rc3.org

Strong opinions, weakly held

suexec Blows

I couldn’t publish anything yesterday because upgrading Apache (to deal with some security issue) blew up suexec and I couldn’t get it to work again. suexec is an Apache module that you can use to tell the Web server to run its CGI scripts as a user other than the user who owns the Apache process. The idea is that if I own some files on the server but I want to let Apache write to them, rather than using file permissions, I can just configure suexec to run CGI scripts as me, so that then they can write to my files.

Unfortunately, this approach is rife with potential security problems. If suexec were not extremely picky, it would provide a very simple means for people to compromise servers. The bottom line is that for suexec to actually work, about 12 things have to be set up correctly, and about 6 of those things have to be baked into Apache at compile time. I got it to work once, but I wasn’t as lucky the second time.

After wrangling with it off and on for a day, I gave up and just assigned the files in my document root to the www group and then allowed group write access to them. I’m the only user on this server anyway.

1 Comment

  1. I’m a Linux web admin these days but I was an IIS admin for years and this is one of the areas in which I think IIS wins out over Apache. In IIS, you can set virtual servers, particular directories, and even individual files each to run with different user credentials. Setting up security for writable files within a shared hosting environment was totally straightforward, having been baked into the product from the start. Combined with the NTFS ACL filesystem security, you could have an incredible amount of control over how apps were executed and how they were secured.

    Of course, in a lot of other areas Apache wins out. But this is one thing that MS got right from the start.

Leave a Reply

Your email address will not be published.

*

© 2016 rc3.org

Theme by Anders NorenUp ↑