APACHE_1_3_42/htdocs/manual/suexec_1_2.html - httpd - Git at Google

 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
     <meta name="generator" content="HTML Tidy, see www.w3.org" />

     <title>Apache suEXEC Support</title>
   </head>
   <!-- Background white, links blue (unvisited), navy (visited), red (active) -->

   <body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
   vlink="#000080" alink="#FF0000">
     <!--#include virtual="header.html" -->

     <h3><a id="install" name="install">Configuring &amp; Installing
     suEXEC</a></h3>

     <p align="LEFT">This section describes the configuration and
     installation of the suEXEC feature with the
     "<code>src/Configure</code>" script.<br />
      (If you use Apache 1.3 you may want to use the Apache
     AutoConf-style interface (APACI) which is described in the <a
     href="suexec.html">main suEXEC document</a>).</p>

     <p align="LEFT"><strong>EDITING THE SUEXEC HEADER
     FILE</strong><br />
      - From the top-level of the Apache source tree,
     type:&nbsp;&nbsp; <strong><code>cd support
     [ENTER]</code></strong></p>

     <p align="LEFT">Edit the <code>suexec.h</code> file and change
     the following macros to match your local Apache
     installation.</p>

     <p align="LEFT"><em>From support/suexec.h</em></p>
 <pre>
      /*
       * HTTPD_USER -- Define as the username under which Apache normally
       *               runs.  This is the only user allowed to execute
       *               this program.
       */
      #define HTTPD_USER "www"

      /*
       * UID_MIN -- Define this as the lowest UID allowed to be a target user
       *            for suEXEC.  For most systems, 500 or 100 is common.
       */
      #define UID_MIN 100

      /*
       * GID_MIN -- Define this as the lowest GID allowed to be a target group
       *            for suEXEC.  For most systems, 100 is common.
       */
      #define GID_MIN 100

      /*
       * USERDIR_SUFFIX -- Define to be the subdirectory under users'
       *                   home directories where suEXEC access should
       *                   be allowed.  All executables under this directory
       *                   will be executable by suEXEC as the user so
       *                   they should be "safe" programs.  If you are
       *                   using a "simple" UserDir directive (ie. one
       *                   without a "*" in it) this should be set to
       *                   the same value.  suEXEC will not work properly
       *                   in cases where the UserDir directive points to
       *                   a location that is not the same as the user's
       *                   home directory as referenced in the passwd file.
       *
       *                   If you have VirtualHosts with a different
       *                   UserDir for each, you will need to define them to
       *                   all reside in one parent directory; then name that
       *                   parent directory here.  IF THIS IS NOT DEFINED
       *                   PROPERLY, ~USERDIR CGI REQUESTS WILL NOT WORK!
       *                   See the suEXEC documentation for more detailed
       *                   information.
       */
      #define USERDIR_SUFFIX "public_html"

      /*
       * LOG_EXEC -- Define this as a filename if you want all suEXEC
       *             transactions and errors logged for auditing and
       *             debugging purposes.
       */
      #define LOG_EXEC "/usr/local/apache/logs/cgi.log" /* Need me? */

      /*
       * DOC_ROOT -- Define as the DocumentRoot set for Apache.  This
       *             will be the only hierarchy (aside from UserDirs)
       *             that can be used for suEXEC behavior.
       */
      #define DOC_ROOT "/usr/local/apache/htdocs"

      /*
       * SAFE_PATH -- Define a safe PATH environment to pass to CGI executables.
       *
       */
      #define SAFE_PATH "/usr/local/bin:/usr/bin:/bin"
 </pre>

     <p align="LEFT"><strong>COMPILING THE SUEXEC
     WRAPPER</strong><br />
      You now need to compile the suEXEC wrapper. At the shell
     command prompt, after compiling Apache,
     type:&nbsp;&nbsp;<strong><code>make
     suexec[ENTER]</code></strong>. This should create the
     <strong><em>suexec</em></strong> wrapper executable.</p>

     <p align="LEFT"><strong>COMPILING APACHE FOR USE WITH
     SUEXEC</strong><br />
      By default, Apache is compiled to look for the suEXEC wrapper
     in the following location.</p>

     <p align="LEFT"><em>From src/include/httpd.h</em></p>
 <pre>
      /* The path to the suExec wrapper, can be overridden in Configuration */
      #ifndef SUEXEC_BIN
      #define SUEXEC_BIN  HTTPD_ROOT "/sbin/suexec"
      #endif
 </pre>

