<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
-<html><head>
-<title>Apache SetUserID Support</title>
-</head>
-
+<HTML>
+<HEAD>
+<TITLE>Apache suEXEC Support</TITLE>
+</HEAD>
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<BODY
BGCOLOR="#FFFFFF"
ALINK="#FF0000"
>
<!--#include virtual="header.html" -->
-<h1 ALIGN="CENTER">Apache suEXEC Support</h1>
-
-<hr>
-
-<h3>What is suEXEC?</h3>
-The <STRONG>suEXEC</STRONG> feature, introduced in Apache 1.2 provides
-the ability to run <STRONG>CGI</STRONG> programs under user IDs
-different from the user ID of the calling web-server. Used properly,
-this feature can reduce considerably the insecurity of allowing users to
-run CGI programs. At the same time, improperly configured, this facility
-can crash your computer, burn your house down and steal all the money
-from your retirement fund. <STRONG>:-)</STRONG> If you aren't familiar
-with managing setuid root programs and the security issues they
-present, we highly recommend that you not consider using this feature.<p>
-
-<hr>
-
-<h3>Enabling suEXEC Support</h3>
-Having said all that, enabling this feature is purposefully difficult with
-the intent that it will only be installed by users determined to use it and
-is not part of the normal install/compile process.<p>
-
-<h3>Configuring the suEXEC wrapper</h3>
-From the top-level of the Apache source tree,
-type: <STRONG><code>cd support [ENTER]</code></STRONG><p>
+
+<H1 ALIGN="CENTER">Apache suEXEC Support</H1>
+
+<P ALIGN="LEFT">
+<OL>
+ <LH><BIG><STRONG>CONTENTS</STRONG></BIG></LH>
+ <LI><A HREF="#what">What is suEXEC?</A></LI>
+ <LI><A HREF="#before">Before we begin.</A></LI>
+ <LI><A HREF="#model">suEXEC Security Model.</A></LI>
+ <LI><A HREF="#install">Configuring & Installing suEXEC</A></LI>
+ <LI><A HREF="#enable">Enabling & Disabling suEXEC</A></LI>
+ <LI><A HREF="#debug">Debugging suEXEC</A></LI>
+ <LI><A HREF="#jabberwock">Beware the Jabberwock: Warnings & Examples</A></LI>
+</OL>
+</P>
+
+<H3><A NAME="what">What is suEXEC?</A></H3>
+<P ALIGN="LEFT">
+The <STRONG>suEXEC</STRONG> feature -- introduced in Apache 1.2 -- provides
+Apache users the ability to run <STRONG>CGI</STRONG> and <STRONG>SSI</STRONG>
+programs under user IDs different from the user ID of the calling web-server.
+Normally, when a CGI or SSI program executes, it runs as the same user who is
+running the web server.
+</P>
+
+<P ALIGN="LEFT">
+Used properly, this feature can reduce considerably the security risks involved
+with allowing users to develop and run private CGI or SSI programs. However,
+if suEXEC is improperly configured, it can cause any number of problems and
+possibly create new holes in your computer's security. If you aren't familiar
+with managing setuid root programs and the security issues they present, we
+highly recommend that you not consider using suEXEC.
+</P>
+
+<P ALIGN="CENTER">
+<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
+</P>
+
+<H3><A NAME="before">Before we begin.</A></H3>
+<P ALIGN="LEFT">
+Before jumping head-first into this document, you should be aware of the
+assumptions made on the part of the Apache Group and this document.
+</P>
+
+<P ALIGN="LEFT">
+First, it is assumed that you are using a UNIX derivate operating system that
+is capable of <STRONG>setuid</STRONG> and <STRONG>setgid</STRONG> operations.
+All command examples are given in this regard. Other platforms, if they are
+capable of supporting suEXEC, may differ in their configuration.
+</P>
+
+<P ALIGN="LEFT">
+Second, it is assumed you are familiar with some basic concepts of your
+computer's security and its administration. This involves an understanding
+of <STRONG>setuid/setgid</STRONG> operations and the various effects they
+may have on your system and its level of security.
+</P>
+
+<P ALIGN="LEFT">
+Third, it is assumed that you are using an <STRONG>unmodified</STRONG>
+version of suEXEC code. All code for suEXEC has been carefully scrutinized and
+tested by the developers as well as numerous beta testers. Every precaution has
+been taken to ensure a simple yet solidly safe base of code. Altering this
+code can cause unexpected problems and new security risks. It is
+<STRONG>highly</STRONG> recommended you not alter the suEXEC code unless you
+are well versed in the particulars of security programming and are willing to
+share your work with the Apache Group for consideration.
+</P>
+
+<P ALIGN="LEFT">
+Fourth, and last, it has been the decision of the Apache Group to
+<STRONG>NOT</STRONG> make suEXEC part of the default installation of Apache.
+To this end, suEXEC configuration is a manual process requiring of the
+administrator careful attention to details. It is through this process
+that the Apache Group hopes to limit suEXEC installation only to those
+who are determined to use it.
+</P>
+
+<P ALIGN="LEFT">
+Still with us? Yes? Good. Let's move on!
+</P>
+
+<P ALIGN="CENTER">
+<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
+</P>
+
+<H3><A NAME="model">suEXEC Security Model</A></H3>
+<P ALIGN="LEFT">
+Before we begin configuring and installing suEXEC, we will first discuss
+the security model you are about to implement. By doing so, you may
+better understand what exactly is going on inside suEXEC and what precautions
+are taken to ensure your system's security.
+</P>
+
+<P ALIGN="LEFT">
+<STRONG>suEXEC</STRONG> is based on a setuid "wrapper" program that is
+called by the main Apache web server. This wrapper is called when an HTTP
+request is made for a CGI or SSI program that the administrator has designated
+to run as a userid other than that of the main server. When such a request
+is made, Apache provides the suEXEC wrapper with the program's name and the
+user and group IDs under which the program is to execute.
+</P>
+
+<P ALIGN="LEFT">
+The wrapper then employs the following process to determine success or
+failure -- if any one of these conditions fail, the program logs the failure
+and exits with an error, otherwise it will continue:
+ <OL>
+ <LI><STRONG>Was the wrapper called with the proper number of arguments?</STRONG>
+ <BLOCKQUOTE>
+ The wrapper will only execute if it is given the proper number of arguments.
