Admin Guide for suEXEC Support
TABLE OF CONTENTS
- Enabling suEXEC
- Disabling suEXEC
- Default Configuration Values for suEXEC
- How to use suEXEC?
NOTE: Much of the information in this document has been taken from the
apache.org site: http://httpd.apache.org/docs-2.0/suexec.html
The suEXEC feature provides HP-UX Apache-based Web Server users the ability
to run CGI and SSI programs under user IDs different from the user ID of the
web-server. Normally, when a CGI or SSI program executes, it runs as the same
user who is running the web server.
Used properly, this feature can reduce considerably the security risks
involved with allowing users to develop and run private CGI or SSI programs.
HOWEVER, IF suEXEC IS IMPROPERLY CONFIGURED, IT CAN CAUSE ANY NUMBER OF
PROBLEMS AND POSSIBLY CREATE NEW HOLES IN YOUR COMPUTER'S SECURITY. IF YOU
AREN'T FAMILIAR WITH MANAGING SETUID ROOT PROGRAMS AND THE SECURITY ISSUES
THEY PRESENT, WE DO NOT RECOMMEND YOU TO USE suEXEC.
To enable suEXEC, you must have the following:
- /opt/hpws/apache/bin/suexec be available
HP Apache-based Web Server product ships suexec disabled by default, by
distributing suexec as suexec.hide. To enable, rename suexec.hide to
- Make sure the permissions/ownership of suexec are as follows:
Permission: -rwsr-xr-x (4755)
- You must have mod_suexec loaded in your httpd.conf.
LoadModule suexec_module modules/mod_suexec.so
- Stop Apache followed by start Apache.
Upon startup, Apache looks for the file "suexec" in the /opt/hpws/apache/bin
directory. If it finds a properly configured suEXEC wrapper, it will print
the following message to the error log:
[notice] suEXEC mechanism enabled (wrapper: /opt/hpws/apache/bin/suexec)
- If you don't see this message at server startup, then one or more of
the following conditions exists:
+ The suexec wrapper is not found at /opt/hpws/apache/bin/suexec
+ The suexec wrapper is not installed with setuid root permissions
To disable suEXEC, you must:
- Rename /opt/hpws/apache/bin/suexec as /opt/hpws/apache/bin/suexec.hide
- Stop Apache followed by start Apache.
Default Configuration Values for suEXEC
suexec binary: /opt/hpws/apache/bin/suexec
document root: /opt/hpws/apache/htdocs
userdir suffix: public_html (default)
logfile: /opt/hpws/apache/logs/suexec_log (default)
safe path: /usr/local/bin:/usr/bin:/bin (default)
caller ID: www (default)
minimum user ID: 100 (default)
minimum group ID: 100 (default)
How to use suEXEC?
The most common way of using suEXEC is through the SuexecUserGroup
directive in the main/general section of the httpd.conf. You would use the
SuexecUserGroup directive to define the user and group the cgi's should
execute as. This would mean all cgi scripts:
In certain cases, you may want the ~user to execute the cgi scripts as
themselves. More information on this set-up could be found in "User
directories" section below.
If the SuexecUserGroup directive is not specified, then the server would
behave as if suEXEC has not been enabled.
One way to use the suEXEC wrapper is through the SuexecUserGroup directive
in the <VirtualHost> definitions. By setting this directive to a value
different from the main server's SuexecUserGroup directive, all requests
for the CGI resources will be executed as the user and group defined with
the SuexecUserGroup directive for that <VirtualHost>. If the directive is
not specified for a <VirtualHost> then the main server's SuexecUserGroup is
The suEXEC wrapper can also be used to execute CGI programs as the user to
which the request is being directed. This is accomplished by using the "~"
character prefixing the user ID for whom execution is desired. The only
requirement needed for this feature to work is for CGI execution to be
enabled for the user and that the script must meet the scrutiny of the
security checks above.
suEXEC is based on a setuid "wrapper" program that is called by the main
Apache web server. This wrapper is called when an HTTP request is made for
a CGI or SSI program that the administrator has designated to run as a
userid other than that of the main server (by default, this value is
"www:other" for hp Apache). When such a request is made, Apache provides
the suEXEC wrapper with the program's name and the user and group IDs under
which the program is to execute.
