Beefy Boxes and Bandwidth Generously Provided by pair Networks
Do you know where your variables are?
 
PerlMonks  

OT: Experience with suEXEC?

by tadman (Prior)
on Dec 01, 2003 at 19:52 UTC ( [id://311388]=perlquestion: print w/replies, xml ) Need Help??

tadman has asked for the wisdom of the Perl Monks concerning the following question:

In a typical shared server environment, one person's CGI script is pretty much free to access any files that the Apache process has access to. Of course, this is pretty much everything Web-wise, including password files for other sites hosted on the same system.

I'm investigating ways of limiting this access, but so far the only reliable method I've found is the Apache suEXEC feature. It seems well thought out and rather reliable, but examples are limited.

Any suggestions or pointers?

20031201 Edit by BazB: Changed title from 'Experience with suEXEC?'

Replies are listed 'Best First'.
Re: OT: Experience with suEXEC?
by Zaxo (Archbishop) on Dec 01, 2003 at 21:07 UTC

    I have used suEXEC enough that I really miss it when I don't have it. For background, suEXEC runs cgi scripts as their owner, not as the "httpd" or "www" user or as "nobody".

    The greatest benefit is that unix file system security is fully available. A file containing sensitive data can be given 600 mode and the cgi can read it without making it available to the world. Writing to anyplace you own is simplified, and public access is denied.

    Since the cgi programs run as you, you need to be especially cautious about what your programs accept and do. Taint mode is recommended.

    I think you'll find suEXEC a joy to work with.

    After Compline,
    Zaxo

[reply]
      I too have worked with suexec - a little tricky to setup, but once setup works great. Here's a link from Apache's site 
         http://httpd.apache.org/docs-2.0/suexec.html
      What Zaxo says is true - suexec allows your script to run ***as the user who owns the script*** - not as the normal 'apache' (or 'nobody') user. I honestly can't remember what it took (if anything) to get suexec working on my Red Hat Linux 9 system (Apache rpm package httpd-2.0.40-21.5) - I don't think I had to do anything.

      I used suexec to run regular user scripts. For example I added system user 'testuser' whose home directory is /home/testuser. I signed on as 'testuser' and created directory /home/testuser/public_html and put 'testpage.cgi' in there. I made these changes in /etc/httpd/conf/httpd.conf: 
      #
# UserDir: The name of the directory that is appended onto a user's ho
+me
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid.  This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissi
+ons
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
<IfModule mod_userdir.c>
    #
    # UserDir is disabled by default since it can confirm the presence
    # of a username on the system (depending on home directory
    # permissions).
    #
    #UserDir disable

    #
    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disable" line above, and uncommen
+t
    # the following line instead:
    #
    UserDir public_html

---------------------------------

And this:

#
# Control access to UserDir directories.  The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory /home/testuser/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS PROPFIND>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

</IfModule>

      [download]
      So, after restarting Apache after making those conf changes, you can browse to 
         http://myserver.com/~testuser/testpage.cgi

      [download]
      and that script will run as system user 'testuser'. The tilda('~') in '~testuser' is what tips off the system to run that script under suexec. So suexec used in this way makes it possible for 'testuser' to make dynamic web pages available while keeping those pages underneath his/her own public_html. Assuming all your system accounts are under /home, to make that possible for all users on that system, just change 
            <Directory /home/testuser/public_html>

   to this

      <Directory /home/*/public_html>

      [download]
      suexec in this case was particularly useful because the web application I created needed access to a PostgreSQL database. The administrator created a postgreSQL user called 'testuser' for me, in addition to the system user 'testuser'. The PostgreSQL authentication was setup such that my scripts needed to run as user 'testuser' in order to have access to the PostgreSQL database that I needed access to. This would not have been possible without suexec.

      HTH.

      Edit by tye, make URL a link

[reply]
[d/l]
[select]

Back to Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: perlquestion [id://311388]
Approved by Itatsumaki
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others surveying the Monastery: (3)
As of 2024-04-19 21:41 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found