Skip to content

Fully configurable suexec program for Apache 2 mod_suexec

License

Notifications You must be signed in to change notification settings

gerasiov/suexec-conf

Repository files navigation

What is suexec-conf?

Well, apache ships tool called suexec which works together with mod_suexec.
They allow CGI scripts to run as a specified user and group. You can find more
information on

http://httpd.apache.org/docs/current/suexec.html

Original suexec do some strict checks on start up to provide some security.
This checks are really good, but unfortunately the only way you can configure
it - recompile from sources.

Another problem of original suexec is that is requires that running script
should be owned by the same user suexec setuids to. But there are situation,
when you want different users be able to run shared script (owned by root for
security), or you may want to setup wrapper for some file's types (e.g.
/usr/bin/php-cgi for .php) which is common for all users. In such cases
original suexec will not work, but suexec-conf will do.

suexec-conf is the configurable version of classical suexec from apache.

For now it allows you to configure everything, you could configure for
classic suexec on compile time. And it also support always_allow option where
you could list scripts/command which should be owned by root, but not the user
suexec setuids to.

How to compile suexec-conf?

You need libconfuse and docbook-to-man (if you want to build manpage). I am too
lazy to use normal build system, so I wrote simple Makefile. Feel free to port
building to CMake and send me a patch.

Is suexec-conf stable/secure?

Well. It is based on original suexec, which should be called stable and secure.
I think I understand all the checks it does. And try to modify the way it stays
secure. But I can't guarantee it, of course. I'll be glad if someone try to
audit my changes.
As of stability, I don't know exactly right now. Lets see how it will work.
Anyway, if you don't really need suexec-conf and it's features, please use
original suexec from apache distribution.

Are there any speed issues with suexec-conf?

suexec-conf should be a little bit slower, than original suexec. At least it
reads and parses config file on start. But I didn't do any performance tests
yet.

About

Fully configurable suexec program for Apache 2 mod_suexec

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages