SuExec for apache

This is a short howto geared towards users of the ispman management system. It shows the installation and configuration of suexec, a security extension for apache that “provides the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server”.

In our case the following situation was given:

  • system: debian woody
  • apache: version 1.3
  • ispman root directory: /ispman
  • ldap ispman base: o=ispman

Ldap Authentication:

SuExec is not able to use numeric user and group ids to define the user under which an apache process is supposed to run for a given virtual host, so the ids have to be resolvable to names.

LibNssLdap (libnss-ldap) is a library that allows the name service to map numeric user ids to user names defined in an ldap database.

First, install the appropriate libraries with:

  apt-get install libnss-ldap

Then change the file /etc/nsswitch.conf as follows:

  passwd:    files ldap
  group:     files ldap
  shadow:    files ldap

If not already defined add the following to /etc/libnss-ldap.conf:

  host localhost
  base o=ispman

Configure apache

The suexec extension of apache only works for documents stored below the suexec-docroot directory. On debian woody this is /var/www. Because our ispman base directory is /ispman, we need to recompile apache with the suexec-docroot set to our ispman directory.

Download the apache source:

  apt-get source apache
  apt-get build-dep apache

In the main apache source directory edit the file debian/rules and change the --suexec-docroot option to your ispman directory (or the subdirectory where the domains are stored). Then build and install the modified package:

  dpkg-buildpackage -rfakeroot -b
  dpkg -i ../apache_version-revision_arch.deb

This process has to be repeated for each update of the apache package.

For suexec to work properly, all files that should be run with suexec must run through cgi. For php, change the apache config file httpd.conf as follows:

  AddHandler cgi-script .php .cgi .sh .pl

This tells apache to treat php (and perl and shell) scripts as cgi scripts. Now, every section where CGIs should be enabled needs:

  Options +ExecCGI

Ispman templates

For virtual hosts defined via ispman you can set the User and Group directives using the Extra Configurations text field of each subdomain. It is also possible to activate suexec support for all domains by adding the following entry to the ispman vhosts template vhosts.conf.template:

   User <perl>$servername</perl>
   Group <perl>$ispmanDomain</perl>
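Added example, not part of this howto or of ispman: a small POSIX sh lint for the vhost configuration that apache ends up with. It checks the two requirements explained above, that User and Group are names (not numeric ids, which suexec cannot map on this setup) and that every DocumentRoot lies below the suexec-docroot; the /ispman docroot and the sample vhost lines are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original howto: lint a vhost config for
# the suexec preconditions described above. Assumes suexec-docroot is
# /ispman (pass another as 2nd argument). Non-zero exit on any problem.
check_vhosts() {
    conf="$1"; docroot="${2:-/ispman}"; rc=0; n=0
    while read -r key value _rest || [ -n "$key" ]; do
        n=$((n + 1))
        case "$key" in
        User|Group)
            case "$value" in
            ''|\#*)   # "#uid" form: suexec needs a name it can look up via nss_ldap
                echo "$conf:$n: $key needs a user name, not '$value'"; rc=1 ;;
            *[!0-9]*) # contains a non-digit, so it is a name
                if [ "$value" = root ]; then
                    echo "$conf:$n: suexec refuses to run as root"; rc=1
                fi ;;
            *)        # all digits: cannot be mapped on this setup
                echo "$conf:$n: $key '$value' is numeric; use a name from o=ispman"; rc=1 ;;
            esac ;;
        DocumentRoot)
            case "$value" in
            "$docroot"|"$docroot"/*)
                case "$value" in */../*|*/..)
                    echo "$conf:$n: '..' in DocumentRoot escapes $docroot"; rc=1 ;;
                esac ;;
            *)
                echo "$conf:$n: DocumentRoot '$value' is outside suexec-docroot $docroot"; rc=1 ;;
            esac ;;
        esac
    done < "$conf"
    return $rc
}

# Constructed sample (not from a real ispman install): one host that passes,
# one with a numeric uid, a "#gid" group and a DocumentRoot outside /ispman.
demo() {
    f=$(mktemp)
    printf '%s\n' '<VirtualHost *>' 'DocumentRoot /ispman/domains/example.org/www' \
        'User www.example.org' 'Group example.org' '</VirtualHost>' \
        '<VirtualHost *>' 'DocumentRoot /var/www/example.net' \
        'User 1001' 'Group #1001' '</VirtualHost>' > "$f"
    check_vhosts "$f"; rc=$?; rm -f "$f"; return $rc
}

if [ "$#" -gt 0 ]; then check_vhosts "$@"; fi
```

Run it as `sh lint.sh /etc/apache/vhosts.conf` (or with a second argument naming your suexec-docroot) after ispman has regenerated the vhosts, or call demo to see the three kinds of complaints on the constructed sample.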

Limitations

SuExec works fine with symbolic links as long as the file that is called is not itself a link to another file. Traversing links (e.g. a link to another directory) does not pose a problem. Calling files that are themselves links to other files is not possible.

Afaik, there is no solution for using suexec with links that represent files.