MAC OS X, Linux, Windows and other IT Tips and Tricks

18 Aug 15 Customizing apache2-suexec-custom

In many Linux distributions, the Apache2 suexec module comes in at least two flavors:
– apache2-suexec-pristine: Apache HTTP Server standard suexec program for mod_suexec
– apache2-suexec-custom: Apache HTTP Server configurable suexec program for mod_suexec

Many times when I’ve been trying to use the standard mod_suexec with mod_fcgi (useful for WordPress installations), the mod_suexec complains that the binary I’m trying to execute is outside the allowed path of mod_suexec. Obviously the mod_suexec has been compiled with a specific allowed path where I can execute commands, which happens to NOT be the one I’m using. Therefore I reverted to installing the package apache2-suexec-custom instead. This module is configurable as far as the allowed path where I can run programs.
This configuration file is found in /etc/apache2/suexec/www-data.
Its initial content in Ubuntu 14.04 is as follows:
# The first two lines contain the suexec document root and the suexec userdir
# suffix. If one of them is disabled by prepending a # character, suexec will
# refuse the corresponding type of request.
# This config file is only used by the apache2-suexec-custom package. See the
# suexec man page included in the package for more details.

Here is what part of the man page says about it. The rest is self-explanatory.

If suexec is called by a user with name ‘username’, it will look into /etc/apache2/suexec/username for configuration. If the file does not exist, suexec will abort. By creating several config files, you can allow several different apache run users to use suexec.

The first line in the file is used as the document root (/var/www in the standard suexec) and the second line in the file is used as the suffix that is appended to users’ home directories (public_html in standard suexec).

If any of the lines is commented out (with #), suexec will refuse the corresponding type of request. It is recommended to comment out the userdir suffix if you don’t need it.

suexec requires the CGI script to be under the server’s DocumentRoot (not the VirtualHost DocumentRoot). It is permitted, however, for the VirtualHost DocumentRoot to be a symlink to a directory that appears under the real DocumentRoot.
– The wrapper script should have permissions 750 (chmod 750).

Tips for using suexec
– Suexec requires that user CGI scripts not be writable by others, e.g., be 755.
– Suexec requires that the directory containing a CGI script not be writable by others, e.g., be 755 and not 775.
– If suexec fails to execute a user’s script, /var/log/httpd/error_log will only indicate “Premature end of script headers”; however, /var/log/httpd/suexec_log will indicate the actual problem, e.g., “error: directory is writable by others”
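
A pre-flight check for the rules above, as an added example (not code from the original post or from the apache2-suexec-custom package): it parses the two positional lines of /etc/apache2/suexec/<user> and lists why suexec would refuse a script. Treating an empty or missing line as disabled and testing containment with realpath are assumptions of this sketch; the real suexec performs further checks (ownership, minimum uid/gid) that are not covered here.

```python
import os
import stat

def parse_suexec_config(text):
    """Return (docroot, userdir_suffix); None means that request type is refused.

    The settings are positional: only line 1 and line 2 are read, so a comment
    inserted at the top of the file disables the docroot and shifts the rest.
    """
    lines = text.splitlines()[:2]
    lines += ["#"] * (2 - len(lines))   # assumption: a missing line counts as disabled
    values = []
    for line in lines:
        line = line.strip()
        values.append(None if not line or line.startswith("#") else line)
    return tuple(values)

def _loose(path):
    """True if group or others may write (775 fails; 755 and 750 pass)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def check_script(script, docroot):
    """List the reasons suexec would refuse `script`; an empty list means it passes."""
    if docroot is None:
        return ["docroot line is commented out: docroot requests are refused"]
    problems = []
    # Resolve symlinks first, so a VirtualHost DocumentRoot that is a symlink
    # into the real docroot is accepted, as the man page excerpt describes.
    real = os.path.realpath(script)
    root = os.path.realpath(docroot)
    if os.path.commonpath([real, root]) != root:
        problems.append(f"{real} is outside suexec docroot {root}")
    if _loose(real):
        problems.append("script is writable by group or others")
    if _loose(os.path.dirname(real)):
        problems.append("directory is writable by group or others")
    return problems

if __name__ == "__main__":
    import sys
    user, script = sys.argv[1], sys.argv[2]   # e.g. www-data /var/www/cgi-bin/wrapper
    with open(f"/etc/apache2/suexec/{user}") as fh:
        docroot, _suffix = parse_suexec_config(fh.read())
    for problem in check_script(script, docroot) or ["no problems found"]:
        print(problem)
```

Run it with the Apache run user and the script path as arguments, then compare its output with the message in suexec_log.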
