Return-Path:
Apache HTTP Server Version 2.3 The suEXEC feature provides
@@ -39,18 +39,18 @@
and the security issues they present, we highly recommend that
you not consider using suEXEC. Setting paranoid permissions and and This will ensure that only the group Apache runs as can even
execute the suEXEC wrapper. Upon startup of Apache, it looks for the file
- If you want to disable suEXEC you should kill and restart
- Apache after you have removed the suEXEC Support
suEXEC Security Model
@@ -348,7 +348,7 @@
configuration, as well as what security risks can be avoided
with a proper suEXEC setup, see the "Beware the Jabberwock" section of this
document.
-Configuring & Installing
suEXEC
@@ -456,7 +456,7 @@
Although the suEXEC wrapper will check to ensure that its
caller is the correct user as specified with the
- --with-suexec-caller
configure
+ --with-suexec-caller
configure
option, there is
always the possibility that a system or library call suEXEC uses
before this check may be exploitable on your system. To counter
@@ -471,7 +471,7 @@
Group webgroup
suexec
is installed at
+ suexec
is installed at
"/usr/local/apache2/sbin/suexec", you should run:
@@ -481,13 +481,13 @@
Enabling & Disabling
suEXEC
suexec
in the directory defined by the
+ suexec
in the directory defined by the
--sbindir
option (default is
"/usr/local/apache/sbin/suexec"). If Apache finds a properly
configured suEXEC wrapper, it will print the following message
@@ -506,33 +506,33 @@
restart Apache. Restarting it with a simple HUP or USR1 signal
will not be enough. suexec
file.suexec
file.
Requests for CGI programs will call the suEXEC wrapper only if
- they are for a virtual host containing a SuexecUserGroup
directive or if
- they are processed by mod_userdir
.
SuexecUserGroup
directive or if
+ they are processed by mod_userdir
.
Virtual Hosts:
One way to use the suEXEC
- wrapper is through the SuexecUserGroup
directive in
- VirtualHost
definitions. By
+ wrapper is through the SuexecUserGroup
directive in
+ VirtualHost
definitions. By
setting this directive to values different from the main server
user ID, all requests for CGI resources will be executed as the
- User and Group defined for that <VirtualHost>
. If this
- directive is not specified for a <VirtualHost>
then the main server userid
+ User and Group defined for that <VirtualHost>
. If this
+ directive is not specified for a <VirtualHost>
then the main server userid
is assumed.
User directories:
Requests that are
- processed by mod_userdir
will call the suEXEC
+ processed by mod_userdir
will call the suEXEC
wrapper to execute CGI programs under the userid of the requested
user directory. The only requirement needed for this feature to
work is for CGI execution to be enabled for the user and that the
script must meet the scrutiny of the security
checks above. See also the
--with-suexec-userdir
compile
- time option.