Re: [Lug-Nuts] suExec on Apache

From: Mike Machado (mike@innercite.com)
Date: Thu Nov 04 1999 - 18:37:09 PST


Quoting Brian Lavender <brian@brie.com>:

> Is anyone out there running suExec on apache? I was playing
> with it, and I don't know if I got it right. As I understand,
> suExec will run cgi's suid or sgid. Does this mean that you
> have to suid the script, or is the suExec wrapper doing this?
> How about permissions on the script? Do they need to be 755
> for a PERL script? I am also wondering about the directory
> where I store my cgi scripts. I have it sgid so that when
> people add files to the directory, they are owned by the www-data
> group. This way a group of people can work on the cgi's in
> this directory. Will this stop suExec from executing?
>
I run an Apache server with the SuExec wrapper. It only works on virtual hosts.
Aka it lets you use the user and group directives inside <virtualhost> settings.
You do not need to setuid your scripts if you use SuExec. Permissions of 755 should
be fine. It does not matter where your scripts are or who owns them. The SuExec
wrapper will change to the user and group in the <virtualhost> tag and execute the
script.

> I did some testing with apache with and without suExec. It
> seemed that my script ran suid by just chmod u+s scriptname
> without requiring suExec.
>
Bad idea, because anyone with shell access can then run the cgi, making a possible
security hole.

What I do for my servers is use a standard cgi wrapper called 'cgiwrap'. I think you
can find it on freshmeat. It requires the user to call the wrapper first and
it chuid to the user the script is owned by first and it works on non-virtualhosts.

> Any comments welcome.
>
> brian
> --
> Brian Lavender
> http://www.brie.com/brian/
>

Mike Machado
mike@innercite.com
InnerCite
Network Specialist
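
[Added example, not part of the original thread: a pre-flight check for the two things asked about above, setuid bits on a script and a group-writable cgi directory. It mirrors three file checks from the security model in the Apache suEXEC documentation (target not setuid/setgid, target not writable by anyone else, directory not writable by anyone else); the helper names cgi_preflight and writable_by_others are hypothetical.]

```shell
#!/bin/sh
# Added example: pre-flight check for a CGI script before it is served
# through suEXEC. Helper names are hypothetical, not part of Apache.

# Succeeds when path $1 has the group-write or other-write bit set.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Prints one line per finding; returns 0 if clean, 1 otherwise.
cgi_preflight() {
    script=$1
    dir=$(dirname "$script")
    rc=0

    if [ ! -f "$script" ]; then
        echo "MISSING: $script is not a regular file"
        return 1
    fi
    # suEXEC refuses targets that carry setuid or setgid bits.
    if [ -u "$script" ] || [ -g "$script" ]; then
        echo "SETID: $script is setuid or setgid"
        rc=1
    fi
    # The script must be writable by its owner only (755 passes, 775 fails).
    if writable_by_others "$script"; then
        echo "WRITABLE: $script is writable by group or others"
        rc=1
    fi
    # The same rule applies to the directory holding the script, so a
    # shared group-writable cgi directory fails here.
    if writable_by_others "$dir"; then
        echo "DIR-WRITABLE: $dir is writable by group or others"
        rc=1
    fi
    return $rc
}

# Stand-alone use: ./cgi_preflight.sh /path/to/script.cgi
if [ "$#" -gt 0 ]; then
    cgi_preflight "$1"
fi
```

A finding here means suEXEC would log an error and refuse to run the script, rather than run it with the permissions as they stand.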



This archive was generated by hypermail 2b29 : Fri Feb 25 2000 - 14:29:08 PST