|
|
Sponsored Content
Top Forums
UNIX for Dummies Questions & Answers
Suexec solution
Post 60506 by google on Tuesday 18th of January 2005 07:14:19 AM
01-18-2005
Ok. let me first say that I really dont know much about suExec other than what I just read. However, the links that I posted provide ample information regarding compiling, testing, and using suExec. It would be much more helpful if you would post information back as you encounter issues with your installation. I think then you may get a better experience from this message board 
(by the way, it really is a great board with lots of talented individuals. Have some patience and follow a step wise approach to your problem and you will be able to overcome it) Based on that however, before anyone can really help you, you must first provide some more information. Such as:
1. What have you done so far other than write the Perl program you posted? What can you tell us about your Apache configuration?
2. Has suExec been compiled with the correct configuration options? If not, see the link that I posted above and it will provide information regarding how to configure suExec.
3. suExec works from user/group/virtual host directives that you define when you compile suExec. You must have compiled these options into your suExec binary.
Note about compiling
Testing your configuration
(by the way, it really is a great board with lots of talented individuals. Have some patience and follow a step wise approach to your problem and you will be able to overcome it) Based on that however, before anyone can really help you, you must first provide some more information. Such as:1. What have you done so far other than write the Perl program you posted? What can you tell us about your Apache configuration?
2. Has suExec been compiled with the correct configuration options? If not, see the link that I posted above and it will provide information regarding how to configure suExec.
3. suExec works from user/group/virtual host directives that you define when you compile suExec. You must have compiled these options into your suExec binary.
Note about compiling
Quote:
Because most of suexec's control parameters are defined at compile-time, the only way to change them is to recompile it. And since the wrapper works very closely with the Apache Web server -- to the point of both applications having to share some compile-time definitions -- the way to recompile suexec is to recompile all of Apache. If you've never done this before, you can see a brief treatment of the process in the Building Apache At Lightspeed appendix of this article.
Quote:
The simplest way to verify that suexec is functioning properly is to install a script that will tell you the username under which it's being invoked.
# cd /usr/local/web/apache/cgi-bin/
# cat > showuser.cgi << EOS
#!/bin/sh
echo "Content-type: text/plain"
echo ""
echo "Username="\`whoami\`
EOS
# chmod 755 showuser.cgi
# chown user1.group1 . ./showuser.cgi
(By calling it "showuser.cgi" you can copy it directly into a user's directory without having to rename it. Filename extensions on scripts in ScriptAliased directories are ignored, so it does no harm to keep the .cgi extension.)
Note that the cgi-bin/ directory isn't under the DocumentRoot, which is why the --suexec-docroot value was bumped up one level -- that way it covers both the ServerRoot (including the cgi-bin/ directory) and the DocumentRoot.
Since there are two ways in which suexec can be invoked, you should test both of them: Server-wide suexecution & User directory suexecution
# cd /usr/local/web/apache/cgi-bin/
# cat > showuser.cgi << EOS
#!/bin/sh
echo "Content-type: text/plain"
echo ""
echo "Username="\`whoami\`
EOS
# chmod 755 showuser.cgi
# chown user1.group1 . ./showuser.cgi
(By calling it "showuser.cgi" you can copy it directly into a user's directory without having to rename it. Filename extensions on scripts in ScriptAliased directories are ignored, so it does no harm to keep the .cgi extension.)
Note that the cgi-bin/ directory isn't under the DocumentRoot, which is why the --suexec-docroot value was bumped up one level -- that way it covers both the ServerRoot (including the cgi-bin/ directory) and the DocumentRoot.
Since there are two ways in which suexec can be invoked, you should test both of them: Server-wide suexecution & User directory suexecution
Last edited by google; 01-18-2005 at 08:22 AM..
|
|
4 More Discussions You Might Find Interesting
1. UNIX for Advanced & Expert Users
I compiled apache 1.3.33 with suexec support like
./configure \
"--with-layout=Apache" \
"--prefix=/usr/local/apache" \
"--enable-module=ssl" \
"--activate-module=src/modules/php4/libphp4.a" \
"--activate-module=src/modules/perl/libperl.a" \
"--enable-module=perl" \
"--enable-module=most"... (0 Replies)
Discussion started by: hassan1
0 Replies
2. UNIX for Advanced & Expert Users
Hi all,
I am trying to setup apache w/ suexec to avoid permission problems w/ apache user and website user and also to be able to run a second (test) domain on the same server.