+ The proper argument format is known to the Apache web server. If the wrapper
+ is not receiving the proper number of arguments, it is either being hacked, or
+ there is something wrong with the suEXEC portion of your Apache binary.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the user executing this wrapper a valid user of this system?</STRONG>
+ <BLOCKQUOTE>
+ This is to ensure that the user executing the wrapper is truly a user of the system.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is this valid user allowed to run the wrapper?</STRONG>
+ <BLOCKQUOTE>
+ Is this user the user allowed to run this wrapper? Only one user (the Apache
+ user) is allowed to execute this program.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Does the target program have an unsafe hierarchical reference?</STRONG>
+ <BLOCKQUOTE>
+ Does the target program contain a leading '/' or have a '..' backreference? These
+ are not allowed; the target program must reside within the Apache webspace.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target user name valid?</STRONG>
+ <BLOCKQUOTE>
+ Does the target user exist?
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target group name valid?</STRONG>
+ <BLOCKQUOTE>
+ Does the target group exist?
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target user <EM>NOT</EM> superuser?</STRONG>
+ <BLOCKQUOTE>
+ Presently, suEXEC does not allow 'root' to execute CGI/SSI programs.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target userid <EM>ABOVE</EM> the minimum ID number?</STRONG>
+ <BLOCKQUOTE>
+ The minimum user ID number is specified during configuration. This allows you
+ to set the lowest possible userid that will be allowed to execute CGI/SSI programs.
+ This is useful to block out "system" accounts.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target group <EM>NOT</EM> the superuser group?</STRONG>
+ <BLOCKQUOTE>
+ Presently, suEXEC does not allow the 'root' group to execute CGI/SSI programs.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target groupid <EM>ABOVE</EM> the minimum ID number?</STRONG>
+ <BLOCKQUOTE>
+ The minimum group ID number is specified during configuration. This allows you
+ to set the lowest possible groupid that will be allowed to execute CGI/SSI programs.
+ This is useful to block out "system" groups.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Can the wrapper successfully become the target user and group?</STRONG>
+ <BLOCKQUOTE>
+ Here is where the program becomes the target user and group via setuid and setgid
+ calls. The group access list is also initialized with all of the groups of which
+ the user is a member.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Does the directory in which the program resides exist?</STRONG>
+ <BLOCKQUOTE>
+ If it doesn't exist, it can't very well contain files.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the directory within the Apache webspace?</STRONG>
+ <BLOCKQUOTE>
+ If the request is for a regular portion of the server, is the requested directory
+ within the server's document root? If the request is for a UserDir, is the requested
+ directory within the user's document root?
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the directory <EM>NOT</EM> writable by anyone else?</STRONG>
+ <BLOCKQUOTE>
+ We don't want to open up the directory to others; only the owner user may be able
+ to alter this directories contents.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Does the target program exist?</STRONG>
+ <BLOCKQUOTE>
+ If it doesn't exists, it can't very well be executed.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target program <EM>NOT</EM> writable by anyone else?</STRONG>
+ <BLOCKQUOTE>
+ We don't want to give anyone other than the owner the ability to change the program.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target program <EM>NOT</EM> setuid or setgid?</STRONG>
+ <BLOCKQUOTE>
+ We do not want to execute programs that will then change our UID/GID again.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target user/group the same as the program's user/group?</STRONG>
+ <BLOCKQUOTE>
+ Is the user the owner of the file?
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Can we successfully clean the process environment to ensure safe operations?</STRONG>
+ <BLOCKQUOTE>
+ suEXEC cleans the process' environment by establishing a safe execution PATH (defined
+ during configuration), as well as only passing through those variables whose names
+ are listed in the safe environment list (also created during configuration).
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Can we successfully become the target program and execute?</STRONG>
+ <BLOCKQUOTE>
+ Here is where suEXEC ends and the target program begins.
+ </BLOCKQUOTE>
+ </LI>
+ </OL>
+</P>
+
+<P ALIGN="LEFT">
+This is the standard operation of the the suEXEC wrapper's security model.
+It is somewhat stringent and can impose new limitations and guidelines for
+CGI/SSI design, but it was developed carefully step-by-step with security
+in mind.
+</P>
+
+<P ALIGN="LEFT">
+For more information as to how this security model can limit your possibilities
+in regards to server configuration, as well as what security risks can be avoided
+with a proper suEXEC setup, see the <A HREF="#beware">"Beware the Jabberwock"</A>
+section of this document.
+</P>
+
+<P ALIGN="CENTER">
+<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
+</P>
+
+<H3><A NAME="install">Configuring & Installing suEXEC</A></H3>
+<P ALIGN="LEFT">
+Here's where we begin the fun. The configuration and installation of suEXEC is
+a four step process: edit the suEXEC header file, compile suEXEC, place the
+suEXEC binary in its proper location, and configure Apache for use with suEXEC.
+</P>
+
+<P ALIGN="LEFT">
+<STRONG>EDITING THE SUEXEC HEADER FILE</STRONG><BR>
+- From the top-level of the Apache source tree, type:
+<STRONG><code>cd support [ENTER]</code></STRONG>
+</P>
+
+<P ALIGN="LEFT">
Edit the <code>suexec.h</code> file and change the following macros to
-match your local Apache installation.<p>
+match your local Apache installation.
+</P>
+
+<P ALIGN="LEFT">
<EM>From support/suexec.h</EM>
-<pre>
-/*
- * HTTPD_USER -- Define as the username under which Apache normally
- * runs. This is the only user allowed to execute
- * this program.
- */
-#define HTTPD_USER "www"
-
-/*
- * LOG_EXEC -- Define this as a filename if you want all suEXEC
- * transactions and errors logged for auditing and
- * debugging purposes.
- */
-#define LOG_EXEC "/usr/local/etc/httpd/logs/cgi.log"
-
-/*
- * DOC_ROOT -- Define as the DocumentRoot set for Apache. This
- * will be the only hierarchy (aside from UserDirs)
- * that can be used for suEXEC behavior.
