You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ni...@apache.org on 2008/09/24 01:09:50 UTC
svn commit: r698397 - /httpd/httpd/branches/2.0.x/docs/manual/suexec.xml
Author: nilgun
Date: Tue Sep 23 16:09:50 2008
New Revision: 698397
URL: http://svn.apache.org/viewvc?rev=698397&view=rev
Log:
pre-translation improvements
Modified:
httpd/httpd/branches/2.0.x/docs/manual/suexec.xml
Modified: httpd/httpd/branches/2.0.x/docs/manual/suexec.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/docs/manual/suexec.xml?rev=698397&r1=698396&r2=698397&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/docs/manual/suexec.xml (original)
+++ httpd/httpd/branches/2.0.x/docs/manual/suexec.xml Tue Sep 23 16:09:50 2008
@@ -29,7 +29,7 @@
Apache users the ability
to run <strong>CGI</strong> and <strong>SSI</strong> programs
under user IDs different from the user ID of the calling
- web-server. Normally, when a CGI or SSI program executes, it
+ web server. Normally, when a CGI or SSI program executes, it
runs as the same user who is running the web server.</p>
<p>Used properly, this feature can reduce
@@ -115,7 +115,7 @@
<ol>
<li>
<strong>Is the user executing this wrapper a valid user of
- this system?</strong>
+ this system?</strong>
<p class="indent">
This is to ensure that the user executing the wrapper is
@@ -125,7 +125,7 @@
<li>
<strong>Was the wrapper called with the proper number of
- arguments?</strong>
+ arguments?</strong>
<p class="indent">
The wrapper will only execute if it is given the proper
@@ -139,7 +139,7 @@
<li>
<strong>Is this valid user allowed to run the
- wrapper?</strong>
+ wrapper?</strong>
<p class="indent">
Is this user the user allowed to run this wrapper? Only
@@ -150,7 +150,7 @@
<li>
<strong>Does the target CGI or SSI program have an unsafe
- hierarchical reference?</strong>
+ hierarchical reference?</strong>
<p class="indent">
Does the target CGI or SSI program's path contain a leading
@@ -162,7 +162,7 @@
</li>
<li>
- <strong>Is the target user name valid?</strong>
+ <strong>Is the target user name valid?</strong>
<p class="indent">
Does the target user exist?
@@ -170,7 +170,7 @@
</li>
<li>
- <strong>Is the target group name valid?</strong>
+ <strong>Is the target group name valid?</strong>
<p class="indent">
Does the target group exist?
@@ -189,7 +189,7 @@
<li>
<strong>Is the target userid <em>ABOVE</em> the minimum ID
- number?</strong>
+ number?</strong>
<p class="indent">
The minimum user ID number is specified during
@@ -201,7 +201,7 @@
<li>
<strong>Is the target group <em>NOT</em> the superuser
- group?</strong>
+ group?</strong>
<p class="indent">
Presently, suEXEC does not allow the <code><em>root</em></code>
@@ -211,7 +211,7 @@
<li>
<strong>Is the target groupid <em>ABOVE</em> the minimum ID
- number?</strong>
+ number?</strong>
<p class="indent">
The minimum group ID number is specified during
@@ -223,7 +223,7 @@
<li>
<strong>Can the wrapper successfully become the target user
- and group?</strong>
+ and group?</strong>
<p class="indent">
Here is where the program becomes the target user and
@@ -245,12 +245,13 @@
<li>
<strong>Is the directory within the Apache
- webspace?</strong>
+ webspace?</strong>
<p class="indent">
If the request is for a regular portion of the server, is
the requested directory within suEXEC's document root? If
- the request is for a UserDir, is the requested directory
+ the request is for a <directive module="mod_userdir"
+ >UserDir</directive>, is the requested directory
within the directory configured as suEXEC's userdir (see
<a href="#install">suEXEC's configuration options</a>)?
</p>
@@ -258,7 +259,7 @@
<li>
<strong>Is the directory <em>NOT</em> writable by anyone
- else?</strong>
+ else?</strong>
<p class="indent">
We don't want to open up the directory to others; only
@@ -268,7 +269,7 @@
</li>
<li>
- <strong>Does the target CGI/SSI program exist?</strong>
+ <strong>Does the target CGI/SSI program exist?</strong>
<p class="indent">
If it doesn't exists, it can't very well be executed.
@@ -277,7 +278,7 @@
<li>
<strong>Is the target CGI/SSI program <em>NOT</em> writable
- by anyone else?</strong>
+ by anyone else?</strong>
<p class="indent">
We don't want to give anyone other than the owner the
@@ -287,7 +288,7 @@
<li>
<strong>Is the target CGI/SSI program <em>NOT</em> setuid or
- setgid?</strong>
+ setgid?</strong>
<p class="indent">
We do not want to execute programs that will then change
@@ -297,7 +298,7 @@
<li>
<strong>Is the target user/group the same as the program's
- user/group?</strong>
+ user/group?</strong>
<p class="indent">
Is the user the owner of the file?