     <p align="LEFT">If your installation requires location of the
     wrapper program in a different directory, either add
     <code>-DSUEXEC_BIN=\"<em>&lt;/your/path/to/suexec&gt;</em>\"</code>
     to your CFLAGS (or edit src/include/httpd.h) and recompile your
     Apache server. See <a href="install.html">Compiling and
     Installing Apache</a> (and the <samp>INSTALL</samp> file in the
     source distribution) for more info on this process.</p>

     <p align="LEFT"><strong>COPYING THE SUEXEC BINARY TO ITS PROPER
     LOCATION</strong><br />
      Copy the <strong><em>suexec</em></strong> executable created
     in the exercise above to the defined location for
     <strong>SUEXEC_BIN</strong>.</p>

     <p align="LEFT"><strong><code>cp suexec
     /usr/local/apache/sbin/suexec [ENTER]</code></strong></p>

     <p align="LEFT">In order for the wrapper to set the user ID, it
     must be installed as owner <strong><em>root</em></strong> and
     must have the setuserid execution bit set for file modes. If
     you are not running a <strong><em>root</em></strong> user
     shell, do so now and execute the following commands.</p>

     <p align="LEFT"><strong><code>chown root
     /usr/local/apache/sbin/suexec [ENTER]</code></strong><br />
      <strong><code>chmod 4711 /usr/local/apache/sbin/suexec
     [ENTER]</code></strong></p>

     <h3><a id="enable" name="enable">Enabling &amp; Disabling
     suEXEC</a></h3>

     <p align="LEFT">After properly installing the
     <strong>suexec</strong> wrapper executable, you must kill and
     restart the Apache server. A simple <strong><code>kill -1 `cat
     httpd.pid`</code></strong> will not be enough. Upon startup of
     the web-server, if Apache finds a properly configured
     <strong>suexec</strong> wrapper, it will print the following
     message to the console (Apache 1.2):</p>
 <pre>
     Configuring Apache for use with suexec wrapper.
 </pre>
     If you use Apache 1.3 the following message is printed to the
     error log:
 <pre>
     [notice] suEXEC mechanism enabled (wrapper: <em>/path/to/suexec</em>)
 </pre>

     <p align="LEFT">If you don't see this message at server
     startup, the server is most likely not finding the wrapper
     program where it expects it, or the executable is not installed
     <strong><em>setuid root</em></strong>. Check your installation
     and try again.</p>

     <p align="CENTER"><strong><a href="suexec.html">BACK TO MAIN
     PAGE</a></strong></p>
     <!--#include virtual="footer.html" -->
   </body>
 </html>
	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

	<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
	<meta name="generator" content="HTML Tidy, see www.w3.org" />

	<title>Apache suEXEC Support</title>
	</head>
	<!-- Background white, links blue (unvisited), navy (visited), red (active) -->

	<body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
	vlink="#000080" alink="#FF0000">
	<!--#include virtual="header.html" -->

	<h3><a id="install" name="install">Configuring & Installing
	suEXEC</a></h3>

	<p align="LEFT">This section describes the configuration and
	installation of the suEXEC feature with the
	"<code>src/Configure</code>" script.<br />
	(If you use Apache 1.3 you may want to use the Apache
	AutoConf-style interface (APACI) which is described in the <a
	href="suexec.html">main suEXEC document</a>).</p>

	<p align="LEFT"><strong>EDITING THE SUEXEC HEADER
	FILE</strong><br />
	- From the top-level of the Apache source tree,
	type:   <strong><code>cd support
	[ENTER]</code></strong></p>

	<p align="LEFT">Edit the <code>suexec.h</code> file and change
	the following macros to match your local Apache
	installation.</p>

	<p align="LEFT"><em>From support/suexec.h</em></p>
	<pre>
	/*
	* HTTPD_USER -- Define as the username under which Apache normally
	* runs. This is the only user allowed to execute
	* this program.
	*/
	#define HTTPD_USER "www"

	/*
	* UID_MIN -- Define this as the lowest UID allowed to be a target user
	* for suEXEC. For most systems, 500 or 100 is common.
	*/
	#define UID_MIN 100

	/*
	* GID_MIN -- Define this as the lowest GID allowed to be a target group
	* for suEXEC. For most systems, 100 is common.
	*/
	#define GID_MIN 100

