lars98/11/12 12:10:52
Modified:htdocs/manual suexec.html
Log:
Finalize my suEXEC/APACI patch...
This is a temporary version. I'll update the paths later based
on what we decide regarding the APACI default paths.
(Any native english speaker is welcome to proofread the text. :-))
Revision ChangesPath
1.22 +133 -161 apache-1.3/htdocs/manual/suexec.html
Index: suexec.html
===
RCS file: /export/home/cvs/apache-1.3/htdocs/manual/suexec.html,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- suexec.html 1998/09/17 14:52:01 1.21
+++ suexec.html 1998/11/12 20:10:52 1.22
@@ -23,6 +23,7 @@
suEXEC Security Model.
Configuring & Installing suEXEC
Enabling & Disabling suEXEC
+Using suEXEC
Debugging suEXEC
Beware the Jabberwock: Warnings &
Examples
@@ -281,7 +282,7 @@
For more information as to how this security model can limit your
possibilities
in regards to server configuration, as well as what security risks can be
avoided with a proper suEXEC setup, see the
-"Beware the Jabberwock"
+"Beware the Jabberwock"
section of this document.
@@ -291,188 +292,159 @@
Configuring & Installing suEXEC
-Here's where we begin the fun. The configuration and installation of suEXEC
is
-a four step process: edit the suEXEC header file, compile suEXEC, place the
-suEXEC binary in its proper location, and configure Apache for use with
suEXEC.
-
-
-
-EDITING THE SUEXEC HEADER FILE
-- From the top-level of the Apache source tree, type:
-cd support [ENTER]
-
-
-
-Edit the suexec.h file and change the following macros to
-match your local Apache installation.
-
-
-
-From support/suexec.h
+Here's where we begin the fun. If you use Apache 1.2 or prefer to configure
+Apache 1.3 with the "src/Configure" script you have to edit
+the suEXEC header file and install the binary in its proper location
+manually. This procedure is described in an
+extra document.
+The following sections describe the configuration and installation
+for Apache 1.3 with the AutoConf-style interface (APACI).
+
+
+
+APACI's suEXEC configuration options
+
+--enable-suexec
+This option enables the suEXEC feature which is never installed or
+activated by default. At least one --suexec-x option has to be
+provided together with the --enable-suexec option to let APACI
+accept your request for using the suEXEC feature.
+--suexec-caller=UID
+The username under which
+Apache normally runs.
+This is the only user allowed to execute this program.
+--suexec-docroot=DIR
+Define as the DocumentRoot set for Apache.
+This will be the only hierarchy (aside from UserDirs)
+that can be used for suEXEC behavior.
+The default directory is the --datadir value with
+the suffix "/htdocs", e.g. if you configure with
+"--datadir=/home/apache" the directory
+"/home/apache/htdocs" is used as document root for
+the suEXEC wrapper.
+--suexec-logfile=FILE
+This defines the filename to which all suEXEC transactions and
+errors are logged (useful for auditing and debugging purposes).
+By default the logfile is named "suexec_log" and located in your
+standard logfile directory (--logfiledir).
+--suexec-userdir=DIR
+Define to be the subdirectory under users'
+home directories where suEXEC access should
+be allowed. All executables under this directory
+will be executable by suEXEC as the user so
+they should be "safe" programs. If you are
+using a "simple" UserDir directive (ie. one
+without a "*" in it) this should be set to
+the same value. suEXEC will not work properly
+in cases where the UserDir directive points to
+a location that is not the same as the user's
+home directory as referenced in the passwd file.
+Default value is "public_html".
+
+If you have virtual hosts with a different
+UserDir for each, you will need to define them to
+all reside in one parent directory; then name that
+parent directory here. If this is not defined
+properly, "~userdir" cgi requests will not work!
+--suexec-uidmin=UID
+Define this as the lowest UID allowed to be a target user
+for suEXEC. For most systems, 500 or 100 is common.
+Default value is 100.
+--suexec-gidmin=GID
+Define this as the lowest GID allowed to be a target group
+for suEXEC. For most systems, 100 is common and therefore
+used as default value.
+--suexec-safepath=PATH
+Define a safe PATH environment to pass to CGI executables.
+Default value is "/usr/local/bin:/usr/bin:/bin".
+
+
+
+
+Checking your suEXEC setup
+Before you c