Enable suexec module to allow users to run CGI scripts etc as themselves.
In debian lenny…
a2enmod suexec
/etc/init.d/apache2 reload
apt-get install apache2-suexec
Virtual hosts and the docroot setting
suexec is normally compiled with its docroot set to /var/www, which means it’ll refuse to run any scripts outside of that path. If you’d like script elsewhere, create a directory in /var/www/ and symlink to it.
E.g. to allow each user to maintain their own vhost config and sites within their home directory, you could have the following setup where vhosts/ contains the vhost config files and sites is a symlink to /var/www/theuser:
bpc:/home/steph# ls -l
...
lrwxrwxrwx 1 root root 16 Jan 20 00:40 sites -> /var/www/steph
drwxr-xr-x 2 steph steph 4096 Jan 20 00:41 vhosts
...
bpc:/home/steph# cat vhosts/example
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com example.com
DocumentRoot /home/steph/sites/example
SuexecUserGroup steph steph
</VirtualHost>
bpc:/home/steph# ls -l /var/www/steph/
...
drwxr-xr-x 10 steph steph 4096 Jan 19 17:45 example
Directory permissions (umask)
The AP_SUEXEC_UMASK directive specifies the default umask, i.e. the default permissions received by a new directory created by Apache running suexec.
By default, suexec using a umask of 077, which creates directories with rwx—— permission.
022 is often better, to create directories with rwxr-xr-x permission.
Change suexec settings
E.g. for changing umask setting, but similar is true of any setting.
On Gentoo…
export SUEXEC_UMASK=022 (or set this in /etc/make.conf)
emerge -av apache
or…
EXTRA_ECONF="--with-suexec-umask=022" emerge -av apache
Determine suexec settings
suexec -V
E.g:
bpc steph # suexec -V
-D AP_DOC_ROOT="/home"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/apache2/suexec_log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_SUEXEC_UMASK=077
-D AP_UID_MIN=1000
-D AP_USERDIR_SUFFIX="public_html"
