ProblemYou want to have CGI programs executed by some user other than nobody. For example, you may have a database that is not accessible to anyone except a particular user, so the server needs to temporarily assume that user's identity to access it. SolutionWhen building Apache, enable suexec by passing the enable-suexec argument to configure. Then, in a virtual host section, specify which user and group you'd like to use to run CGI programs: User rbowen Group users Also, suexec will be invoked for any CGI programs run out of username-type URLs for the affected virtual host. DiscussionThe suexec wrapper is a suid (runs as the user ID of the user that owns the file) program that allows you to run CGI programs as any user you specify, rather than as the nobody user which Apache runs as. suexec is a standard part of Apache and is enabled by default.
When suexec is installed, there are two different ways that it can be invoked, as shown in the Solution. A User and Group directive may be specified in a VirtualHost container, and all CGI programs executed within the context of that virtual host are executed as that user and group. Note that this only applies to CGI programs. Documents are still accessed as the user and group specified in the User and Group directives in the main server configuration, not those in the virtual host, and need to be readable by that user and group. Second, any CGI program run out of a UserDir directory is run with the permissions of the owner of that directory. That is, if a CGI program is accessed via the URL http://example.com/~rbowen/cgi-bin/test.cgi, then that program will be executed, via suexec, with a userid of rbowen, and a groupid of rbowen's primary group.
Running CGI programs via suexec eliminates some of the security concerns surrounding CGI programs. By default, CGI programs run with the permissions of the user and group specified in the User and Group directives, meaning that they have rather limited ability to do any damage. However, it also means that CGI programs on one part of your web server run with all the same permissions as those on another part of your server, and any files that are created or modified by one will be modifiable by another. By running a CGI program under suexec, you allow each user to exercise a little more control over her own file permissions, and in the event that a malicious CGI program is written, it can only damage the files owned by the user in question, rather than having free rein over the entire web server. In Apache 2.0, the perchild MPM may largely do away with the need for suexec, but, as of this writing, perchild does not work correctly. PHP scripts that are run as CGI programs, rather than under the mod_php handler, may be run as suexec processes in the same way as any other CGI program. See Also
|