- */
-#define DOC_ROOT "/usr/local/etc/httpd/htdocs"
-
-/*
- * SAFE_PATH -- Define a safe PATH environment to pass to CGI executables.
- *
- */
-#define SAFE_PATH "/usr/local/bin:/usr/bin:/bin"
-</pre>
-
-<h3>Compiling the suEXEC wrapper</h3>
-At the shell command prompt, type: <STRONG><code>cc suexec.c
--o suexec [ENTER]</code></STRONG>.<p>
+<PRE>
+ /*
+ * HTTPD_USER -- Define as the username under which Apache normally
+ * runs. This is the only user allowed to execute
+ * this program.
+ */
+ #define HTTPD_USER "www"
+
+ /*
+ * UID_MIN -- Define this as the lowest UID allowed to be a target user
+ * for suEXEC. For most systems, 500 or 100 is common.
+ */
+ #define UID_MIN 100
+
+ /*
+ * GID_MIN -- Define this as the lowest GID allowed to be a target group
+ * for suEXEC. For most systems, 100 is common.
+ */
+ #define GID_MIN 100
+
+ /*
+ * USERDIR_SUFFIX -- Define to be the subdirectory under users'
+ * home directories where suEXEC access should
+ * be allowed. All executables under this directory
+ * will be executable by suEXEC as the user so
+ * they should be "safe" programs. If you are
+ * using a "simple" UserDir directive (ie. one
+ * without a "*" in it) this should be set to
+ * the same value. suEXEC will not work properly
+ * in cases where the UserDir directive points to
+ * a location that is not the same as the user's
+ * home directory as referenced in the passwd file.
+ *
+ * If you have VirtualHosts with a different
+ * UserDir for each, you will need to define them to
+ * all reside in one parent directory; then name that
+ * parent directory here. IF THIS IS NOT DEFINED
+ * PROPERLY, ~USERDIR CGI REQUESTS WILL NOT WORK!
+ * See the suEXEC documentation for more detailed
+ * information.
+ */
+ #define USERDIR_SUFFIX "public_html"
+
+ /*
+ * LOG_EXEC -- Define this as a filename if you want all suEXEC
+ * transactions and errors logged for auditing and
+ * debugging purposes.
+ */
+ #define LOG_EXEC "/usr/local/etc/httpd/logs/cgi.log" /* Need me? */
+
+ /*
+ * DOC_ROOT -- Define as the DocumentRoot set for Apache. This
+ * will be the only hierarchy (aside from UserDirs)
+ * that can be used for suEXEC behavior.
+ */
+ #define DOC_ROOT "/usr/local/etc/httpd/htdocs"
+
+ /*
+ * SAFE_PATH -- Define a safe PATH environment to pass to CGI executables.
+ *
+ */
+ #define SAFE_PATH "/usr/local/bin:/usr/bin:/bin"
+</PRE>
+</P>
+
+<P ALIGN="LEFT">
+<STRONG>COMPILING THE SUEXEC WRAPPER</STRONG><BR>
+You now need to compile the suEXEC wrapper. At the shell command prompt,
+type: <STRONG><CODE>cc suexec.c -o suexec [ENTER]</CODE></STRONG>.
This should create the <STRONG><em>suexec</em></STRONG> wrapper executable.
+</P>
-<h3>Compiling Apache for suEXEC support</h3>
+<P ALIGN="LEFT">
+<STRONG>COMPILING APACHE FOR USE WITH SUEXEC</STRONG><BR>
By default, Apache is compiled to look for the suEXEC wrapper in the following
-location.<p>
+location.
+</P>
+
+<P ALIGN="LEFT">
<EM>From src/httpd.h</EM>
-<pre>
-/* The path to the suEXEC wrapper */
-#ifndef SUEXEC_BIN
-#define SUEXEC_BIN "/usr/local/etc/httpd/sbin/suexec"
-#endif
-</pre>
-<p>
+<PRE>
+ /* The path to the suEXEC wrapper */
+ #define SUEXEC_BIN "/usr/local/etc/httpd/sbin/suexec"
+</PRE>
+</P>
+
+<P ALIGN="LEFT">
If your installation requires location of the wrapper program in a different
directory, edit src/httpd.h and recompile your Apache server.
-See <a href="install.html">Compiling and Installing Apache</a> for more
-info on this process.<p>
+See <A HREF="install.html">Compiling and Installing Apache</A> for more
+info on this process.
+</P>
-<h3>Installing the suEXEC wrapper</h3>
+<P ALIGN="LEFT">
+<STRONG>COPYING THE SUEXEC BINARY TO ITS PROPER LOCATION</STRONG><BR>
Copy the <STRONG><em>suexec</em></STRONG> executable created in the
-exercise above to the defined location for <STRONG>SUEXEC_BIN</STRONG>.<p>
-In order for the wrapper to set the user ID for execution requests it
-must me installed as owner <STRONG><em>root</em></STRONG> and must have
-the setuserid execution bit set for file modes.
-If you are not running a <STRONG><em>root</em></STRONG> user shell, do
-so now and execute the following commands.<p>
-
-<STRONG><code>chown root /usr/local/etc/httpd/sbin/suexec [ENTER]</code></STRONG><p>
-<STRONG><code>chmod 4711 /usr/local/etc/httpd/sbin/suexec [ENTER]</code></STRONG><p>
-
-<EM>Change the path to the suEXEC wrapper to match your system
-installation.</EM>
-
-<hr>
-
-<h3><a name="model">Security Model of suEXEC</a></h3>
-The <STRONG>suEXEC</STRONG> wrapper supplied with Apache performs the
-following security checks before it will execute any program passed to
-it for execution.
-<ol>
-<li>User executing the wrapper <STRONG>must be a valid user on this
- system</STRONG>.
-<li>User executing the wrapper <STRONG>must be the compiled in
- HTTPD_USER</STRONG>.
-<li>The command that the request wishes to execute <STRONG>must not
- contain a leading / or ../, or the string "/../" anywhere</STRONG>.
-<li>The command being executed <STRONG>must reside under the compiled in
- DOC_ROOT</STRONG>.
-<li>The current working directory <STRONG>must be a directory</STRONG>.
-<li>The current working directory <STRONG>must not be writable by
- <em>group</em> or <em>other</em></STRONG>.
