "user: ".exec('whoami');?>"

My vhost below :
Code:
<VirtualHost *:80>
ServerAdmin webmaster@evolv.com
DocumentRoot /var/www/evolv/public_html
ServerName www.evolv.com
ServerAlias evolv.com
SuexecUserGroup evolv evolv
CustomLog /var/log/apache2/evolv-web-access_log combined
ErrorLog /var/log/apache2/evolv-web-error_log
<Directory />
AllowOverride All
Options FollowSymLinks -Indexes Includes ExecCGI
</Directory>
</VirtualHost>

Code:
# suexec -V
-D AP_DOC_ROOT="/var/www"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/apache2/suexec_log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_SUEXEC_UMASK=077
-D AP_UID_MIN=1000
-D AP_USERDIR_SUFFIX="public_html"

SuexecUserGroup is well using because, if I changed anything in this line, I have an error when I'm restarting apache. So, no error on apache restart, but always : "user: apache"! What's wrong ?

Sorry for my poor english Smilie , I'm french!

Thanks all
Bye
 

8 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Suexec solution

guys here's a section of my program written in perl. This part is used to create directories with 777 mode. Now i know about 777 being a security hole. Could anyone provide me a possible solution to this using suexec????????? Segment system mkdir ".$file_folder", 0777 or die "Can't make... (13 Replies)
Discussion started by: the_last_rites
13 Replies

2. UNIX for Advanced & Expert Users

apache suexec

I compiled apache 1.3.33 with suexec support like ./configure \ "--with-layout=Apache" \ "--prefix=/usr/local/apache" \ "--enable-module=ssl" \ "--activate-module=src/modules/php4/libphp4.a" \ "--activate-module=src/modules/perl/libperl.a" \ "--enable-module=perl" \ "--enable-module=most"... (0 Replies)
Discussion started by: hassan1
0 Replies

3. SuSE

apache2 ldap

I am using apache2-2.0.49-27.8 supply with suse Enterprise 9 CD, the installation went fine. But am tring to configure apache2 to authenticate to LDAP, so added "ldap" to /etc/sysconfig/apache2 APACHE_MODULE="ldap" and the to /etc/apache2/httpd.conf LDAPSharedCacheSize 200000 ... (0 Replies)
Discussion started by: hassan1
0 Replies

4. UNIX for Advanced & Expert Users

suexec problem

Hi all, I am trying to setup apache w/ suexec to avoid permission problems w/ apache user and website user and also to be able to run a second (test) domain on the same server. So far I got fcgi w/o suexec running perfectly (logs confirm that). But as soon as I enable the suexec statement in the... (0 Replies)
Discussion started by: harrstar
0 Replies

5. IP Networking

Using SSL in Apache2

I am running apache2 in my local network and I am learning about the ssl. I found this document. It tell me to run the following command (down) in order to generate SSL certificate: apache2-ssl-certificate However when I run the command I get the message that there is no such command. I... (6 Replies)
Discussion started by: programAngel
6 Replies

6. Ubuntu

can't enable ssl in apache2 "Apache2 + openssl"

I have running apache2 and I want to enable ssl in my server for that I compile openssl without errorshttp://ubuntuforums.org/images/smilies/icon_lol.gif But when i start Apache it gives following error,,,,,,,http://ubuntuforums.org/images/smilies/confused.gif Code: ... (1 Reply)
Discussion started by: charith
1 Replies

7. Web Development

Apache2 Crashes

The Apache server suddenly stops. I am running Debian Jessie Here are some diagnostics: root@meow:/var/www# apachectl configtest AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress... (4 Replies)
Discussion started by: Meow613
4 Replies

8. Shell Programming and Scripting

SUEXEC with passwordless option

Hi, I am using the below command in suexec -u webuser /local/Tomcat7//0/tc7u/tomcat7.sh status But it prompts for the password of executing user. Let me know if any options available for passwordless or supplying password in script. (0 Replies)
Discussion started by: pravinbtech
0 Replies

