lars 98/11/12 12:13:08
Added: htdocs/manual suexec_1_2.html Log: Move 'how to hack suexec.h' text to a new file... Revision Changes Path 1.1 apache-1.3/htdocs/manual/suexec_1_2.html Index: suexec_1_2.html =================================================================== <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> <TITLE>Apache suEXEC Support</TITLE> </HEAD> <!-- Background white, links blue (unvisited), navy (visited), red (active) --> <BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#000080" ALINK="#FF0000" > <!--#include virtual="header.html" --> <H3><A NAME="install">Configuring & Installing suEXEC</A></H3> <P ALIGN="LEFT"> This section describes the configuration and installation of the suEXEC feature with the "<CODE>src/Configure</CODE>" script. <BR> (If you use Apache 1.3 you may want to use the Apache AutoConf-style interface (APACI) which is described in the <A HREF="suexec.html">main suEXEC document</A>). </P> <P ALIGN="LEFT"> <STRONG>EDITING THE SUEXEC HEADER FILE</STRONG><BR> - From the top-level of the Apache source tree, type: <STRONG><CODE>cd support [ENTER]</CODE></STRONG> </P> <P ALIGN="LEFT"> Edit the <CODE>suexec.h</CODE> file and change the following macros to match your local Apache installation. </P> <P ALIGN="LEFT"> <EM>From support/suexec.h</EM> <PRE> /* * HTTPD_USER -- Define as the username under which Apache normally * runs. This is the only user allowed to execute * this program. */ #define HTTPD_USER "www" /* * UID_MIN -- Define this as the lowest UID allowed to be a target user * for suEXEC. For most systems, 500 or 100 is common. */ #define UID_MIN 100 /* * GID_MIN -- Define this as the lowest GID allowed to be a target group * for suEXEC. For most systems, 100 is common. */ #define GID_MIN 100 /* * USERDIR_SUFFIX -- Define to be the subdirectory under users' * home directories where suEXEC access should * be allowed. All executables under this directory * will be executable by suEXEC as the user so * they should be "safe" programs. If you are * using a "simple" UserDir directive (ie. one * without a "*" in it) this should be set to * the same value. suEXEC will not work properly * in cases where the UserDir directive points to * a location that is not the same as the user's * home directory as referenced in the passwd file. * * If you have VirtualHosts with a different * UserDir for each, you will need to define them to * all reside in one parent directory; then name that * parent directory here. IF THIS IS NOT DEFINED * PROPERLY, ~USERDIR CGI REQUESTS WILL NOT WORK! * See the suEXEC documentation for more detailed * information. */ #define USERDIR_SUFFIX "public_html" /* * LOG_EXEC -- Define this as a filename if you want all suEXEC * transactions and errors logged for auditing and * debugging purposes. */ #define LOG_EXEC "/usr/local/apache/logs/cgi.log" /* Need me? */ /* * DOC_ROOT -- Define as the DocumentRoot set for Apache. This * will be the only hierarchy (aside from UserDirs) * that can be used for suEXEC behavior. */ #define DOC_ROOT "/usr/local/apache/htdocs" /* * SAFE_PATH -- Define a safe PATH environment to pass to CGI executables. * */ #define SAFE_PATH "/usr/local/bin:/usr/bin:/bin" </PRE> </P> <P ALIGN="LEFT"> <STRONG>COMPILING THE SUEXEC WRAPPER</STRONG><BR> You now need to compile the suEXEC wrapper. At the shell command prompt, after compiling Apache, type: <STRONG><CODE>make suexec[ENTER]</CODE></STRONG>. This should create the <STRONG><EM>suexec</EM></STRONG> wrapper executable. </P> <P ALIGN="LEFT"> <STRONG>COMPILING APACHE FOR USE WITH SUEXEC</STRONG><BR> By default, Apache is compiled to look for the suEXEC wrapper in the following location. </P> <P ALIGN="LEFT"> <EM>From src/include/httpd.h</EM> <PRE> /* The path to the suExec wrapper, can be overridden in Configuration */ #ifndef SUEXEC_BIN #define SUEXEC_BIN HTTPD_ROOT "/sbin/suexec" #endif </PRE> </P> <P ALIGN="LEFT"> If your installation requires location of the wrapper program in a different directory, either add <CODE>-DSUEXEC_BIN=\"<EM></your/path/to/suexec></EM>\"</CODE> to your CFLAGS (or edit src/include/httpd.h) and recompile your Apache server. See <A HREF="install.html">Compiling and Installing Apache</A> (and the <SAMP>INSTALL</SAMP> file in the source distribution) for more info on this process. </P> <P ALIGN="LEFT"> <STRONG>COPYING THE SUEXEC BINARY TO ITS PROPER LOCATION</STRONG><BR> Copy the <STRONG><EM>suexec</EM></STRONG> executable created in the exercise above to the defined location for <STRONG>SUEXEC_BIN</STRONG>. </P> <P ALIGN="LEFT"> <STRONG><CODE>cp suexec /usr/local/apache/sbin/suexec [ENTER]</CODE></STRONG> </P> <P ALIGN="LEFT"> In order for the wrapper to set the user ID, it must be installed as owner <STRONG><EM>root</EM></STRONG> and must have the setuserid execution bit set for file modes. If you are not running a <STRONG><EM>root</EM></STRONG> user shell, do so now and execute the following commands. </P> <P ALIGN="LEFT"> <STRONG><CODE>chown root /usr/local/apache/sbin/suexec [ENTER]</CODE></STRONG> <BR> <STRONG><CODE>chmod 4711 /usr/local/apache/sbin/suexec [ENTER]</CODE></STRONG> </P> <H3><A NAME="enable">Enabling & Disabling suEXEC</A></H3> <P ALIGN="LEFT"> After properly installing the <STRONG>suexec</STRONG> wrapper executable, you must kill and restart the Apache server. A simple <STRONG><CODE>kill -1 `cat httpd.pid`</CODE></STRONG> will not be enough. Upon startup of the web-server, if Apache finds a properly configured <STRONG>suexec</STRONG> wrapper, it will print the following message to the console (Apache 1.2): <PRE> Configuring Apache for use with suexec wrapper. </PRE> If you use Apache 1.3 the following message is printed to the error log: <PRE> [notice] suEXEC mechanism enabled (wrapper: <I>/path/to/suexec</I>) </PRE> </P> <P ALIGN="LEFT"> If you don't see this message at server startup, the server is most likely not finding the wrapper program where it expects it, or the executable is not installed <STRONG><EM>setuid root</EM></STRONG>. Check your installation and try again. </P> <P ALIGN="CENTER"> <STRONG><A HREF="suexec.html">BACK TO MAIN PAGE</A></STRONG> </P> <!--#include virtual="footer.html" --> </BODY> </HTML>