I initially opened a bug for this downstream (See Fedora #523903[1]), but the Fedora mod_fcgid maintainer Paul suggested I open up the discussion here.
I was recently working on configuring some of my servers to use the worker MPM instead of prefork to be able to handle more concurrent connections without additional memory. Some of these servers use PHP, and it's well known that PHP is not very thread-safe so I started using mod_fcgid to handle PHP scripts. This worked great until I started testing PHP scripts in UserDirs, when suEXEC would then prevent the scripts from running since my FCGIWrapper is set to /usr/bin/php-cgi and that script isn't in the UserDir or owned by the user. After additional reading on suEXEC, I renamed the suexec binary to disable suEXEC, but this has the drawback that if the httpd package is updated, the binary will come back, too and re-enable suEXEC on the next httpd restart. I did some searching and found this post on the old mod_cgid lists where a user had the same problem and suggested (along with a patch) adding a configuration flag for mod_fcgid to disable suEXEC [2]. While a configuration flag like that would indeed fix my issue, I'm not convinced it's the right approach to this issue. Other possible solutions I had thought of: * Since Fedora (looks like RHEL does, too) compiles in suEXEC support and the recommended way to disable suEXEC support is to change the perms or delete the suexec binary, make suEXEC support a configuration/startup value and edit the startup scripts to do finagle the suexec binary before starting up Apache. * Introduce a global "SuExecDisable" setting that will disable SuExec in that configuration context. * Go with a mod_fcgid specific SuExec disable setting as mentioned earlier. Thoughts? -Dave [1] https://bugzilla.redhat.com/show_bug.cgi?id=523903 [2] http://www.mail-archive.com/mod-fcgid-us...@lists.sourceforge.net/msg00154.html