Archive for the tag 'Suexec'

SBDavid

What is suEXEC?

The suEXEC feature — introduced in Apache 1.2 — provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.

Presently, suEXEC does not allow ‘root’ to execute CGI/SSI programs.

Used properly, this feature can reduce considerably the security risks involved with allowing users to develop and run private CGI or SSI programs. However, if suEXEC is improperly configured, it can cause any number of problems and possibly create new holes in your computer’s security. If you aren’t familiar with managing setuid root programs and the security issues they present, we highly recommend that you not consider using suEXEC.

SBDavid

Enabling & Disabling suEXEC

On startup, Apache looks for the file “suexec” in the “sbin” directory (default is “/usr/local/apache/sbin/suexec”). If Apache finds a properly configured suEXEC wrapper, it will print the following message to the error log:

[notice] suEXEC mechanism enabled (wrapper: /path/to/suexec)

If you don’t see this message at server startup, the server is most likely not finding the wrapper program where it expects it, or the executable is not installed setuid root.

If you want to enable the suEXEC mechanism for the first time and an Apache server is already running, you must kill and restart Apache. Restarting it with a simple HUP or USR1 signal will not be enough.

If you want to disable suEXEC, you should kill and restart Apache after you have removed the “suexec” file.
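
The two causes named above for a missing notice (wrapper not found, or not installed setuid root) can be checked directly. The shell script below is an added example, not part of the original post; the function names and the sample log lines are constructed, and it assumes each error log line carries a leading timestamp before “[notice]”.

```sh
#!/bin/sh
# Added example: find out why the suEXEC startup notice is missing.

# Print the wrapper path from the most recent suEXEC notice in error log $1.
# Returns 1 when the log contains no such notice.
suexec_notice_wrapper() {
    sed -n 's/.*\[notice] suEXEC mechanism enabled (wrapper: \(.*\))$/\1/p' "$1" |
        tail -n 1 | grep .
}

# Classify wrapper file $1: missing | not-setuid | not-root-owned | ok
wrapper_status() {
    if [ ! -f "$1" ]; then echo missing; return 0; fi
    if [ ! -u "$1" ]; then echo not-setuid; return 0; fi
    owner_uid=$(ls -ldn -- "$1" | awk '{print $3}')
    if [ "$owner_uid" != 0 ]; then echo not-root-owned; return 0; fi
    echo ok
}

# diagnose LOG WRAPPER: one-line summary combining both checks.
diagnose() {
    if w=$(suexec_notice_wrapper "$1"); then
        echo "last notice names wrapper: $w"
    else
        echo "no notice; wrapper $(wrapper_status "$2")"
    fi
}

# Constructed sample error log lines (not taken from a real server).
sample_log() {
    cat <<'EOF'
[Mon Mar 03 10:00:01 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/sbin/suexec)
[Mon Mar 03 10:00:02 2008] [notice] Apache configured -- resuming normal operations
EOF
}

# Demo on the constructed log; on a server, pass the real error log path.
tmp=$(mktemp) && sample_log > "$tmp"
diagnose "$tmp" /usr/local/apache/sbin/suexec
rm -f "$tmp"
```

A result of “no notice; wrapper ok” points at the restart rule above: the server was only signalled with HUP or USR1 and still needs a full kill and restart.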

SBDavid

Suexec enabled file ownership issue

In cPanel, when a user is created, the “public_html” directory is always created with the user as owner and “nobody” as group. However, when suEXEC is enabled, the “public_html” directory must be owned by the user, with the user's own group. This is not done when an account is created via WHM; the directory is created with the default ownership, user : nobody.

Here are two scripts which change the ownership and permissions.

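Script 1
cat changeperm

#!/bin/sh
# Set ownership and mode of public_html for a single account.
echo "Enter the user:"
read -r user
[ -d "/home/$user/public_html" ] || { echo "no public_html for $user" >&2; exit 1; }
chown "$user:$user" "/home/$user/public_html"
chmod 755 "/home/$user/public_html"

Script 2
cat changepermall

#!/bin/sh
# Set ownership and mode of public_html for every account in /etc/trueuserdomains.
for user in $(cut -d : -f 2 /etc/trueuserdomains)
do
    chown "$user:$user" "/home/$user/public_html"
    chmod 755 "/home/$user/public_html"
done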

The script “changeperm” when executed will prompt for the username for which the permissions will be set (single account). The second script “changepermall” will change the permissions of all the users.