httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Rees <>
Subject mod_fcgid and suexec problems
Date Wed, 23 Sep 2009 22:55:21 GMT
I initially opened a bug for this downstream (See Fedora #523903[1]),
but the Fedora mod_fcgid maintainer Paul suggested I open up the
discussion here.

I was recently working on configuring some of my servers to use the
worker MPM instead of prefork to be able to handle more concurrent
connections without additional memory.

Some of these servers use PHP, and it's well known that PHP is not
very thread-safe so I started using mod_fcgid to handle PHP scripts.

This worked great until I started testing PHP scripts in UserDirs,
when suEXEC would then prevent the scripts from running since my
FCGIWrapper is set to /usr/bin/php-cgi and that script isn't in the
UserDir or owned by the user.  After additional reading on suEXEC, I
renamed the suexec binary to disable suEXEC, but this has the drawback
that if the httpd package is updated, the binary will come back, too
and re-enable suEXEC on the next httpd restart.

I did some searching and found this post on the old mod_cgid lists
where a user had the same problem and suggested (along with a patch)
adding a configuration flag for mod_fcgid to disable suEXEC [2].

While a configuration flag like that would indeed fix my issue, I'm
not convinced it's the right approach to this issue.  Other possible
solutions I had thought of:

* Since Fedora (looks like RHEL does, too) compiles in suEXEC support
and the recommended way to disable suEXEC support is to change the
perms or delete the suexec binary, make suEXEC support a
configuration/startup value and edit the startup scripts to do finagle
the suexec binary before starting up Apache.

* Introduce a global "SuExecDisable" setting that will disable SuExec
in that configuration context.

* Go with a mod_fcgid specific SuExec disable setting as mentioned earlier.




View raw message