Suexec

From TrustixWiki



Apache Suexec

What is suexec?

suexec is a feature of the Apache web server. It has two parts: a module compiled into Trustix Apache (mod_suexec) and a setuid-root binary (/usr/sbin/suexec) that the module calls when needed. Normally any CGI script runs as the user and group defined in /etc/httpd/conf/httpd.conf, which Trustix sets to user = httpd and group = httpd.

By default with Apache, even if individuals want to run their own CGIs, those CGIs still run under the same user and group as the server. This is bad if you want your own CGI to write to a file: because every CGI runs as httpd, anyone else with an account on the system can write a CGI that reads and writes the data in your file.

With suexec, when your script runs it runs under your user id, so other users' CGIs can no longer overwrite your files. Suexec can also be very bad, because it means a CGI program can now potentially overwrite any file that you own! Caveat emptor. (Change permissions to protect files, you say? Well, a CGI running as you can run chmod too, can't it?) The suexec module is compiled into TSL Apache. If the above scares you and you want to disable suexec for now, get rid of /usr/sbin/suexec (I recommend you just rename it, for instance to "suexec.DONT_RUN", so that you can restore it later), then restart Apache. With the wrapper missing, Apache does not enable the suEXEC mechanism at startup (the "suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)" notice disappears from error_log) and CGIs run as httpd again.

But for our purposes let's assume you want to use it.

How do I use suexec on a Trustix system?

There are 20 requirements for suexec to work. (Yes, really, 20.) The complete list is the "suEXEC Security Model" section of the Apache suEXEC documentation (http://httpd.apache.org/docs/2.0/suexec.html). It took me about 4 hours to sort it out. Unfortunately, until you meet those requirements, the error messages are not very helpful. In the log file you will typically see an error claiming that you don't have ExecCGI set, even though you very clearly do! Once you get past that, you will see the dreaded "Premature end of script headers" message in error_log. The reason a suexec check actually failed is written to the separate suexec log (see Troubleshooting below), not to error_log.

What triggers suexec in the first place is either a UserDir directive or a SuexecUserGroup directive in your Apache configuration file.

UserDir directive

Get user directories going. Uncomment the line "UserDir public_html" in /etc/httpd/httpd.conf and the <Directory> section following it. Create a public_html directory in your home directory. Restart Apache ("apachectl restart"). You have now enabled personal web pages. To access yours, use a URL of the form http://localhost/~login/, where localhost is your host name and login is your account name.

Next add the AddHandler and ExecCGI directives

If you want to live life on the dangerous side, just uncomment the line "AddHandler cgi-script .cgi" and add the ExecCGI option to the Options line in the UserDir <Directory> section. This enables CGI for every user's public_html at once. For example:

<Directory /home/*/public_html>
   AllowOverride FileInfo AuthConfig Limit
   Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec ExecCGI
   <Limit GET POST OPTIONS PROPFIND>
       Order allow,deny
       Allow from all
   </Limit>
   <LimitExcept GET POST OPTIONS PROPFIND>
       Order deny,allow
       Deny from all
   </LimitExcept>
</Directory>

For a bit more security you can set up separate <Directory> entries in httpd.conf, to allow scripts only for the individual who wants to use them. Once you have done this, restart Apache again.

Create a test CGI in the public_html directory of the user

The script needs a #! line with an absolute path to its interpreter (suexec runs it with execv, which does not fall back to /bin/sh), and it must be owned by your own user and primary group and not be writable by anyone else. For instance (login:group is your account name and primary group):
 cd ~/public_html
 cat > test.cgi
 #!/bin/sh
 echo "Content-Type: text/plain"
 echo ""
 date
 whoami
 ^D
 chmod 755 test.cgi
 chown login:group test.cgi

If everything works correctly, you should be able to access http://localhost/~login/test.cgi and see the date and the name of your user in the browser window.

SuexecUserGroup directive

The SuexecUserGroup directive works with Apache virtual hosts. ADD MORE NOTES HERE!
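The following virtual host is an added example and is not part of the original page or of the Apache documentation; the host name www.example.com, the user and group alice, the log file name and the paths under /home/httpd are assumptions chosen to match the AP_DOC_ROOT value shown in the Troubleshooting section. Every CGI that this host runs is executed by suexec as alice:alice instead of httpd:httpd.

```apache
# Added example: one virtual host whose CGIs run as "alice"/"alice".
# The CGI directory lies under /home/httpd because suexec only runs
# virtual-host scripts that live below its compiled-in AP_DOC_ROOT.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot /home/httpd/www.example.com/html

    # user and group that suexec switches to for this host's CGIs;
    # both must have ids of at least AP_UID_MIN / AP_GID_MIN (100 here)
    SuexecUserGroup alice alice

    ScriptAlias /cgi-bin/ /home/httpd/www.example.com/cgi-bin/
    <Directory /home/httpd/www.example.com/cgi-bin>
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/httpd/www.example.com-error_log
</VirtualHost>
```

The cgi-bin directory and every script in it must be owned by alice:alice and must not be writable by group or other, exactly as for the UserDir case; if any of those conditions is missed, the failure is recorded in the suexec log rather than in the host's ErrorLog.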

Troubleshooting

There are settings compiled into the suexec binary. Running it with the -V option will show you what they are. Currently (TSL 2.2 / Apache 2.0.54) you will see this output:

-D AP_DOC_ROOT="/home/httpd"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="httpd"
-D AP_LOG_EXEC="/var/log/httpd/suexec_log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=100
-D AP_USERDIR_SUFFIX="public_html"

Check the CGI script against those values. The script and the directory containing it must both be owned by your user and your primary group as listed in /etc/passwd, neither may be writable by group or other, and the script must not be setuid or setgid. Your uid and gid must be at least AP_UID_MIN and AP_GID_MIN (100 here; suexec also refuses uid or gid 0). Under UserDir the script must live below ~login/AP_USERDIR_SUFFIX (public_html); under a virtual host it must live below AP_DOC_ROOT (/home/httpd). suexec clears the environment and sets PATH to AP_SAFE_PATH, so any command the script calls by name (date and whoami in the example above) must be found in /usr/local/bin, /usr/bin or /bin, and the interpreter on the #! line should be given as an absolute path. The wrapper itself must be owned by root, setuid root and executable only by the httpd group ("ls -l /usr/sbin/suexec" should show -rws--x--- root httpd). Whenever one of these checks fails, suexec writes the reason to AP_LOG_EXEC (/var/log/httpd/suexec_log), so look there before error_log.
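The script below is an added example, not part of the Trustix page or of Apache; it applies the ownership and permission rules behind the suexec -V values above to a CGI script before you hit it through the browser, so the failing rule is named instead of a bare "Premature end of script headers". It assumes GNU coreutils stat (Linux) and the default minimums of 100; the path checks against AP_DOC_ROOT and ~login/public_html are left to suexec itself.

```shell
#!/bin/sh
# Added example: pre-flight check mirroring suexec's ownership/permission rules.
# Assumes GNU stat. Usage: suexec_precheck <script> <user> [uid_min] [gid_min]
suexec_precheck() {
    script=$1
    user=$2
    uid_min=${3:-100}   # AP_UID_MIN from "suexec -V"
    gid_min=${4:-100}   # AP_GID_MIN from "suexec -V"

    if [ ! -f "$script" ]; then
        echo "FAIL: $script is not a regular file"; return 1
    fi
    dir=$(dirname "$script")

    # Both the script and its directory must belong to the target user.
    for p in "$script" "$dir"; do
        owner=$(stat -c %U "$p")
        if [ "$owner" != "$user" ]; then
            echo "FAIL: $p is owned by $owner, expected $user"; return 1
        fi
    done

    # uid/gid must reach the compiled-in minimum; suexec also refuses 0.
    uid=$(stat -c %u "$script")
    gid=$(stat -c %g "$script")
    if [ "$uid" -eq 0 ] || [ "$uid" -lt "$uid_min" ]; then
        echo "FAIL: uid $uid is root or below AP_UID_MIN=$uid_min"; return 1
    fi
    if [ "$gid" -eq 0 ] || [ "$gid" -lt "$gid_min" ]; then
        echo "FAIL: gid $gid is root group or below AP_GID_MIN=$gid_min"; return 1
    fi

    # No setuid/setgid bit on the script (stat %a prints e.g. 4755 for setuid).
    mode=$(stat -c %a "$script")
    case "$mode" in
        [234567]???) echo "FAIL: $script has setuid/setgid bit set ($mode)"; return 1 ;;
    esac

    # Neither the script nor its directory may be writable by group or other.
    for p in "$script" "$dir"; do
        m=$(stat -c %a "$p")
        perms=${m#"${m%???}"}        # keep only the last three octal digits
        case "$perms" in
            ?[2367]?|??[2367]) echo "FAIL: $p is writable by group or other ($m)"; return 1 ;;
        esac
    done

    # suexec resets PATH to AP_SAFE_PATH and runs the script with execv, so the
    # #! interpreter has to be an absolute, executable path.
    interp=$(head -n 1 "$script" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p')
    if [ -n "$interp" ]; then
        case "$interp" in
            /*) if [ ! -x "$interp" ]; then
                    echo "FAIL: interpreter $interp is not executable"; return 1
                fi ;;
            *)  echo "FAIL: interpreter $interp is not an absolute path"; return 1 ;;
        esac
    fi

    echo "OK: $script passes the suexec ownership and permission checks"
    return 0
}

# Typical call for the UserDir case:  suexec_precheck ~/public_html/test.cgi "$(id -un)"
```

Run it as the account that owns the script, passing the uid and gid minimums from your own suexec -V output if they differ from 100; a failing check prints the same condition that suexec_log would record after the request.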
