SuExec notes

Enable suexec module to allow users to run CGI scripts etc as themselves.

In debian lenny…

a2enmod suexec
/etc/init.d/apache2 reload
apt-get install apache2-suexec

Virtual hosts and the docroot setting

suexec is normally compiled with its docroot set to /var/www, which means it’ll refuse to run any scripts outside of that path. If you’d like script elsewhere, create a directory in /var/www/ and symlink to it.

E.g. to allow each user to maintain their own vhost config and sites within their home directory, you could have the following setup where vhosts/ contains the vhost config files and sites is a symlink to /var/www/theuser:

bpc:/home/steph# ls -l
lrwxrwxrwx 1 root  root      16 Jan 20 00:40 sites -> /var/www/steph
drwxr-xr-x 2 steph steph   4096 Jan 20 00:41 vhosts
bpc:/home/steph# cat vhosts/example
<VirtualHost *:80>
	DocumentRoot /home/steph/sites/example
	SuexecUserGroup steph steph
bpc:/home/steph# ls -l /var/www/steph/
drwxr-xr-x 10 steph steph 4096 Jan 19 17:45 example

You can see what the docroot is set to via suexec -V.

Directory permissions (umask)

The AP_SUEXEC_UMASK directive specifies the default umask, i.e. the default permissions received by a new directory created by Apache running suexec.

By default, suexec using a umask of 077, which creates directories with rwx—— permission.

022 is often better, to create directories with rwxr-xr-x permission.

Change suexec settings (on Gentoo)

On Gentoo you can change the suexec settings that are used when apache is compiled.

E.g. for changing umask setting, but similar is true of any setting.

export SUEXEC_UMASK=022 (or set this in /etc/make.conf)
emerge -av apache


EXTRA_ECONF="--with-suexec-umask=022" emerge -av apache

Or you could change the docroot:

export SUEXEC_DOCROOT=/home

Available environment variables are as follows:

You can manipulate several configure options of suexec
through the following environment variables:

 SUEXEC_SAFEPATH: Default PATH for suexec (default: /usr/local/bin:/usr/bin:/bin)
  SUEXEC_LOGFILE: Path to the suexec logfile (default: /var/log/apache2/suexec_log)
   SUEXEC_CALLER: Name of the user Apache is running as (default: apache)
  SUEXEC_DOCROOT: Directory in which suexec will run scripts (default: /var/www)
   SUEXEC_MINUID: Minimum UID, which is allowed to run scripts via suexec (default: 1000)
   SUEXEC_MINGID: Minimum GID, which is allowed to run scripts via suexec (default: 100)
  SUEXEC_USERDIR: User subdirectories (like /home/user/html) (default: public_html)
    SUEXEC_UMASK: Umask for the suexec process (default: 077)

I couldn’t find this information in any documentation other than the .elog that is written to the /var/log/portage/elog directory after apache is installed (in /var/log/portage/elog/www-servers:apache-2.4.4:20130305-004528.log or similar). This is a bit annoying, given that you need the options before compilation. It may be that you can generate the log without installing, but I don’t know how to do this.

Reference: suexec AP_DOC_ROOT Path on gentoo

Determine suexec settings

suexec -V


bpc steph # suexec -V
 -D AP_DOC_ROOT="/home"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/apache2/suexec_log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=1000
 -D AP_USERDIR_SUFFIX="public_html"

Last modified: 19/10/2015 Tags: ,

Related Pages

Other pages possibly of interest:

This website is a personal resource. Nothing here is guaranteed correct or complete, so use at your own risk and try not to delete the Internet. -Stephan

Site Info

Privacy policy

Go to top