I too have worked with suexec - a little tricky to setup, but once setup works great. Here's a link from Apache's site
http://httpd.apache.org/docs-2.0/suexec.html
What Zaxo says is true - suexec allows your script to run ***as the user who owns the script*** - not as the normal 'apache' (or 'nobody') user. I honestly can't remember what it took (if anything) to get suexec working on my Red Hat Linux 9 system (Apache rpm package httpd-2.0.40-21.5) - I don't think I had to do anything.
I used suexec to run regular user scripts. For example I added system user 'testuser' whose home directory is /home/testuser. I signed on as 'testuser' and created directory /home/testuser/public_html and put 'testpage.cgi' in there. I made these changes in /etc/httpd/conf/httpd.conf:
#
# UserDir: The name of the directory that is appended onto a user's ho
+me
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissi
+ons
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
#UserDir disable
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncommen
+t
# the following line instead:
#
UserDir public_html
---------------------------------
And this:
#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory /home/testuser/public_html>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI
<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS PROPFIND>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
</IfModule>
So, after restarting Apache after making those conf changes, you can browse to
http://myserver.com/~testuser/testpage.cgi
and that script will run as system user 'testuser'. The tilda('~') in '~testuser' is what tips off the system to run that script under suexec. So suexec used in this way makes it possible for 'testuser' to make dynamic web pages available while keeping those pages underneath his/her own public_html. Assuming all your system accounts are under /home, to make that possible for all users on that system, just change
<Directory /home/testuser/public_html>
to this
<Directory /home/*/public_html>
suexec in this case was particularly useful because the web application I created needed access to a PostgreSQL database. The administrator created a postgreSQL user called 'testuser' for me, in addition to the system user 'testuser'. The PostgreSQL authentication was setup such that my scripts needed to run as user 'testuser' in order to have access to the PostgreSQL database that I needed access to. This would not have been possible without suexec.
HTH.
Edit by tye, make URL a link |