So far I got fcgi w/o suexec running perfectly (logs confirm that). But as soon as I enable the suexec statement in the... (0 Replies)
Discussion started by: harrstar
0 Replies
3. UNIX for Dummies Questions & Answers
Hello guys
I'm trying to use Suexec in my computer. I've installed apache with default settings (so Suexec is installed with my emerge Apache , Gentoo) .
My settings on /etc/conf.d/apache2
# SUEXEC Enables running CGI scripts (in USERDIR) through suexec.
# USERDIR Enables /~username... (1 Reply)
Discussion started by: kernings
1 Replies
4. Shell Programming and Scripting
Hi,
I am using the below command in
suexec -u webuser /local/Tomcat7//0/tc7u/tomcat7.sh status
But it prompts for the password of executing user.
Let me know if any options available for passwordless or supplying password in script. (0 Replies)
Discussion started by: pravinbtech
0 Replies
LEARN ABOUT LINUX
mod_apparmor
MOD_APPARMOR(8) AppArmor MOD_APPARMOR(8) NAME
mod_apparmor - fine-grained AppArmor confinement for Apache DESCRIPTION
An AppArmor profile applies to an executable program; if a portion of the program needs different access permissions than other portions, the program can "change hats" via aa_change_hat(2) to a different role, also known as a subprofile. The mod_apparmor Apache module uses the aa_change_hat(2) mechanism to offer more fine-grained confinement of dynamic elements within Apache such as individual php and perl scripts, while still allowing the performance benefits of using mod_php and mod_perl. To use mod_apparmor with Apache, ensure that mod_apparmor is configured to be loaded into Apache, either via a2enmod, yast or manual editing of the apache2(8)/httpd(8) configuration files, and restart Apache. Make sure that apparmor is also functioning. Once mod_apparmor is loaded within Apache, all requests to Apache will cause mod_apparmor to attempt to change into a hat named by the URI (e.g. /app/some.cgi). If no such hat is found, it will fall back to attempting to use the hat DEFAULT_URI; if that also does not exist, it will fall back to using the global Apache profile. Most static web pages can simply make use of the DEFAULT_URI hat. Additionally, before any requests come in to Apache, mod_apparmor will attempt to change hat into the HANDLING_UNTRUSTED_INPUT hat. mod_apparmor will attempt to use this hat while Apache is doing the initial parsing of a given http request, before its given to a specific handler (like mod_php) for processing. Because defining hats for every URI/URL often becomes tedious, mod_apparmor provides the AAHatName and AADefaultHatName Apache configuration options. AAHatName AAHatName allows you to specify a hat to be used for a given Apache <Directory>, <DirectoryMatch>, <Location> or <LocationMatch> directive (see the Apache documenation for more details). Note that mod_apparmor behavior can become confused if <Directory*> and <Location*> directives are intermingled and it is recommended to use one type of directive. If the hat specified by AAHatName does not exist in the Apache profile, then it falls back to the behavior described above. AADefaultHatName AADefaultHatName allows you to specify a default hat to be used for virtual hosts and other Apache server directives, so that you can have different defaults for different virtual hosts. This can be overridden by the AAHatName directive and is checked for only if there isn't a matching AAHatName or hat named by the URI. If the AADefaultHatName hat does not exist, it falls back to the DEFAULT_URI hat if it exists (as described above). URI REQUEST SUMMARY
When profiling with mod_apparmor, it is helpful to keep the following order of operations in mind: On each URI request, mod_apparmor will first aa_change_hat(2) into ^HANDLING_UNTRUSTED_INPUT, if it exists. Then, after performing the initial parsing of the request, mod_apparmor will: 1. try to aa_change_hat(2) into a matching AAHatName hat if it exists and applies, otherwise it will 2. try to aa_change_hat(2) into the URI itself, otherwise it will 3. try to aa_change_hat(2) into an AADefaultHatName hat if it has been defined for the server/vhost, otherwise it will 4. try to aa_change_hat(2) into the DEFAULT_URI hat, if it exists, otherwise it will 5. fall back to the global Apache policy BUGS
mod_apparmor() currently only supports apache2, and has only been tested with the prefork MPM configuration -- threaded configurations of Apache may not work correctly. There are likely other bugs lurking about; if you find any, please report them at <http://https://bugs.launchpad.net/apparmor/+filebug>. SEE ALSO
apparmor(7), subdomain.conf(5), apparmor_parser(8), aa_change_hat(2) and <http://wiki.apparmor.net>. AppArmor 2.7.103 2012-06-28 MOD_APPARMOR(8)