	/*
	* USERDIR_SUFFIX -- Define to be the subdirectory under users'
	* home directories where suEXEC access should
	* be allowed. All executables under this directory
	* will be executable by suEXEC as the user so
	* they should be "safe" programs. If you are
	* using a "simple" UserDir directive (ie. one
	* without a "*" in it) this should be set to
	* the same value. suEXEC will not work properly
	* in cases where the UserDir directive points to
	* a location that is not the same as the user's
	* home directory as referenced in the passwd file.
	*
	* If you have VirtualHosts with a different
	* UserDir for each, you will need to define them to
	* all reside in one parent directory; then name that
	* parent directory here. IF THIS IS NOT DEFINED
	* PROPERLY, ~USERDIR CGI REQUESTS WILL NOT WORK!
	* See the suEXEC documentation for more detailed
	* information.
	*/
	#define USERDIR_SUFFIX "public_html"

	/*
	* LOG_EXEC -- Define this as a filename if you want all suEXEC
	* transactions and errors logged for auditing and
	* debugging purposes.
	*/
	#define LOG_EXEC "/usr/local/apache/logs/cgi.log" /* Need me? */

	/*
	* DOC_ROOT -- Define as the DocumentRoot set for Apache. This
	* will be the only hierarchy (aside from UserDirs)
	* that can be used for suEXEC behavior.
	*/
	#define DOC_ROOT "/usr/local/apache/htdocs"

	/*
	* SAFE_PATH -- Define a safe PATH environment to pass to CGI executables.
	*
	*/
	#define SAFE_PATH "/usr/local/bin:/usr/bin:/bin"
	</pre>

	<p align="LEFT"><strong>COMPILING THE SUEXEC
	WRAPPER</strong><br />
	You now need to compile the suEXEC wrapper. At the shell
	command prompt, after compiling Apache,
	type:  <strong><code>make
	suexec[ENTER]</code></strong>. This should create the
	<strong><em>suexec</em></strong> wrapper executable.</p>

	<p align="LEFT"><strong>COMPILING APACHE FOR USE WITH
	SUEXEC</strong><br />
	By default, Apache is compiled to look for the suEXEC wrapper
	in the following location.</p>

	<p align="LEFT"><em>From src/include/httpd.h</em></p>
	<pre>
	/* The path to the suExec wrapper, can be overridden in Configuration */
	#ifndef SUEXEC_BIN
	#define SUEXEC_BIN HTTPD_ROOT "/sbin/suexec"
	#endif
	</pre>

	<p align="LEFT">If your installation requires location of the
	wrapper program in a different directory, either add
	<code>-DSUEXEC_BIN=\"<em></your/path/to/suexec></em>\"</code>
	to your CFLAGS (or edit src/include/httpd.h) and recompile your
	Apache server. See <a href="install.html">Compiling and
	Installing Apache</a> (and the <samp>INSTALL</samp> file in the
	source distribution) for more info on this process.</p>

	<p align="LEFT"><strong>COPYING THE SUEXEC BINARY TO ITS PROPER
	LOCATION</strong><br />
	Copy the <strong><em>suexec</em></strong> executable created
	in the exercise above to the defined location for
	<strong>SUEXEC_BIN</strong>.</p>

	<p align="LEFT"><strong><code>cp suexec
	/usr/local/apache/sbin/suexec [ENTER]</code></strong></p>

	<p align="LEFT">In order for the wrapper to set the user ID, it
	must be installed as owner <strong><em>root</em></strong> and
	must have the setuserid execution bit set for file modes. If
	you are not running a <strong><em>root</em></strong> user
	shell, do so now and execute the following commands.</p>

	<p align="LEFT"><strong><code>chown root
	/usr/local/apache/sbin/suexec [ENTER]</code></strong><br />
	<strong><code>chmod 4711 /usr/local/apache/sbin/suexec
	[ENTER]</code></strong></p>

	<h3><a id="enable" name="enable">Enabling & Disabling
	suEXEC</a></h3>

	<p align="LEFT">After properly installing the
	<strong>suexec</strong> wrapper executable, you must kill and
	restart the Apache server. A simple <strong><code>kill -1 `cat
	httpd.pid`</code></strong> will not be enough. Upon startup of
	the web-server, if Apache finds a properly configured
	<strong>suexec</strong> wrapper, it will print the following
	message to the console (Apache 1.2):</p>
	<pre>
	Configuring Apache for use with suexec wrapper.
	</pre>
	If you use Apache 1.3 the following message is printed to the
	error log:
	<pre>
	[notice] suEXEC mechanism enabled (wrapper: <em>/path/to/suexec</em>)
	</pre>

	<p align="LEFT">If you don't see this message at server
	startup, the server is most likely not finding the wrapper
	program where it expects it, or the executable is not installed
	<strong><em>setuid root</em></strong>. Check your installation
	and try again.</p>

	<p align="CENTER"><strong><a href="suexec.html">BACK TO MAIN
	PAGE</a></strong></p>
	<!--#include virtual="footer.html" -->
	</body>
	</html>