-<li>The command being executed <STRONG>cannot be a symbolic link</STRONG>.
-<li>The command being executed <STRONG>cannot be writable by
- <em>group</em> or <em>other</em></STRONG>.
-<li>The command being executed <STRONG>cannot be a <em>setuid</em> or
- <em>setgid</em> program</STRONG>.
-<li>The target UID and GID <STRONG>must be a valid user and group on
- this system</STRONG>.
-<li>The target UID and GID to execute as, <STRONG>must match the UID and
- GID of the directory</STRONG>.
-<li>The target execution UID and GID <STRONG>must not be the privileged
- ID 0</STRONG>.
-</ol>
-If any of these issues are too restrictive, or do not seem restrictive
-enough, you are welcome to install your own version of the wrapper.
-We've given you the rope, now go have fun with it. <STRONG>:-)</STRONG>
-
-<hr>
-
-<h3>Using suEXEC</h3>
+exercise above to the defined location for <STRONG>SUEXEC_BIN</STRONG>.
+</P>
+
+<P ALIGN="LEFT">
+<STRONG><CODE>cp suexec /usr/local/etc/httpd/sbin/suexec [ENTER]</CODE></STRONG>
+</P>
+
+<P ALIGN="LEFT">
+In order for the wrapper to set the user ID, it must me installed as owner
+<STRONG><em>root</em></STRONG> and must have the setuserid execution bit
+set for file modes. If you are not running a <STRONG><em>root</em></STRONG>
+user shell, do so now and execute the following commands.
+</P>
+
+<P ALIGN="LEFT">
+<STRONG><CODE>chown root /usr/local/etc/httpd/sbin/suexec [ENTER]</CODE></STRONG><BR>
+<STRONG><CODE>chmod 4711 /usr/local/etc/httpd/sbin/suexec [ENTER]</CODE></STRONG>
+</P>
+
+<P ALIGN="CENTER">
+<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
+</P>
+
+<H3><A NAME="enable">Enabling & Disabling suEXEC</A></H3>
+<P ALIGN="LEFT">
After properly installing the <STRONG>suexec</STRONG> wrapper
-executable, you must kill and restart the Apache server. A simple
-<code><STRONG>kill -1 `cat httpd.pid`</STRONG></code> will not be enough.
+executable, you must kill and restart the Apache server. A simple
+<STRONG><CODE>kill -1 `cat httpd.pid`</CODE></STRONG> will not be enough.
Upon startup of the web-server, if Apache finds a properly configured
<STRONG>suexec</STRONG> wrapper, it will print the following message to
-the console:<p>
+the console:
+</P>
-<code>Configuring Apache for use with suexec wrapper.</code><p>
+<P ALIGN="LEFT">
+<CODE>Configuring Apache for use with suexec wrapper.</CODE>
+</P>
+<P ALIGN="LEFT">
If you don't see this message at server startup, the server is most
likely not finding the wrapper program where it expects it, or the
-executable is not installed <STRONG><em>setuid root</em></STRONG>. Check
-your installation and try again.<p>
+executable is not installed <STRONG><EM>setuid root</EM></STRONG>. Check
+your installation and try again.
+</P>
+<P ALIGN="LEFT">
One way to use <STRONG>suEXEC</STRONG> is through the
<a href="mod/core.html#user"><STRONG>User</STRONG></a> and
<a href="mod/core.html#group"><STRONG>Group</STRONG></a> directives in
execution to be enabled for the user and that the script must meet the
scrutiny of the <a href="#model">security checks</a> above.
-<hr>
+<P ALIGN="CENTER">
+<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
+</P>
-<h3>Debugging suEXEC</h3>
+<H3><A NAME="debug">Debugging suEXEC</A></H3>
+<P ALIGN="LEFT">
The suEXEC wrapper will write log information to the location defined in
the <code>suexec.h</code> as indicated above. If you feel you have
-configured and installed the wrapper properly,
-have a look at this log and the error_log for the server to see where
-you may have gone astray.
-<!--#include virtual="footer.html" -->
+configured and installed the wrapper properly, have a look at this log
+and the error_log for the server to see where you may have gone astray.
+</P>
+<P ALIGN="CENTER">
+<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
+</P>
+
+<H3><A NAME="jabberwock">Beware the Jabberwock: Warnings & Examples</A></H3>
+<P ALIGN="LEFT">
+<STRONG>NOTE!</STRONG> This section may not be complete. For the latest
+revision of this section of the documentation, see the Apache Group's
+<A HREF="http://www.apache.org/docs/suexec.html">Online Documentation</A>
+version.
+</P>
+
+<P ALIGN="LEFT">
+There are a few points of interest regarding the wrapper that can cause
+limitations on server setup. Please review these before submitting any
+"bugs" regarding suEXEC.
+<UL>
+ <LH><STRONG>suEXEC Points Of Interest</STRONG></LH>
+ <LI>Hierarchy limitations
+ <BLOCKQUOTE>
+ For security and efficiency reasons, all suexec requests must
+ remain within either a top-level document root for virtual
+ host requests, or one top-level personal document root for
+ userdir requests. For example, if you have four VirtualHosts
+ configured, you would need to structure all of your VHosts'
+ document roots off of one main Apache document hierarchy to
+ take advantage of suEXEC for VirtualHosts. (Example forthcoming.)
+ </BLOCKQUOTE>
+ </LI>
+ <LI>suEXEC's PATH environment variable
+ <BLOCKQUOTE>
+ This can be a dangerous thing to change. Make certain every
+ path you include in this define is a <STRONG>trusted</STRONG>
+ directory. You don't want to open people up to having someone
+ from across the world running a trojan horse on them.
+ </BLOCKQUOTE>
+ </LI>
+ <LI>Altering the suEXEC code
+ <BLOCKQUOTE>
+ Again, this can cause <STRONG>Big Trouble</STRONG> if you try
+ this without knowing what you are doing. Stay away from it
+ if at all possible.
