cgi scripts executed as wwrun - suexec
This document (7009339) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 11 Service Pack 1
SUSE Linux Enterprise Server 11 Service Pack 2
SUSE Linux Enterprise Server 11 Service Pack 2
Situation
If users or administrators of Apache need the ability to run CGI and SSI
programs under user IDs different than the user ID of the calling
web server, they can use suEXEC. The module suEXEC lets you run CGI scripts under a different user and group.
"suexec is used by the Apache HTTP Server to
switch to another user before executing CGI programs. In order to
achieve this, it must run as root. Since the HTTP daemon
normally doesn't run as root, the suexec executable needs the
setuid bit set and must be owned by root. It should never be
writable for any other person than root."
suEXEC is a setuid wrapper called by the Apache server. Every time the binary is executed it runs with root privileges. For that to happen the setuid bit needs to be set.
On SUSE Linux Enterprise Server 10 the setuid bit of
/usr/sbin/suexec2 was set by default:
-rwsr-xr-x 1 root root 15984 2011-08-31 16:26
/usr/sbin/suexec2
On SUSE Linux Enterprise Server 11 the setuid bit is no
longer set:
-rwxr-xr-x 1 root root 14944 2011-08-31 16:39
/usr/sbin/suexec2
Resolution
The setuid bit can be enabled locally via /etc/permissions.local.
The file is used for local additions, new file permissions can be set and override
the file permissions as shipped with the OS.
Before those changes are made, the apache suEXEC documentation
should be read first.
The Apache manual, including the suEXEC documentation is either available on-line at apache.org/docs/2.2/suexec.html or after installing the apache2-doc at http://localhost/manual/.
In the document it is mentioned, before beginning to use suEXEC you need to be "... familiar with some basic concepts of your computer's security and its administration. This involves an understanding of setuid/setgid operations and the various effects they may have on your system and its level of security."
The Apache manual, including the suEXEC documentation is either available on-line at apache.org/docs/2.2/suexec.html or after installing the apache2-doc at http://localhost/manual/.
In the document it is mentioned, before beginning to use suEXEC you need to be "... familiar with some basic concepts of your computer's security and its administration. This involves an understanding of setuid/setgid operations and the various effects they may have on your system and its level of security."
Additional Information
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7009339
- Creation Date: 12-Sep-2011
- Modified Date:03-Mar-2020
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
