suEXEC the CGI wrapper
A CGI wrapper is a system that executes scripts in
a safe and controlled fashion. It also allows scripts to
be executed as the user and group of the virtual host.
This gives scripts the proper permissions to execute
and use the user's directory tree. It also stops scripts
from affecting folders the owner shouldn't have access to.
Setting up suEXEC
suEXEC can be difficult to set up; it depends on whether
you compiled Apache yourself or whether it came with your
distribution. Your distribution may have configured suEXEC
correctly for you, in which case you'll just need to enable
it. You can check your suEXEC settings with the command:-
In our example we are running Red Hat 9, which comes with
Apache 2 by default. However, suEXEC is not configured properly
by default, so you need to recompile suEXEC (not the whole
of Apache) with the correct settings to get it working.
Here is our quick guide.
- Check your suEXEC settings
- The interesting bit of info is AP_DOC_ROOT. Default
is "/var/www". If this isn't the same as the
directory where your site files are ("/home"
for RH9) you're going to need to recompile it. If it is
the same then you're lucky! You can skip to step 15.
- Download and decompress the source RPM for httpd.
- Navigate to the "support" sub folder
of the httpd source directory (such as "/usr/src/redhat/SOURCES/httpd-2.0.40/support/")
- Edit the file "suexec.h" and change the lines:-
- #define AP_DOC_ROOT "/var/www"
to the location of your site files such as:-
#define AP_DOC_ROOT "/home"
- #define AP_HTTPD_USER
to the user you have set for apache
- #define AP_LOG_EXEC "/some/long/thing/I've/forgot/suexec.log"
to something sensible like:-
#define AP_LOG_EXEC "/var/log/httpd/suexec.log"
- Now you'll need to configure the apache source:-
- And Now:-
- Now replace your old suexec executable with your new
one, backing up the old one first:-
mv suexec suexec.bak
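- Don't forget to change the group and owner to the same
as the old suexec file! The owner has to be root: the
setuid bit set in the next step only lets suexec switch
to the script's user when the file belongs to root.
ls -l suexec
chgrp apache suexec
chown root suexec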
- Now make
chmod 4510 suexec
- Ok that's suexec ready to go. Now open httpd.conf (make
a backup first) and add the line:-
- Now that suexec is in use you can define the user and group
that scripts should be executed as for each VirtualHost.
In the following examples username and groupname should
be swapped with the actual user and group you want to use.
This should be the same as the owner and group of that
In Apache 2:-
In Apache 1:-
- Restart apache and away you go!
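A way to confirm the result of the steps above, as an added example that is not part of the original guide. It checks the values this guide changes (AP_DOC_ROOT, AP_HTTPD_USER, owner, group and mode 4510) and assumes the `-D NAME="value"` line format printed by `suexec -V`; the function names, the user alice and all sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: check a rebuilt suexec against the settings this guide changes.

# Print one compile-time setting from `suexec -V` output read on stdin.
# Assumed line format:  -D AP_DOC_ROOT="/home"
suexec_setting() {
    sed -n 's/^ *-D '"$1"'="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p'
}

# Succeed if directory $2 is docroot $1 or below it ("/homework" is not under "/home").
under_docroot() {
    [ -n "$1" ] || return 1
    case "${2%/}/" in "${1%/}/"*) return 0 ;; *) return 1 ;; esac
}

# Succeed if `ls -l` line $1 shows mode 4510, owner root and group $2.
perms_ok() {
    printf '%s\n' "$1" | {
        read -r mode _links owner group _rest
        [ "${mode%[.+]}" = "-r-s--x---" ] && [ "$owner" = root ] && [ "$group" = "$2" ]
    }
}

# audit_suexec <-V text> <ls -l line> <site dir> <httpd user> <httpd group>
# Prints one line per problem; returns 0 only if every check passes.
audit_suexec() {
    rc=0
    root=$(printf '%s\n' "$1" | suexec_setting AP_DOC_ROOT)
    user=$(printf '%s\n' "$1" | suexec_setting AP_HTTPD_USER)
    under_docroot "$root" "$3" || { echo "FAIL: $3 is outside AP_DOC_ROOT '$root'"; rc=1; }
    [ "$user" = "$4" ] || { echo "FAIL: AP_HTTPD_USER is '$user', want '$4'"; rc=1; }
    perms_ok "$2" "$5" || { echo "FAIL: want -r-s--x--- root $5, got: $2"; rc=1; }
    return $rc
}

# Constructed sample input (not captured from a real host).
STOCK_V=' -D AP_DOC_ROOT="/var/www"
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"'
REBUILT_V=' -D AP_DOC_ROOT="/home"
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"'
GOOD_LS='-r-s--x---  1 root   apache 11368 Jan  1 00:00 suexec'
BAD_LS='-r-s--x---  1 apache apache 11368 Jan  1 00:00 suexec'

audit_suexec "$STOCK_V" "$GOOD_LS" /home/alice/public_html apache apache || true
audit_suexec "$REBUILT_V" "$BAD_LS" /home/alice/public_html apache apache || true
audit_suexec "$REBUILT_V" "$GOOD_LS" /home/alice/public_html apache apache && echo OK
```

On a live host, pass in the output of `suexec -V 2>&1` run as root (suexec prints its settings to stderr) and the `ls -l` line for the installed binary.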