+ </BLOCKQUOTE>
+ </LI>
+</UL>
+
+<P ALIGN="CENTER">
+<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
+</P>
+
+<!--#include virtual="footer.html" -->
</BODY>
</HTML>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
-<html><head>
-<title>Apache SetUserID Support</title>
-</head>
-
+<HTML>
+<HEAD>
+<TITLE>Apache suEXEC Support</TITLE>
+</HEAD>
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<BODY
BGCOLOR="#FFFFFF"
ALINK="#FF0000"
>
<!--#include virtual="header.html" -->
-<h1 ALIGN="CENTER">Apache suEXEC Support</h1>
-
-<hr>
-
-<h3>What is suEXEC?</h3>
-The <STRONG>suEXEC</STRONG> feature, introduced in Apache 1.2 provides
-the ability to run <STRONG>CGI</STRONG> programs under user IDs
-different from the user ID of the calling web-server. Used properly,
-this feature can reduce considerably the insecurity of allowing users to
-run CGI programs. At the same time, improperly configured, this facility
-can crash your computer, burn your house down and steal all the money
-from your retirement fund. <STRONG>:-)</STRONG> If you aren't familiar
-with managing setuid root programs and the security issues they
-present, we highly recommend that you not consider using this feature.<p>
-
-<hr>
-
-<h3>Enabling suEXEC Support</h3>
-Having said all that, enabling this feature is purposefully difficult with
-the intent that it will only be installed by users determined to use it and
-is not part of the normal install/compile process.<p>
-
-<h3>Configuring the suEXEC wrapper</h3>
-From the top-level of the Apache source tree,
-type: <STRONG><code>cd support [ENTER]</code></STRONG><p>
+
+<H1 ALIGN="CENTER">Apache suEXEC Support</H1>
+
+<P ALIGN="LEFT">
+<OL>
+ <LH><BIG><STRONG>CONTENTS</STRONG></BIG></LH>
+ <LI><A HREF="#what">What is suEXEC?</A></LI>
+ <LI><A HREF="#before">Before we begin.</A></LI>
+ <LI><A HREF="#model">suEXEC Security Model.</A></LI>
+ <LI><A HREF="#install">Configuring & Installing suEXEC</A></LI>
+ <LI><A HREF="#enable">Enabling & Disabling suEXEC</A></LI>
+ <LI><A HREF="#debug">Debugging suEXEC</A></LI>
+ <LI><A HREF="#jabberwock">Beware the Jabberwock: Warnings & Examples</A></LI>
+</OL>
+</P>
+
+<H3><A NAME="what">What is suEXEC?</A></H3>
+<P ALIGN="LEFT">
+The <STRONG>suEXEC</STRONG> feature -- introduced in Apache 1.2 -- provides
+Apache users the ability to run <STRONG>CGI</STRONG> and <STRONG>SSI</STRONG>
+programs under user IDs different from the user ID of the calling web-server.
+Normally, when a CGI or SSI program executes, it runs as the same user who is
+running the web server.
+</P>
+
+<P ALIGN="LEFT">
+Used properly, this feature can reduce considerably the security risks involved
+with allowing users to develop and run private CGI or SSI programs. However,
+if suEXEC is improperly configured, it can cause any number of problems and
+possibly create new holes in your computer's security. If you aren't familiar
+with managing setuid root programs and the security issues they present, we
+highly recommend that you not consider using suEXEC.
+</P>
+
+<P ALIGN="CENTER">
+<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
+</P>
+
+<H3><A NAME="before">Before we begin.</A></H3>
+<P ALIGN="LEFT">
+Before jumping head-first into this document, you should be aware of the
+assumptions made on the part of the Apache Group and this document.
+</P>
+
+<P ALIGN="LEFT">
+First, it is assumed that you are using a UNIX derivate operating system that
+is capable of <STRONG>setuid</STRONG> and <STRONG>setgid</STRONG> operations.
+All command examples are given in this regard. Other platforms, if they are
+capable of supporting suEXEC, may differ in their configuration.
+</P>
+
+<P ALIGN="LEFT">
+Second, it is assumed you are familiar with some basic concepts of your
+computer's security and its administration. This involves an understanding
+of <STRONG>setuid/setgid</STRONG> operations and the various effects they
+may have on your system and its level of security.
+</P>
+
+<P ALIGN="LEFT">
+Third, it is assumed that you are using an <STRONG>unmodified</STRONG>
+version of suEXEC code. All code for suEXEC has been carefully scrutinized and
+tested by the developers as well as numerous beta testers. Every precaution has
+been taken to ensure a simple yet solidly safe base of code. Altering this
+code can cause unexpected problems and new security risks. It is
+<STRONG>highly</STRONG> recommended you not alter the suEXEC code unless you
+are well versed in the particulars of security programming and are willing to
+share your work with the Apache Group for consideration.
+</P>
+
+<P ALIGN="LEFT">
+Fourth, and last, it has been the decision of the Apache Group to
+<STRONG>NOT</STRONG> make suEXEC part of the default installation of Apache.
+To this end, suEXEC configuration is a manual process requiring of the
+administrator careful attention to details. It is through this process
+that the Apache Group hopes to limit suEXEC installation only to those
+who are determined to use it.
+</P>
+
+<P ALIGN="LEFT">
+Still with us? Yes? Good. Let's move on!
+</P>
+
+<P ALIGN="CENTER">
+<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
+</P>
+
+<H3><A NAME="model">suEXEC Security Model</A></H3>
+<P ALIGN="LEFT">
+Before we begin configuring and installing suEXEC, we will first discuss
+the security model you are about to implement. By doing so, you may
+better understand what exactly is going on inside suEXEC and what precautions
+are taken to ensure your system's security.
+</P>
+
+<P ALIGN="LEFT">
+<STRONG>suEXEC</STRONG> is based on a setuid "wrapper" program that is
+called by the main Apache web server. This wrapper is called when an HTTP
+request is made for a CGI or SSI program that the administrator has designated
+to run as a userid other than that of the main server. When such a request
+is made, Apache provides the suEXEC wrapper with the program's name and the
+user and group IDs under which the program is to execute.
+</P>
+
+<P ALIGN="LEFT">
+The wrapper then employs the following process to determine success or
+failure -- if any one of these conditions fail, the program logs the failure
+and exits with an error, otherwise it will continue:
+ <OL>
+ <LI><STRONG>Was the wrapper called with the proper number of arguments?</STRONG>
+ <BLOCKQUOTE>
+ The wrapper will only execute if it is given the proper number of arguments.
