Recipe 8.12 Running CGI Scripts as a Different User with suexec

Problem

You want to have CGI programs executed by some user other than nobody. For example, you may have a database that is not accessible to anyone except a particular user, so the server needs to temporarily assume that user's identity to access it.

Solution

When building Apache, enable suexec by passing the —enable-suexec argument to configure.

Then, in a virtual host section, specify which user and group you'd like to use to run CGI programs:

User rbowen
Group users

Also, suexec will be invoked for any CGI programs run out of username-type URLs for the affected virtual host.

Discussion

The suexec wrapper is a suid (runs as the user ID of the user that owns the file) program that allows you to run CGI programs as any user you specify, rather than as the nobody user which Apache runs as. suexec is a standard part of Apache and is enabled by default.

The suexec concept does not fit well into the Windows environment, and so suexec is not available under Windows.

When suexec is installed, there are two different ways that it can be invoked, as shown in the Solution.

A User and Group directive may be specified in a VirtualHost container, and all CGI programs executed within the context of that virtual host are executed as that user and group. Note that this only applies to CGI programs. Documents are still accessed as the user and group specified in the User and Group directives in the main server configuration, not those in the virtual host, and need to be readable by that user and group.

Second, any CGI program run out of a UserDir directory is run with the permissions of the owner of that directory. That is, if a CGI program is accessed via the URL http://example.com/~rbowen/cgi-bin/test.cgi, then that program will be executed, via suexec, with a userid of rbowen, and a groupid of rbowen's primary group.

If UserDir points to a nonstandard location, you must tell suexec about this when you build it. In a default configuration, suexec is invoked when CGI programs are invoked in a directory such as /home/username/public_html/ for some username. If, however, you move the UserDir directory somewhere else, such as, for example, /home/username/www/, then you could configure suexec to be invoked in that directory instead, using the following argument when you build Apache 1.3: --suexec-userdir=www And, for Apache 2.0, you would specify the following: --with-suexec-userdir=www

Running CGI programs via suexec eliminates some of the security concerns surrounding CGI programs. By default, CGI programs run with the permissions of the user and group specified in the User and Group directives, meaning that they have rather limited ability to do any damage. However, it also means that CGI programs on one part of your web server run with all the same permissions as those on another part of your server, and any files that are created or modified by one will be modifiable by another.

By running a CGI program under suexec, you allow each user to exercise a little more control over her own file permissions, and in the event that a malicious CGI program is written, it can only damage the files owned by the user in question, rather than having free rein over the entire web server.

In Apache 2.0, the perchild MPM may largely do away with the need for suexec, but, as of this writing, perchild does not work correctly.

PHP scripts that are run as CGI programs, rather than under the mod_php handler, may be run as suexec processes in the same way as any other CGI program.

See Also

• User directive at http://httpd.apache.org/docs/mod/core.html#user or http://httpd.apache.org/docs-2.0/mod/core.html#user

• Group directive at http://httpd.apache.org/docs/mod/core.html#group or http://httpd.apache.org/docs-2.0/mod/mpm_common.html#group

• The suexec documentation at http://httpd.apache.org/docs/programs/suexec.html or http://httpd.apache.org/docs-2.0/programs/suexec.html