If the caller is not the account specified with the --suexec-caller option, the wrapper aborts and the user's script is not run. Because the wrapper is invoked by the web server, this option should be set to the same value as --server-uid; use the values that match the account your httpd runs under on your system. After the configure script completes, change to the directory that contains the Apache source code and run make, then make install.
You can run make certificates if you would like to generate an SSL certificate to test your installation; see [Hack 45] if you would like to run your own Certificate Authority. Now test suEXEC with a simple CGI script that runs the id command, which prints the user and groups the script is executed as.
Enter the URL for the script in a browser; the id output shows which user and group the script currently runs as. After you have configured a virtual host for it, enter the URL for the script again; the id output should now show that virtual host's user and group rather than the web server's. However, to do this, you will need to create all of your virtual hosts' directories beneath the web server's document root, because suEXEC refuses to run anything outside it. When doing this, you can configure what user and group the script will execute as by using the User and Group configuration directives within the VirtualHost block (in Apache 2.0 and later the equivalent is the SuexecUserGroup directive).
Since the Apache process runs as a non-root user, it cannot by itself change the UID under which scripts execute; that is why a setuid-root helper such as the suEXEC wrapper is needed.

Author: Andrew Lockhart.

When a request arrives for a CGI program that must run as a particular user, Apache httpd provides the suEXEC wrapper with the program's name and the user and group IDs under which the program is to execute.
The wrapper then employs the following process to determine success or failure. If any one of these conditions fails, the program logs the failure and exits with an error; otherwise it continues.

1. Is the user executing this wrapper a valid user of this system? This is to ensure that the user executing the wrapper is truly a user of the system.
2. Was the wrapper called with the proper number of arguments? The wrapper will only execute if it is given the proper number of arguments. If the wrapper is not receiving the proper number of arguments, it is either being attacked or there is something wrong with the suEXEC portion of your Apache httpd binary.
3. Is this user allowed to run the wrapper? Only one user (the Apache user) is allowed to execute this program.
4. Is the target user ID above the minimum ID number? The minimum user ID number is specified during configuration. This is useful to block out "system" accounts.
5. Is the target group ID above the minimum ID number? The minimum group ID number is specified during configuration. This is useful to block out "system" groups.
6. Can the wrapper successfully become the target user and group? Here is where the program becomes the target user and group via setuid and setgid calls. The group access list is also initialized with all of the groups of which the user is a member.
7. Can we change directory to the one in which the target CGI/SSI program resides? If it doesn't exist, it can't very well contain files. If we can't change directory to it, it might as well not exist.
8. Is the directory within the httpd webspace? If the request is for a regular portion of the server, is the requested directory within suEXEC's document root?
9. Is the directory NOT writable by anyone else? We don't want to open up the directory to others; only the owner may be able to alter this directory's contents.

This is the standard operation of the suEXEC wrapper's security model. For more information on how this security model can limit your possibilities with regard to server configuration, as well as what security risks can be avoided with a proper suEXEC setup, see the "Beware the Jabberwock" section of this document.
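The file-system and identity rules above can be exercised locally before trusting the wrapper's terse log entry to explain a refusal. The following preflight audit is an added example written for this page, not Apache's suexec.c. It re-implements the checks listed above (the uid/gid minimums and the exclusion of root, changing into the program's directory, confinement to the suEXEC document root, and the directory not being writable by anyone else) and goes beyond the excerpt in two places: it also applies the program-level rules of the full suEXEC check list (the program itself not writable by others, not setuid or setgid, and owned by the target user and group), and it includes a function for the installation rule covered further down (the suexec binary must be setuid root and executable only by the group httpd runs as). The minimum IDs (1000), the httpd group id (48), the test script contents and the constructed directory layout, which includes a virtual host whose directory lies outside the document root as in the hierarchy limitation discussed later, are assumptions for the demonstration.

```python
# Preflight audit modelled on the suEXEC wrapper's checks. Added example for
# this page, not Apache's suexec.c; minimum IDs and the httpd gid are assumed.
import os
import stat
import tempfile

UID_MIN = 1000  # --with-suexec-uidmin (assumed value)
GID_MIN = 1000  # --with-suexec-gidmin (assumed value)
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH  # suEXEC's "writable by anyone else"

# Constructed test CGI of the kind used above: it reports the user it runs as.
ID_SCRIPT = "#!/bin/sh\necho 'Content-Type: text/plain'\necho\nid\n"


def id_problems(target_uid, target_gid, uid_min=UID_MIN, gid_min=GID_MIN):
    """Identity checks: never root, never below the configured minimums."""
    problems = []
    if target_uid == 0:
        problems.append("target user is the superuser")
    elif target_uid < uid_min:
        problems.append("target uid %d is below minimum %d" % (target_uid, uid_min))
    if target_gid == 0:
        problems.append("target group is the superuser group")
    elif target_gid < gid_min:
        problems.append("target gid %d is below minimum %d" % (target_gid, gid_min))
    return problems


def path_problems(program, docroot, target_uid, target_gid):
    """Directory and program checks in wrapper order; [] means it would run."""
    directory = os.path.dirname(program)
    if not os.path.isdir(directory):
        return ["cannot chdir to %s" % directory]
    problems = []
    # chdir() follows symlinks, so the docroot test is made on resolved paths
    real_dir, real_root = os.path.realpath(directory), os.path.realpath(docroot)
    if os.path.commonpath([real_root, real_dir]) != real_root:
        problems.append("directory %s is outside docroot %s" % (real_dir, real_root))
    if os.stat(directory).st_mode & OTHERS_WRITE:
        problems.append("directory is writable by others")
    if not os.path.isfile(program):
        problems.append("program does not exist")
        return problems
    st = os.stat(program)
    if st.st_mode & OTHERS_WRITE:
        problems.append("program is writable by others")
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("program is setuid or setgid")
    if (st.st_uid, st.st_gid) != (target_uid, target_gid):
        problems.append("program owner %d:%d is not the target %d:%d"
                        % (st.st_uid, st.st_gid, target_uid, target_gid))
    return problems


def wrapper_problems(mode, owner_uid, owner_gid, httpd_gid):
    """Installation rule for the suexec binary: setuid root, executable only by
    httpd's group (mode 4710), so that a flaw reached before the caller check
    is exposed to httpd alone and not to every local user."""
    problems = []
    if owner_uid != 0:
        problems.append("wrapper is not owned by root")
    if not mode & stat.S_ISUID:
        problems.append("wrapper is not setuid")
    if owner_gid != httpd_gid:
        problems.append("wrapper group is not httpd's group")
    if mode & stat.S_IRWXO:
        problems.append("wrapper is accessible to others")
    if mode & OTHERS_WRITE:
        problems.append("wrapper is writable by group or others")
    return problems


def demo():
    """Constructed layout: one compliant vhost, one with loose permissions and
    one whose directory is outside the suEXEC docroot (all under tmpdirs)."""
    def make_cgi(directory, dir_mode, file_mode):
        os.makedirs(directory)
        os.chmod(directory, dir_mode)  # explicit chmod so umask cannot interfere
        program = os.path.join(directory, "id.cgi")
        with open(program, "w") as f:
            f.write(ID_SCRIPT)
        os.chmod(program, file_mode)
        return program

    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as other:
        good = make_cgi(os.path.join(root, "vhost-a", "cgi-bin"), 0o755, 0o755)
        loose = make_cgi(os.path.join(root, "vhost-b", "cgi-bin"), 0o777, 0o775)
        away = make_cgi(os.path.join(other, "vhost-c", "cgi-bin"), 0o755, 0o755)
        owner = os.stat(good)  # the target identity is the test files' owner
        uid, gid = owner.st_uid, owner.st_gid
        return {
            "good": path_problems(good, root, uid, gid),
            "loose": path_problems(loose, root, uid, gid),
            "outside": path_problems(away, root, uid, gid),
        }


if __name__ == "__main__":
    for name, problems in demo().items():
        print("%-8s %s" % (name, problems or "would run under suEXEC"))
    print("wrapper 4710 root:48", wrapper_problems(0o4710, 0, 48, 48))
```

Running the file prints one line per constructed virtual host; only the compliant one comes back empty, the loose one fails on both the directory and the program, and the one outside the document root fails on confinement alone. The checks are split so that the identity rules can be evaluated from configuration values alone, while the path rules need the real file system.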
If you have enabled the suEXEC feature with the --enable-suexec option the suexec binary together with httpd itself is automatically built if you execute the make command. After all components have been built you can execute the command make install to install them. The binary image suexec is installed in the directory defined by the --sbindir option.
Please note that you need root privileges for the installation step. In order for the wrapper to set the user ID, it must be installed owned by root and must have the setuid bit set in its file mode. Although the suEXEC wrapper will check that its caller is the user specified with the --with-suexec-caller configure option, there is always the possibility that a system or library call suEXEC makes before this check may be exploitable on your system.
To counter this, and because it is best practice in general, you should use filesystem permissions to ensure that only the group httpd runs as may execute suEXEC: the binary should be owned by root, belong to that group, and have mode 4710 (setuid, readable and executable by the owner, executable by the group, nothing for others). If httpd finds a properly configured suEXEC wrapper, it records a notice in the error log at startup stating that the suEXEC mechanism is enabled and naming the wrapper it found.
If you don't see this message at server startup, the server is most likely not finding the wrapper program where it expects it, or the executable is not installed setuid root. If you want to disable suEXEC, remove the suexec file and then stop and restart httpd. For CGI programs in user directories (requests handled by mod_userdir), the only requirement for this feature to work is that CGI execution be enabled for the user and that the script meet the scrutiny of the security checks above.
See also the --with-suexec-userdir compile time option. The suEXEC wrapper will write log information to the file defined with the --with-suexec-logfile option as indicated above. There are a few points of interest regarding the wrapper that can cause limitations on server setup. Please review these before submitting any "bugs" regarding suEXEC. For security and efficiency reasons, all suEXEC requests must remain within either a top-level document root for virtual host requests, or one top-level personal document root for userdir requests.
For example, if you have four VirtualHosts configured, you would need to structure all of your VHosts' document roots off of one main httpd document hierarchy to take advantage of suEXEC for VirtualHosts. Example forthcoming.
suEXEC's PATH environment variable: This can be a dangerous thing to change. Make certain every path you include in this define is a trusted directory.
You don't want to open people up to having someone from across the world run a trojan horse on them.
Altering the suEXEC code: Again, this can cause Big Trouble if you try this without knowing what you are doing. Stay away from it if at all possible.

Copyright The Apache Software Foundation. Licensed under the Apache License, Version 2.

Before we begin: Before jumping head-first into this document, you should be aware that certain assumptions are made about you and the environment in which you will be using suexec.
Still with us?