SuEXEC
Apache suEXEC is a feature of the Apache web server. It allows users to run CGI and SSI applications as a different user; normally, all web server processes run as the default web server user (often wwwrun, Apache or nobody). The suEXEC feature consists of a module for the web server and a binary executable which acts as a wrapper.

If a client requests a CGI script and suEXEC is activated, the server calls the suEXEC binary, which wraps the CGI script and executes it under the user account of the server process (virtual host) defined in the virtual host directive.

Additionally, suEXEC performs a multi-step check on the executed CGI to ensure security for the server (including path checks, a limit of permitted commands, etc.).
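The following added example (not part of the original article and not Apache's code) sketches a simplified subset of the checks listed in Apache's suEXEC security model, so an administrator can see why a given script would be refused. The names `audit_cgi`, `MIN_UID` and the sample file names are assumptions made for illustration.

```python
import os
import stat
import tempfile

MIN_UID = 100  # assumed floor; the real minimum is fixed when suEXEC is built


def audit_cgi(docroot, cmd, uid, gid, min_uid=MIN_UID):
    """Return the checks that would fail for running docroot/cmd as uid:gid."""
    # Path check: the command must be relative, with no ".." back-reference.
    if cmd.startswith("/") or ".." in cmd.split("/"):
        return ["unsafe command path"]
    failed = []
    if uid == 0 or uid < min_uid:
        failed.append("target uid is root or below minimum")
    path = os.path.join(docroot, cmd)
    try:
        d, f = os.lstat(os.path.dirname(path)), os.lstat(path)
    except FileNotFoundError:
        return failed + ["target does not exist"]
    others_write = stat.S_IWGRP | stat.S_IWOTH
    if d.st_mode & others_write:
        failed.append("directory writable by others")
    if f.st_mode & others_write:
        failed.append("target writable by others")
    if f.st_mode & (stat.S_ISUID | stat.S_ISGID):
        failed.append("target is setuid/setgid")
    if (f.st_uid, f.st_gid) != (uid, gid):
        failed.append("target owner differs from requested user/group")
    return failed


def demo():
    """Audit constructed sample scripts in a throwaway public_html directory."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("ok.cgi", 0o700), ("loose.cgi", 0o777)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\necho\n")
            os.chmod(path, mode)
        st = os.lstat(os.path.join(root, "ok.cgi"))
        return {c: audit_cgi(root, c, st.st_uid, st.st_gid)
                for c in ("ok.cgi", "loose.cgi", "../bob/x.cgi", "gone.cgi")}


if __name__ == "__main__":
    for cmd, failed in demo().items():
        print(cmd, "->", failed or "passes")
```

The real wrapper aborts at the first failed check and logs it; this sketch collects every failure so that a single run shows everything that needs fixing.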

Example

User "alice" has a website including some CGI scripts in her own public_html folder, which can be accessed by http://server/~alice.

Bob now views Alice's webpage, which requires Apache to run one of these CGI scripts.

Without suEXEC, all scripts run as "wwwrun", so every script has to be readable and executable by the "wwwrun" group if the file is owned by that group, or by all users otherwise. With suEXEC, the scripts in /home/alice/public_html are wrapped and run with Alice's user ID. This gives higher security and eliminates the need to make the scripts readable and executable for all users or for everyone in the "wwwrun" group: only alice herself needs to be able to run the script.

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.