+ The proper argument format is known to the Apache web server. If the wrapper
+ is not receiving the proper number of arguments, it is either being hacked, or
+ there is something wrong with the suEXEC portion of your Apache binary.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the user executing this wrapper a valid user of this system?</STRONG>
+ <BLOCKQUOTE>
+ This is to ensure that the user executing the wrapper is truly a user of the system.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is this valid user allowed to run the wrapper?</STRONG>
+ <BLOCKQUOTE>
+ Is this user the user allowed to run this wrapper? Only one user (the Apache
+ user) is allowed to execute this program.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Does the target program have an unsafe hierarchical reference?</STRONG>
+ <BLOCKQUOTE>
+ Does the target program contain a leading '/' or have a '..' backreference? These
+ are not allowed; the target program must reside within the Apache webspace.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target user name valid?</STRONG>
+ <BLOCKQUOTE>
+ Does the target user exist?
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target group name valid?</STRONG>
+ <BLOCKQUOTE>
+ Does the target group exist?
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target user <EM>NOT</EM> superuser?</STRONG>
+ <BLOCKQUOTE>
+ Presently, suEXEC does not allow 'root' to execute CGI/SSI programs.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target userid <EM>ABOVE</EM> the minimum ID number?</STRONG>
+ <BLOCKQUOTE>
+ The minimum user ID number is specified during configuration. This allows you
+ to set the lowest possible userid that will be allowed to execute CGI/SSI programs.
+ This is useful to block out "system" accounts.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target group <EM>NOT</EM> the superuser group?</STRONG>
+ <BLOCKQUOTE>
+ Presently, suEXEC does not allow the 'root' group to execute CGI/SSI programs.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target groupid <EM>ABOVE</EM> the minimum ID number?</STRONG>
+ <BLOCKQUOTE>
+ The minimum group ID number is specified during configuration. This allows you
+ to set the lowest possible groupid that will be allowed to execute CGI/SSI programs.
+ This is useful to block out "system" groups.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Can the wrapper successfully become the target user and group?</STRONG>
+ <BLOCKQUOTE>
+ Here is where the program becomes the target user and group via setuid and setgid
+ calls. The group access list is also initialized with all of the groups of which
+ the user is a member.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Does the directory in which the program resides exist?</STRONG>
+ <BLOCKQUOTE>
+ If it doesn't exist, it can't very well contain files.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the directory within the Apache webspace?</STRONG>
+ <BLOCKQUOTE>
+ If the request is for a regular portion of the server, is the requested directory
+ within the server's document root? If the request is for a UserDir, is the requested
+ directory within the user's document root?
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the directory <EM>NOT</EM> writable by anyone else?</STRONG>
+ <BLOCKQUOTE>
+ We don't want to open up the directory to others; only the owner user may be able
+ to alter this directories contents.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Does the target program exist?</STRONG>
+ <BLOCKQUOTE>
+ If it doesn't exists, it can't very well be executed.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target program <EM>NOT</EM> writable by anyone else?</STRONG>
+ <BLOCKQUOTE>
+ We don't want to give anyone other than the owner the ability to change the program.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target program <EM>NOT</EM> setuid or setgid?</STRONG>
+ <BLOCKQUOTE>
+ We do not want to execute programs that will then change our UID/GID again.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target user/group the same as the program's user/group?</STRONG>
+ <BLOCKQUOTE>
+ Is the user the owner of the file?
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Can we successfully clean the process environment to ensure safe operations?</STRONG>
+ <BLOCKQUOTE>
+ suEXEC cleans the process' environment by establishing a safe execution PATH (defined
+ during configuration), as well as only passing through those variables whose names
+ are listed in the safe environment list (also created during configuration).
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Can we successfully become the target program and execute?</STRONG>
+ <BLOCKQUOTE>
+ Here is where suEXEC ends and the target program begins.
+ </BLOCKQUOTE>
+ </LI>
+ </OL>
+</P>
+
+<P ALIGN="LEFT">
+This is the standard operation of the the suEXEC wrapper's security model.
+It is somewhat stringent and can impose new limitations and guidelines for
+CGI/SSI design, but it was developed carefully step-by-step with security
+in mind.
+</P>
+
+<P ALIGN="LEFT">
+For more information as to how this security model can limit your possibilities
+in regards to server configuration, as well as what security risks can be avoided
+with a proper suEXEC setup, see the <A HREF="#beware">"Beware the Jabberwock"</A>
+section of this document.
+</P>
+
+<P ALIGN="CENTER">
+<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
+</P>
+
+<H3><A NAME="install">Configuring & Installing suEXEC</A></H3>
+<P ALIGN="LEFT">
+Here's where we begin the fun. The configuration and installation of suEXEC is
+a four step process: edit the suEXEC header file, compile suEXEC, place the
+suEXEC binary in its proper location, and configure Apache for use with suEXEC.
+</P>
+
+<P ALIGN="LEFT">
+<STRONG>EDITING THE SUEXEC HEADER FILE</STRONG><BR>
+- From the top-level of the Apache source tree, type:
+<STRONG><code>cd support [ENTER]</code></STRONG>
+</P>
+
+<P ALIGN="LEFT">
Edit the <code>suexec.h</code> file and change the following macros to
-match your local Apache installation.<p>
+match your local Apache installation.
+</P>
+
+<P ALIGN="LEFT">
<EM>From support/suexec.h</EM>
-<pre>
-/*
- * HTTPD_USER -- Define as the username under which Apache normally
- * runs. This is the only user allowed to execute
- * this program.
- */
-#define HTTPD_USER "www"
-
-/*
- * LOG_EXEC -- Define this as a filename if you want all suEXEC
- * transactions and errors logged for auditing and
- * debugging purposes.
- */
-#define LOG_EXEC "/usr/local/etc/httpd/logs/cgi.log"
-
-/*
- * DOC_ROOT -- Define as the DocumentRoot set for Apache. This
- * will be the only hierarchy (aside from UserDirs)
- * that can be used for suEXEC behavior.
- */
-#define DOC_ROOT "/usr/local/etc/httpd/htdocs"
-
-/*
- * SAFE_PATH -- Define a safe PATH environment to pass to CGI executables.
