I too have worked with suexec - a little tricky to set up, but once set up it works great. Here's a link from Apache's site:
   http://httpd.apache.org/docs-2.0/suexec.html
What Zaxo says is true - suexec allows your script to run ***as the user who owns the script*** - not as the normal 'apache' (or 'nobody') user. I honestly can't remember what it took (if anything) to get suexec working on my Red Hat Linux 9 system (Apache rpm package httpd-2.0.40-21.5) - I don't think I had to do anything.

I used suexec to run regular user scripts. For example I added system user 'testuser' whose home directory is /home/testuser. I signed on as 'testuser' and created directory /home/testuser/public_html and put 'testpage.cgi' in there. I made these changes in /etc/httpd/conf/httpd.conf:
    #
    # UserDir: The name of the directory that is appended onto a user's home
    # directory if a ~user request is received.
    #
    # The path to the end user account 'public_html' directory must be
    # accessible to the webserver userid. This usually means that ~userid
    # must have permissions of 711, ~userid/public_html must have permissions
    # of 755, and documents contained therein must be world-readable.
    # Otherwise, the client will only receive a "403 Forbidden" message.
    #
    # See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
    #
    <IfModule mod_userdir.c>
        #
        # UserDir is disabled by default since it can confirm the presence
        # of a username on the system (depending on home directory
        # permissions).
        #
        #UserDir disable

        #
        # To enable requests to /~user/ to serve the user's public_html
        # directory, remove the "UserDir disable" line above, and uncomment
        # the following line instead:
        #
        UserDir public_html

---------------------------------
And this:

    #
    # Control access to UserDir directories. The following is an example
    # for a site where these directories are restricted to read-only.
    #
    <Directory /home/testuser/public_html>
        AllowOverride FileInfo AuthConfig Limit
        Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI
        <Limit GET POST OPTIONS PROPFIND>
            Order allow,deny
            Allow from all
        </Limit>
        <LimitExcept GET POST OPTIONS PROPFIND>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>
    </IfModule>

So, after restarting Apache after making those conf changes, you can browse to
http://myserver.com/~testuser/testpage.cgi
and that script will run as system user 'testuser'. The tilde ('~') in '~testuser' is what tips off the system to run that script under suexec. So suexec used in this way makes it possible for 'testuser' to make dynamic web pages available while keeping those pages underneath his/her own public_html. Assuming all your system accounts are under /home, to make that possible for all users on that system, just change

    <Directory /home/testuser/public_html>

to this

    <Directory /home/*/public_html>

suexec in this case was particularly useful because the web application I created needed access to a PostgreSQL database. The administrator created a PostgreSQL user called 'testuser' for me, in addition to the system user 'testuser'. The PostgreSQL authentication was set up such that my scripts needed to run as user 'testuser' in order to have access to the PostgreSQL database that I needed access to. This would not have been possible without suexec.

HTH.

Edit by tye, make URL a link


In reply to Re: Re: OT: Experience with suEXEC? by hmerrill
in thread OT: Experience with suEXEC? by tadman
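
An added example (not part of the original post): a small audit of one user's web directory against the 711/755 permissions quoted in the httpd.conf comments above and the ownership, write-permission and setuid/setgid checks in suexec's documented security model. The function names and the sample layout built in a temporary directory are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_userdir(home, subdir="public_html"):
    """Return (path, problem) findings for one user's web directory."""
    findings = []
    docroot = os.path.join(home, subdir)
    home_st, doc_st = os.stat(home), os.stat(docroot)
    need = stat.S_IROTH | stat.S_IXOTH

    # From the httpd.conf comment: ~user needs 711, ~user/public_html 755.
    if not home_st.st_mode & stat.S_IXOTH:
        findings.append((home, "web server cannot traverse (needs o+x, e.g. 711)"))
    if doc_st.st_mode & need != need:
        findings.append((docroot, "web server cannot read (needs o+rx, e.g. 755)"))
    # suexec refuses to run a program from a directory others can write to.
    if doc_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((docroot, "directory writable by group/other"))

    for name in sorted(os.listdir(docroot)):
        path = os.path.join(docroot, name)
        st = os.lstat(path)  # lstat: do not follow symlinks to other files
        if not (name.endswith(".cgi") and stat.S_ISREG(st.st_mode)):
            continue
        if st.st_uid != home_st.st_uid:
            findings.append((path, "not owned by the account owner"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "script writable by group/other"))
        if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((path, "script is setuid/setgid"))
    return findings

def build_sample(root, home_mode, doc_mode, cgi_mode):
    """Constructed layout mirroring /home/testuser/public_html/testpage.cgi."""
    home = os.path.join(root, "testuser")
    doc = os.path.join(home, "public_html")
    os.makedirs(doc)
    cgi = os.path.join(doc, "testpage.cgi")
    with open(cgi, "w") as fh:
        fh.write('#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\nok\\n";\n')
    os.chmod(cgi, cgi_mode)
    os.chmod(doc, doc_mode)
    os.chmod(home, home_mode)
    return home

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, problem in audit_userdir(build_sample(tmp, 0o700, 0o777, 0o4775)):
            print(f"{path}: {problem}")
```

Run against a real account by passing its home directory, for example `audit_userdir("/home/testuser")`; an empty list means none of these checks failed.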
