Suexec

From Linux Tools

Jump to: navigation, search

Apache suEXEC is a feature of the Apache Web server. It allows users to run CGI and SSI applications as a different user - normally, all web server processes run as the default web server user (often apache or nobody). The suEXEC feature consists of a module for the web server and a binary executable which acts as a wrapper. If a client requests a CGI and suEXEC is activated, it will call the suEXEC binary which then wraps the CGI scripts and executes it under the user account of the server process (virtual host) defined in the virtual host directive.

I will give an example :

User "alice" has a website including some CGI scripts in her own public_html folder, which can be accessed by http://server/~alice.

Bob now wants to access some CGI script. So instead of running all scripts as "nobody" (which results in the need that all scripts have to be readable and executable for the "nobody" group if the file is owned by that group or for all users otherwise), the scripts in /home/alice/public_html will be wrapped using suEXEC and run with Alice's user ID resulting in higher security and eliminating the need to make the scripts readable and executable for all users or everyone in the "nobody" group (instead only alice herself needs to be able to run the script).


Hardening PHP on server : 

Enabling PHP suEXEC (suphp)

When PHP runs as an Apache Module it executes as the "user/group" of the webserver which is usually "nobody" or "apache". Suexec is a mechanism supplied with Apache that allows to execute CGI scripts as the user they belong to, rather than Apache’s user. This improves security in situations where multiple mutually distrusting users have the possibility to put CGI content on the server. This means the scripts are executed as the user that created them. If user "supp0rt" uploaded a PHP script, you would see it was "supp0rt" running the script when looking at the running processes on your server. It also provides an additional layer of security where script permissions can’t be set to 777 (read/write/execute at user/group/world level).

PLEASE NOTE THAT Switching to the PHP Suexec module on the servers affects the users that depended on the configuration in the .htaccess file are panicking because their site not works anymore. This is not really a reason to be panic, what can you do in this situation is simple. Try to move as much configurations from your .htaccess file to the php.ini file. The php.ini is a simple text file that can be places in every directory from your server. It will affect only that directory and not the entire site. In addition, there could be some performance loss (also known as seeing a higher server load) as a result of all php scripts being ran as a separate CGI instead of as part of the Apache module.


Retrieved from "http://mycutelife.net/wiki/index.php?title=Suexec"
Main Page