- *
- */
-#define SAFE_PATH "/usr/local/bin:/usr/bin:/bin"
-</pre>
-
-<h3>Compiling the suEXEC wrapper</h3>
-At the shell command prompt, type: <STRONG><code>cc suexec.c
--o suexec [ENTER]</code></STRONG>.<p>
+<PRE>
+ /*
+ * HTTPD_USER -- Define as the username under which Apache normally
+ * runs. This is the only user allowed to execute
+ * this program.
+ */
+ #define HTTPD_USER "www"
+
+ /*
+ * UID_MIN -- Define this as the lowest UID allowed to be a target user
+ * for suEXEC. For most systems, 500 or 100 is common.
+ */
+ #define UID_MIN 100
+
+ /*
+ * GID_MIN -- Define this as the lowest GID allowed to be a target group
+ * for suEXEC. For most systems, 100 is common.
+ */
+ #define GID_MIN 100
+
+ /*
+ * USERDIR_SUFFIX -- Define to be the subdirectory under users'
+ * home directories where suEXEC access should
+ * be allowed. All executables under this directory
+ * will be executable by suEXEC as the user so
+ * they should be "safe" programs. If you are
+ * using a "simple" UserDir directive (ie. one
+ * without a "*" in it) this should be set to
+ * the same value. suEXEC will not work properly
+ * in cases where the UserDir directive points to
+ * a location that is not the same as the user's
+ * home directory as referenced in the passwd file.
+ *
+ * If you have VirtualHosts with a different
+ * UserDir for each, you will need to define them to
+ * all reside in one parent directory; then name that
+ * parent directory here. IF THIS IS NOT DEFINED
+ * PROPERLY, ~USERDIR CGI REQUESTS WILL NOT WORK!
+ * See the suEXEC documentation for more detailed
+ * information.
+ */
+ #define USERDIR_SUFFIX "public_html"
+
+ /*
+ * LOG_EXEC -- Define this as a filename if you want all suEXEC
+ * transactions and errors logged for auditing and
+ * debugging purposes.
+ */
+ #define LOG_EXEC "/usr/local/etc/httpd/logs/cgi.log" /* Need me? */
+
+ /*
+ * DOC_ROOT -- Define as the DocumentRoot set for Apache. This
+ * will be the only hierarchy (aside from UserDirs)
+ * that can be used for suEXEC behavior.
+ */
+ #define DOC_ROOT "/usr/local/etc/httpd/htdocs"
+
+ /*
+ * SAFE_PATH -- Define a safe PATH environment to pass to CGI executables.
+ *
+ */
+ #define SAFE_PATH "/usr/local/bin:/usr/bin:/bin"
+</PRE>
+</P>
+
+<P ALIGN="LEFT">
+<STRONG>COMPILING THE SUEXEC WRAPPER</STRONG><BR>
+You now need to compile the suEXEC wrapper. At the shell command prompt,
+type: <STRONG><CODE>cc suexec.c -o suexec [ENTER]</CODE></STRONG>.
This should create the <STRONG><em>suexec</em></STRONG> wrapper executable.
+</P>
-<h3>Compiling Apache for suEXEC support</h3>
+<P ALIGN="LEFT">
+<STRONG>COMPILING APACHE FOR USE WITH SUEXEC</STRONG><BR>
By default, Apache is compiled to look for the suEXEC wrapper in the following
-location.<p>
+location.
+</P>
+
+<P ALIGN="LEFT">
<EM>From src/httpd.h</EM>
-<pre>
-/* The path to the suEXEC wrapper */
-#ifndef SUEXEC_BIN
-#define SUEXEC_BIN "/usr/local/etc/httpd/sbin/suexec"
-#endif
-</pre>
-<p>
+<PRE>
+ /* The path to the suEXEC wrapper */
+ #define SUEXEC_BIN "/usr/local/etc/httpd/sbin/suexec"
+</PRE>
+</P>
+
+<P ALIGN="LEFT">
If your installation requires location of the wrapper program in a different
directory, edit src/httpd.h and recompile your Apache server.
-See <a href="install.html">Compiling and Installing Apache</a> for more
-info on this process.<p>
+See <A HREF="install.html">Compiling and Installing Apache</A> for more
+info on this process.
+</P>
-<h3>Installing the suEXEC wrapper</h3>
+<P ALIGN="LEFT">
+<STRONG>COPYING THE SUEXEC BINARY TO ITS PROPER LOCATION</STRONG><BR>
Copy the <STRONG><em>suexec</em></STRONG> executable created in the
-exercise above to the defined location for <STRONG>SUEXEC_BIN</STRONG>.<p>
-In order for the wrapper to set the user ID for execution requests it
-must me installed as owner <STRONG><em>root</em></STRONG> and must have
-the setuserid execution bit set for file modes.
-If you are not running a <STRONG><em>root</em></STRONG> user shell, do
-so now and execute the following commands.<p>
-
-<STRONG><code>chown root /usr/local/etc/httpd/sbin/suexec [ENTER]</code></STRONG><p>
-<STRONG><code>chmod 4711 /usr/local/etc/httpd/sbin/suexec [ENTER]</code></STRONG><p>
-
-<EM>Change the path to the suEXEC wrapper to match your system
-installation.</EM>
-
-<hr>
-
-<h3><a name="model">Security Model of suEXEC</a></h3>
-The <STRONG>suEXEC</STRONG> wrapper supplied with Apache performs the
-following security checks before it will execute any program passed to
-it for execution.
-<ol>
-<li>User executing the wrapper <STRONG>must be a valid user on this
- system</STRONG>.
-<li>User executing the wrapper <STRONG>must be the compiled in
- HTTPD_USER</STRONG>.
-<li>The command that the request wishes to execute <STRONG>must not
- contain a leading / or ../, or the string "/../" anywhere</STRONG>.
-<li>The command being executed <STRONG>must reside under the compiled in
- DOC_ROOT</STRONG>.
-<li>The current working directory <STRONG>must be a directory</STRONG>.
-<li>The current working directory <STRONG>must not be writable by
- <em>group</em> or <em>other</em></STRONG>.
