suEXEC

Apache suEXEC is a feature of the Apache Web server. It allows users to run CGI and SSI applications as a different user - normally, all web server processes run as the default web server user (often wwwrun, www-data, Apache or nobody). The suEXEC feature consists of a module for the web server and a binary executable which acts as a wrapper. suEXEC was introduced in Apache 1.2 and is often included in the default Apache package provided by most Linux distributions.

If a client requests a CGI and suEXEC is activated, it will call the suEXEC binary which then wraps the CGI scripts and executes it under the user account of the server process (virtual host) defined in the virtual host directive.[1]

Additionally, suEXEC perform a multi-step check on the executed CGI to ensure security for the server (including path-checks, a limit of permitted commands, etc.)[2]

Example

User "Alice" has a website including some CGI scripts in her own public_html folder, which can be accessed by http://server/~alice.

Bob now views Alice's webpage, which requires Apache to run one of these CGI scripts.

Instead of running all scripts as "wwwrun" (which results in the need that all scripts have to be readable and executable for the "wwwrun" group if the file is owned by that group or for all users otherwise), the scripts in /home/alice/public_html will be wrapped using suEXEC and run with Alice's user ID resulting in higher security and eliminating the need to make the scripts readable and executable for all users or everyone in the "wwwrun" group (instead only alice herself needs to be able to run the script).

References

  1. Miller, Chris. "Deploying PHP: mod_php? CGI/suExec? FastCGI?". Huffington Post. Retrieved 26 February 2015.
  2. apache.org - suEXEC Support


This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.