SUSE Support

cgi scripts executed as wwrun - suexec

This document (7009339) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 1
SUSE Linux Enterprise Server 11 Service Pack 2

Situation

If users or administrators of Apache need to run CGI and SSI programs under a user ID different from the user ID of the calling web server, they can use suEXEC. The suEXEC module lets you run CGI scripts under a different user and group.

The suexec man page describes the program as follows:

"suexec is used by the Apache HTTP Server to switch to another user before executing CGI programs. In order to achieve this, it must run as root. Since the HTTP daemon normally doesn't run as root, the suexec executable needs the setuid bit set and must be owned by root. It should never be writable for any other person than root."

suEXEC is a setuid wrapper called by the Apache server. Every time the binary is executed, it runs with root privileges. For that to happen, the setuid bit must be set on the binary.

On SUSE Linux Enterprise Server 10 the setuid bit of /usr/sbin/suexec2 was set by default:
-rwsr-xr-x 1 root root 15984 2011-08-31 16:26 /usr/sbin/suexec2

On SUSE Linux Enterprise Server 11 the setuid bit is no longer set:
-rwxr-xr-x 1 root root 14944 2011-08-31 16:39 /usr/sbin/suexec2

Resolution

The setuid bit can be enabled locally via /etc/permissions.local. This file is used for local additions: file permissions set there override the file permissions shipped with the OS.

Before making those changes, read the Apache suEXEC documentation.
The Apache manual, including the suEXEC documentation, is available either online at apache.org/docs/2.2/suexec.html or, after installing the apache2-doc package, at http://localhost/manual/.

That document states that before beginning to use suEXEC you need to be "... familiar with some basic concepts of your computer's security and its administration. This involves an understanding of setuid/setgid operations and the various effects they may have on your system and its level of security."
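
The following is an added example, not part of the SUSE document: a shell check that the wrapper meets the three conditions quoted from the man page (owned by root, setuid bit set, not writable by anyone other than root) once the local permissions change has been applied. The function names are this example's own, and the permissions.local line in the comment is a constructed illustration of that file's entry format.

```shell
#!/bin/sh
# Audit the suexec wrapper against the requirements quoted from its man page.
# Entries in /etc/permissions.local take the form "<path> <owner>:<group> <mode>",
# e.g. (constructed, not from the original document):
#   /usr/sbin/suexec2 root:root 4755

# classify_suexec MODE OWNER
# MODE is an octal mode string as printed by `stat -c %a` (e.g. 4755 or 755).
# Prints one verdict; returns 0 only when every requirement holds.
classify_suexec() {
    mode=$1
    owner=$2
    case $mode in
        ''|*[!0-7]*) echo "invalid-mode"; return 2 ;;
    esac
    if [ "$owner" != "root" ]; then
        echo "not-owned-by-root"; return 1
    fi
    # 022 = write bits for group and other: nobody but root may write the file
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "writable-by-non-root"; return 1
    fi
    # 04000 = setuid bit; without it the wrapper cannot switch users
    if [ $(( 0$mode & 04000 )) -eq 0 ]; then
        echo "setuid-missing"; return 1
    fi
    echo "ok"
}

# audit_suexec [PATH]  (defaults to the path used in this document)
audit_suexec() {
    path=${1:-/usr/sbin/suexec2}
    [ -e "$path" ] || { echo "missing"; return 2; }
    classify_suexec "$(stat -c %a "$path")" "$(stat -c %U "$path")"
}

# When called with a path argument, audit that file and exit with its status.
[ $# -eq 0 ] || audit_suexec "$1"
```

Mode 4755 owned by root corresponds to the `-rwsr-xr-x` listing shown for SUSE Linux Enterprise Server 10 and reports `ok`; mode 755 corresponds to the SUSE Linux Enterprise Server 11 listing and reports `setuid-missing`.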

Additional Information


Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7009339
  • Creation Date: 12-Sep-2011
  • Modified Date: 03-Mar-2020
  • SUSE Linux Enterprise Server