-<li>The command being executed <STRONG>cannot be a symbolic link</STRONG>.
-<li>The command being executed <STRONG>cannot be writable by
- <em>group</em> or <em>other</em></STRONG>.
-<li>The command being executed <STRONG>cannot be a <em>setuid</em> or
- <em>setgid</em> program</STRONG>.
-<li>The target UID and GID <STRONG>must be a valid user and group on
- this system</STRONG>.
-<li>The target UID and GID to execute as, <STRONG>must match the UID and
- GID of the directory</STRONG>.
-<li>The target execution UID and GID <STRONG>must not be the privileged
- ID 0</STRONG>.
-</ol>
-If any of these issues are too restrictive, or do not seem restrictive
-enough, you are welcome to install your own version of the wrapper.
-We've given you the rope, now go have fun with it. <STRONG>:-)</STRONG>
-
-<hr>
-
-<h3>Using suEXEC</h3>
+exercise above to the defined location for <STRONG>SUEXEC_BIN</STRONG>.
+</P>
+
+<P ALIGN="LEFT">
+<STRONG><CODE>cp suexec /usr/local/etc/httpd/sbin/suexec [ENTER]</CODE></STRONG>
+</P>
+
+<P ALIGN="LEFT">
+In order for the wrapper to set the user ID, it must me installed as owner
+<STRONG><em>root</em></STRONG> and must have the setuserid execution bit
+set for file modes. If you are not running a <STRONG><em>root</em></STRONG>
+user shell, do so now and execute the following commands.
+</P>
+
+<P ALIGN="LEFT">
+<STRONG><CODE>chown root /usr/local/etc/httpd/sbin/suexec [ENTER]</CODE></STRONG><BR>
+<STRONG><CODE>chmod 4711 /usr/local/etc/httpd/sbin/suexec [ENTER]</CODE></STRONG>
+</P>
+
+<P ALIGN="CENTER">
+<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
+</P>
+
+<H3><A NAME="enable">Enabling & Disabling suEXEC</A></H3>
+<P ALIGN="LEFT">
After properly installing the <STRONG>suexec</STRONG> wrapper
-executable, you must kill and restart the Apache server. A simple
-<code><STRONG>kill -1 `cat httpd.pid`</STRONG></code> will not be enough.
+executable, you must kill and restart the Apache server. A simple
+<STRONG><CODE>kill -1 `cat httpd.pid`</CODE></STRONG> will not be enough.
Upon startup of the web-server, if Apache finds a properly configured
<STRONG>suexec</STRONG> wrapper, it will print the following message to
-the console:<p>
+the console:
+</P>
-<code>Configuring Apache for use with suexec wrapper.</code><p>
+<P ALIGN="LEFT">
+<CODE>Configuring Apache for use with suexec wrapper.</CODE>
+</P>
+<P ALIGN="LEFT">
If you don't see this message at server startup, the server is most
likely not finding the wrapper program where it expects it, or the
-executable is not installed <STRONG><em>setuid root</em></STRONG>. Check
-your installation and try again.<p>
+executable is not installed <STRONG><EM>setuid root</EM></STRONG>. Check
+your installation and try again.
+</P>
+<P ALIGN="LEFT">
One way to use <STRONG>suEXEC</STRONG> is through the
<a href="mod/core.html#user"><STRONG>User</STRONG></a> and
<a href="mod/core.html#group"><STRONG>Group</STRONG></a> directives in
execution to be enabled for the user and that the script must meet the
scrutiny of the <a href="#model">security checks</a> above.
-<hr>
+<P ALIGN="CENTER">
+<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
+</P>
-<h3>Debugging suEXEC</h3>
+<H3><A NAME="debug">Debugging suEXEC</A></H3>
+<P ALIGN="LEFT">
The suEXEC wrapper will write log information to the location defined in
the <code>suexec.h</code> as indicated above. If you feel you have
-configured and installed the wrapper properly,
-have a look at this log and the error_log for the server to see where
-you may have gone astray.
-<!--#include virtual="footer.html" -->
+configured and installed the wrapper properly, have a look at this log
+and the error_log for the server to see where you may have gone astray.
+</P>
+<P ALIGN="CENTER">
+<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
+</P>
+
+<H3><A NAME="jabberwock">Beware the Jabberwock: Warnings & Examples</A></H3>
+<P ALIGN="LEFT">
+<STRONG>NOTE!</STRONG> This section may not be complete. For the latest
+revision of this section of the documentation, see the Apache Group's
+<A HREF="http://www.apache.org/docs/suexec.html">Online Documentation</A>
+version.
+</P>
+
+<P ALIGN="LEFT">
+There are a few points of interest regarding the wrapper that can cause
+limitations on server setup. Please review these before submitting any
+"bugs" regarding suEXEC.
+<UL>
+ <LH><STRONG>suEXEC Points Of Interest</STRONG></LH>
+ <LI>Hierarchy limitations
+ <BLOCKQUOTE>
+ For security and efficiency reasons, all suexec requests must
+ remain within either a top-level document root for virtual
+ host requests, or one top-level personal document root for
+ userdir requests. For example, if you have four VirtualHosts
+ configured, you would need to structure all of your VHosts'
+ document roots off of one main Apache document hierarchy to
+ take advantage of suEXEC for VirtualHosts. (Example forthcoming.)
+ </BLOCKQUOTE>
+ </LI>
+ <LI>suEXEC's PATH environment variable
+ <BLOCKQUOTE>
+ This can be a dangerous thing to change. Make certain every
+ path you include in this define is a <STRONG>trusted</STRONG>
+ directory. You don't want to open people up to having someone
+ from across the world running a trojan horse on them.
+ </BLOCKQUOTE>
+ </LI>
+ <LI>Altering the suEXEC code
+ <BLOCKQUOTE>
+ Again, this can cause <STRONG>Big Trouble</STRONG> if you try
+ this without knowing what you are doing. Stay away from it
+ if at all possible.
+ </BLOCKQUOTE>
+ </LI>
+</UL>
+
+<P ALIGN="CENTER">
+<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
+</P>
+
+<!--#include virtual="footer.html" -->
</BODY>
</HTML>
projects / thirdparty / apache / httpd.git / commitdiff