LEARN ABOUT DEBIAN

gsexec

GSEXEC(8)							  GridSite Manual							 GSEXEC(8)

NAME

       gsexec - Switch user before executing external programs

SYNOPSIS

       gsexec [-V]

SUMMARY

       gsexec  is used by the Apache HTTP Server to switch to another user before executing CGI programs. In order to achieve this, it must run as
       root.  Since the HTTP daemon normally doesn't run as root, the gsexec executable needs the setuid bit set and must be  owned  by  root.	It
       should never be writable for any other person than root.

       gsexec  is  based  on Apache's suexec, and its behaviour is controlled with the Apache configuration file directives GridSiteExecMethod and
       GridSiteUserGroup added to Apache by mod_gridsite(8) Four execution methods are supported: nosetuid,  suexec,  X509DN  and  directory,  and
       these may be set on a per-directory basis within the Apache configuration file.

NOSETUID METHOD

       This is the default behaviour, but can also be produced by giving GridSiteExecMethod nosetuid

       CGI  programs will then be executed without using gsexec, and will run as the Unix user given by the User and Group Apache directives (nor-
       mally apache.apache on Red Hat derived systems.)

SUEXEC METHOD

       If GridSiteExecMethod suexec is given for this virtual host or directory, then CGI programs will be executed using the user and group given
       by  the	GridSiteUserGroup  user  group directive, which may also be set on a per-directory basis (unlike suexec's SuexecUserGroup which is
       per-server only.) The CGI program must either be owned by root, the  Apache  user  and  group  specified  at  gsexec  build-time  (normally
       apache.apache) or by the user and group given with the GridSiteUserGroup directive.

X509DN METHOD
       If  GridSiteExecMethod  X509DN is given, then the CGI program runs as a pool user, detemined using lock files in the exec mapping directory
       chosen as build time of gsexec.	The pool user is chosen according to the client's full certificate X.509 DN  (ie  with	any  trailing  GSI
       proxy  name  components stripped off.) Subsequent requests by the same X.509 identity will be mapped to the same pool user. The CGI program
       must either be owned by root, the Apache user and group specified at gsexec  build-time	(normally  apache.apache)  or  by  the	pool  user
       selected.

DIRECTORY METHOD

       If  GridSiteExecMethod  directory  is given, then the CGI program runs as a pool user chosen according to the directory in which the CGI is
       located: all CGIs in that directory run as the same pool user. The CGI program must either be owned by root,  the  Apache  user	and  group
       specified at gsexec build-time (normally apache.apache) or by the pool user selected.

EXECMAPDIR

       The default exec mapping directory is /var/www/execmapdir and this is fixed when the gsexec executable is built. The exec mapping directory
       and all of its lock files must be owned and only writable by root. To initialise the lock files, create an empty lock file  for	each  pool
       user,  with the pool username as the filename (eg user0001, user0002, ...) As the pool users are leased to X.509 identities or directories,
       they will become hard linked to lock files with the URL-encoded X.509 DN or full directory path.

       You can recycle pool users by removing the corresponding URL-encoded hard link.	stat(1) and ls(1) with option -i can be used to print  the
       inodes of lock files to match up the hard links.

       However, you must ensure that all files and processes owned by the pool user are deleted before recycling!

OPTIONS

       -V     If  you are root, this option displays the compile options of gsexec.  For security reasons all configuration options are changeable
	      only at compile time.

MORE INFORMATION

       For further information about the concepts and the security model of the original Apache suexec please refer to the suexec documentation:

       http://httpd.apache.org/docs-2.0/suexec.html

       For examples using the gsexec extensions, please see the GridSite gsexec page:

       http://www.gridsite.org/wiki/Gsexec

AUTHORS

       Apache project, for original suexec

       Andrew McNab <Andrew.McNab@manchester.ac.uk> for gsexec modifications.

       gsexec is part of GridSite: http://www.gridsite.org/

SEE ALSO

       httpd(8), suexec(8), mod_gridsite(8)

gsexec								   October 2005 							 GSEXEC(8)
All times are GMT -4. The time now is 03:09 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy