| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" |
| "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
| |
| <html xmlns="http://www.w3.org/1999/xhtml"> |
| <head> |
| <meta name="generator" content="HTML Tidy, see www.w3.org" /> |
| |
| <title>Apache suEXEC Support</title> |
| </head> |
| <!-- Background white, links blue (unvisited), navy (visited), red (active) --> |
| |
| <body bgcolor="#FFFFFF" text="#000000" link="#0000FF" |
| vlink="#000080" alink="#FF0000"> |
| <!--#include virtual="header.html" --> |
| |
| <h3><a id="install" name="install">Configuring & Installing |
| suEXEC</a></h3> |
| |
| <p align="LEFT">This section describes the configuration and |
| installation of the suEXEC feature with the |
| "<code>src/Configure</code>" script.<br /> |
| (If you use Apache 1.3 you may want to use the Apache |
| AutoConf-style interface (APACI) which is described in the <a |
| href="suexec.html">main suEXEC document</a>).</p> |
| |
| <p align="LEFT"><strong>EDITING THE SUEXEC HEADER |
| FILE</strong><br /> |
| - From the top-level of the Apache source tree, |
| type: <strong><code>cd support |
| [ENTER]</code></strong></p> |
| |
| <p align="LEFT">Edit the <code>suexec.h</code> file and change |
| the following macros to match your local Apache |
| installation.</p> |
| |
| <p align="LEFT"><em>From support/suexec.h</em></p> |
| <pre> |
| /* |
| * HTTPD_USER -- Define as the username under which Apache normally |
| * runs. This is the only user allowed to execute |
| * this program. |
| */ |
| #define HTTPD_USER "www" |
| |
| /* |
| * UID_MIN -- Define this as the lowest UID allowed to be a target user |
| * for suEXEC. For most systems, 500 or 100 is common. |
| */ |
| #define UID_MIN 100 |
| |
| /* |
| * GID_MIN -- Define this as the lowest GID allowed to be a target group |
| * for suEXEC. For most systems, 100 is common. |
| */ |
| #define GID_MIN 100 |
| |
| /* |
| * USERDIR_SUFFIX -- Define to be the subdirectory under users' |
| * home directories where suEXEC access should |
| * be allowed. All executables under this directory |
| * will be executable by suEXEC as the user so |
| * they should be "safe" programs. If you are |
| * using a "simple" UserDir directive (ie. one |
| * without a "*" in it) this should be set to |
| * the same value. suEXEC will not work properly |
| * in cases where the UserDir directive points to |
| * a location that is not the same as the user's |
| * home directory as referenced in the passwd file. |
| * |
| * If you have VirtualHosts with a different |
| * UserDir for each, you will need to define them to |
| * all reside in one parent directory; then name that |
| * parent directory here. IF THIS IS NOT DEFINED |
| * PROPERLY, ~USERDIR CGI REQUESTS WILL NOT WORK! |
| * See the suEXEC documentation for more detailed |
| * information. |
| */ |
| #define USERDIR_SUFFIX "public_html" |
| |
| /* |
| * LOG_EXEC -- Define this as a filename if you want all suEXEC |
| * transactions and errors logged for auditing and |
| * debugging purposes. |
| */ |
| #define LOG_EXEC "/usr/local/apache/logs/cgi.log" /* Need me? */ |
| |
| /* |
| * DOC_ROOT -- Define as the DocumentRoot set for Apache. This |
| * will be the only hierarchy (aside from UserDirs) |
| * that can be used for suEXEC behavior. |
| */ |
| #define DOC_ROOT "/usr/local/apache/htdocs" |
| |
| /* |
| * SAFE_PATH -- Define a safe PATH environment to pass to CGI executables. |
| * |
| */ |
| #define SAFE_PATH "/usr/local/bin:/usr/bin:/bin" |
| </pre> |
| |
| <p align="LEFT"><strong>COMPILING THE SUEXEC |
| WRAPPER</strong><br /> |
| You now need to compile the suEXEC wrapper. At the shell |
| command prompt, after compiling Apache, |
| type: <strong><code>make |
| suexec[ENTER]</code></strong>. This should create the |
| <strong><em>suexec</em></strong> wrapper executable.</p> |
| |
| <p align="LEFT"><strong>COMPILING APACHE FOR USE WITH |
| SUEXEC</strong><br /> |
| By default, Apache is compiled to look for the suEXEC wrapper |
| in the following location.</p> |
| |
| <p align="LEFT"><em>From src/include/httpd.h</em></p> |
| <pre> |
| /* The path to the suExec wrapper, can be overridden in Configuration */ |
| #ifndef SUEXEC_BIN |
| #define SUEXEC_BIN HTTPD_ROOT "/sbin/suexec" |
| #endif |
| </pre> |
| |
| <p align="LEFT">If your installation requires location of the |
| wrapper program in a different directory, either add |
| <code>-DSUEXEC_BIN=\"<em></your/path/to/suexec></em>\"</code> |
| to your CFLAGS (or edit src/include/httpd.h) and recompile your |
| Apache server. See <a href="install.html">Compiling and |
| Installing Apache</a> (and the <samp>INSTALL</samp> file in the |
| source distribution) for more info on this process.</p> |
| |
| <p align="LEFT"><strong>COPYING THE SUEXEC BINARY TO ITS PROPER |
| LOCATION</strong><br /> |
| Copy the <strong><em>suexec</em></strong> executable created |
| in the exercise above to the defined location for |
| <strong>SUEXEC_BIN</strong>.</p> |
| |
| <p align="LEFT"><strong><code>cp suexec |
| /usr/local/apache/sbin/suexec [ENTER]</code></strong></p> |
| |
| <p align="LEFT">In order for the wrapper to set the user ID, it |
| must be installed as owner <strong><em>root</em></strong> and |
| must have the setuserid execution bit set for file modes. If |
| you are not running a <strong><em>root</em></strong> user |
| shell, do so now and execute the following commands.</p> |
| |
| <p align="LEFT"><strong><code>chown root |
| /usr/local/apache/sbin/suexec [ENTER]</code></strong><br /> |
| <strong><code>chmod 4711 /usr/local/apache/sbin/suexec |
| [ENTER]</code></strong></p> |
| |
| <h3><a id="enable" name="enable">Enabling & Disabling |
| suEXEC</a></h3> |
| |
| <p align="LEFT">After properly installing the |
| <strong>suexec</strong> wrapper executable, you must kill and |
| restart the Apache server. A simple <strong><code>kill -1 `cat |
| httpd.pid`</code></strong> will not be enough. Upon startup of |
| the web-server, if Apache finds a properly configured |
| <strong>suexec</strong> wrapper, it will print the following |
| message to the console (Apache 1.2):</p> |
| <pre> |
| Configuring Apache for use with suexec wrapper. |
| </pre> |
| If you use Apache 1.3 the following message is printed to the |
| error log: |
| <pre> |
| [notice] suEXEC mechanism enabled (wrapper: <em>/path/to/suexec</em>) |
| </pre> |
| |
| <p align="LEFT">If you don't see this message at server |
| startup, the server is most likely not finding the wrapper |
| program where it expects it, or the executable is not installed |
| <strong><em>setuid root</em></strong>. Check your installation |
| and try again.</p> |
| |
| <p align="CENTER"><strong><a href="suexec.html">BACK TO MAIN |
| PAGE</a></strong></p> |
| <!--#include virtual="footer.html" --> |
| </body> |
| </html> |
| |