-
Notifications
You must be signed in to change notification settings - Fork 3
Fully configurable suexec program for Apache 2 mod_suexec
License
gerasiov/suexec-conf
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
What is suexec-conf? Well, apache ships tool called suexec which works together with mod_suexec. They allow CGI scripts to run as a specified user and group. You can find more information on http://httpd.apache.org/docs/current/suexec.html Original suexec do some strict checks on start up to provide some security. This checks are really good, but unfortunately the only way you can configure it - recompile from sources. Another problem of original suexec is that is requires that running script should be owned by the same user suexec setuids to. But there are situation, when you want different users be able to run shared script (owned by root for security), or you may want to setup wrapper for some file's types (e.g. /usr/bin/php-cgi for .php) which is common for all users. In such cases original suexec will not work, but suexec-conf will do. suexec-conf is the configurable version of classical suexec from apache. For now it allows you to configure everything, you could configure for classic suexec on compile time. And it also support always_allow option where you could list scripts/command which should be owned by root, but not the user suexec setuids to. How to compile suexec-conf? You need libconfuse and docbook-to-man (if you want to build manpage). I am too lazy to use normal build system, so I wrote simple Makefile. Feel free to port building to CMake and send me a patch. Is suexec-conf stable/secure? Well. It is based on original suexec, which should be called stable and secure. I think I understand all the checks it does. And try to modify the way it stays secure. But I can't guarantee it, of course. I'll be glad if someone try to audit my changes. As of stability, I don't know exactly right now. Lets see how it will work. Anyway, if you don't really need suexec-conf and it's features, please use original suexec from apache distribution. Are there any speed issues with suexec-conf? suexec-conf should be a little bit slower, than original suexec. At least it reads and parses config file on start. But I didn't do any performance tests yet.
About
Fully configurable suexec program for Apache 2 mod_suexec
Resources
License
Stars
Watchers
Forks
Packages 0
No packages published