The wrapper then employs the following process to determine success or
failure -- if any one of these conditions fail, the program logs the failure
and exits with an error, otherwise it will continue:
1) Was the wrapper called with the proper number of arguments?
The wrapper will only execute if it is given the proper number of arguments.
The proper argument format is known to the Apache web server. If the wrapper
is not receiving the proper number of arguments, it is either being hacked,
or there is something wrong with the suEXEC portion of your Apache binary.
2) Is the user executing this wrapper a valid user of this system?
This is to ensure that the user executing the wrapper is truly a user of
3) Is this valid user allowed to run the wrapper?
Is this user the user allowed to run this wrapper? Only one user (the
Apache user) is allowed to execute this program.
4) Does the target program have an unsafe hierarchical reference?
Does the target program contain a leading '/' or have a '..' backreference?
These are not allowed; the target program must reside within the Apache
5) Is the target user name valid?
Does the target user exist?
6) Is the target group name valid?
Does the target group exist?
7) Is the target user NOT superuser?
Presently, suEXEC does not allow 'root' to execute CGI/SSI programs.
8) Is the target userid ABOVE the minimum ID number?
The minimum user ID number is specified during configuration. This allows
you to set the lowest possible userid that will be allowed to execute
CGI/SSI programs. This is useful to block out "system" accounts.
9) Is the target group NOT the superuser group?
Presently, suEXEC does not allow the 'root' group to execute CGI/SSI
10) Is the target groupid ABOVE the minimum ID number?
The minimum group ID number is specified during configuration. This allows
you to set the lowest possible groupid that will be allowed to execute
CGI/SSI programs. This is useful to block out "system" groups.
11) Can the wrapper successfully become the target user and group?
Here is where the program becomes the target user and group via setuid
and setgid calls. The group access list is also initialized with all of
the groups of which the user is a member.
12) Does the directory in which the program resides exist?
If it doesn't exist, it can't very well contain files.
13) Is the directory within the Apache webspace?
If the request is for a regular portion of the server, is the requested
directory within the server's document root? If the request is for a
UserDir, is the requested directory within the user's document root?
14) Is the directory NOT writable by anyone else?
We don't want to open up the directory to others; only the owner user may
be able to alter this directories contents.
15) Does the target program exist?
If it doesn't exists, it can't very well be executed.
16) Is the target program NOT writable by anyone else?
We don't want to give anyone other than the owner the ability to change
17) Is the target program NOT setuid or setgid?
We do not want to execute programs that will then change our UID/GID again.
18) Is the target user/group the same as the program's user/group?
Is the user the owner of the file?
19)Can we successfully clean the process environment to ensure safe operations?
suEXEC cleans the process' environment by establishing a safe execution
PATH (defined during configuration), as well as only passing through those
variables whose names are listed in the safe environment list (also
created during configuration).
20) Can we successfully become the target program and execute?
Here is where suEXEC ends and the target program begins.
The information in this document is subject to change without notice.
HEWLETT-PACKARD MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
INFORMATION, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard
shall not be liable for errors contained herein or for direct, indirect,
special, incidental or consequential damages in connection with the
furnishing, performance or use of this material.
RESTRICTED RIGHTS LEGEND
Use, duplication or disclosure by the U.S. Government is subject to
restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in
Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD
agencies. Rights for non-DOD U.S. Government Department and Agencies are
as set forth in FAR 52.227-19 (c)(1,2).
Copyright 2001-2006 Hewlett-Packard Development Company, L.P.
This document contains information which is protected by copyright.
All Rights Reserved. Reproduction, adaptation, or translation without
prior written permission is prohibited, except as allowed under the
UNIX is a registered trademark in the United States and other countries,
licensed exclusively through X/Open Company Limited.
Java and all Java-based trademarks and logos are trademarks or
registered trademarks of Sun Microsystems, Inc. in the U.S. and
This product includes software developed by the Apache Software Foundation.
This documentation is based on information from the Apache Software Foundation
This product includes software developed by the OpenSSL Project for use
in the OpenSSL Toolkit (http://www.openssl.org).
This product includes cryptographic software written by Eric Young