@@ -306,7 +307,7 @@
<li>
<strong>Can we successfully clean the process environment
- to ensure safe operations?</strong>
+ to ensure safe operations?</strong>
<p class="indent">
suEXEC cleans the process' environment by establishing a
@@ -319,7 +320,7 @@
<li>
<strong>Can we successfully become the target CGI/SSI program
- and execute?</strong>
+ and execute?</strong>
<p class="indent">
Here is where suEXEC ends and the target CGI/SSI program begins.
@@ -378,13 +379,15 @@
directories where suEXEC access should be allowed. All
executables under this directory will be executable by suEXEC
as the user so they should be "safe" programs. If you are
- using a "simple" UserDir directive (ie. one without a "*" in
- it) this should be set to the same value. suEXEC will not
- work properly in cases where the UserDir directive points to
+ using a "simple" <directive module="mod_userdir">UserDir</directive>
+ directive (ie. one without a "*" in it) this should be set to the same
+ value. suEXEC will not work properly in cases where the <directive
+ module="mod_userdir">UserDir</directive> directive points to
a location that is not the same as the user's home directory
- as referenced in the passwd file. Default value is
- "public_html".<br />
- If you have virtual hosts with a different UserDir for each,
+ as referenced in the <code>passwd</code> file. Default value is
+ "<code>public_html</code>".<br />
+ If you have virtual hosts with a different <directive
+ module="mod_userdir">UserDir</directive> for each,
you will need to define them to all reside in one parent
directory; then name that parent directory here. <strong>If
this is not defined properly, "~userdir" cgi requests will
@@ -393,12 +396,13 @@
<dt><code>--with-suexec-docroot=<em>DIR</em></code></dt>
<dd>Define as the DocumentRoot set for Apache. This will be
- the only hierarchy (aside from UserDirs) that can be used for
- suEXEC behavior. The default directory is the <code>--datadir</code>
- value with the suffix "/htdocs", <em>e.g.</em> if you configure
- with "<code>--datadir=/home/apache</code>" the directory
- "/home/apache/htdocs" is used as document root for the suEXEC
- wrapper.</dd>
+ the only hierarchy (aside from <directive module="mod_userdir"
+ >UserDir</directive>s) that can be used for suEXEC behavior. The
+ default directory is the <code>--datadir</code> value with the suffix
+ "<code>/htdocs</code>", <em>e.g.</em> if you configure with
+ "<code>--datadir=/home/apache</code>" the directory
+ "<code>/home/apache/htdocs</code>" is used as document root for the
+ suEXEC wrapper.</dd>
<dt><code>--with-suexec-uidmin=<em>UID</em></code></dt>
@@ -417,63 +421,71 @@
<dd>This defines the filename to which all suEXEC
transactions and errors are logged (useful for auditing and
debugging purposes). By default the logfile is named
- "suexec_log" and located in your standard logfile directory
- (<code>--logfiledir</code>).</dd>
+ "<code>suexec_log</code>" and located in your standard logfile
+ directory (<code>--logfiledir</code>).</dd>
<dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
<dd>Define a safe PATH environment to pass to CGI
executables. Default value is
- "/usr/local/bin:/usr/bin:/bin".</dd>
+ "<code>/usr/local/bin:/usr/bin:/bin</code>".</dd>
</dl>
- <p><strong>Compiling and installing the suEXEC
- wrapper</strong><br />
- If you have enabled the suEXEC feature with the
- <code>--enable-suexec</code> option the <code>suexec</code> binary
- (together with Apache itself) is automatically built if you execute
- the <code>make</code> command.<br />
- After all components have been built you can execute the
- command <code>make install</code> to install them. The binary image
- <code>suexec</code> is installed in the directory defined by the
- <code>--sbindir</code> option. The default location is
- "/usr/local/apache2/bin/suexec".<br />
- Please note that you need <strong><em>root
- privileges</em></strong> for the installation step. In order
- for the wrapper to set the user ID, it must be installed as
- owner <code><em>root</em></code> and must have the setuserid
- execution bit set for file modes.</p>
-
- <p><strong>Setting paranoid permissions</strong><br />
- Although the suEXEC wrapper will check to ensure that its
- caller is the correct user as specified with the
- <code>--with-suexec-caller</code> <program>configure</program>
- option, there is
- always the possibility that a system or library call suEXEC uses
- before this check may be exploitable on your system. To counter
- this, and because it is best-practise in general, you should use
- filesystem permissions to ensure that only the group Apache
- runs as may execute suEXEC.</p>
+ <section>
+ <title>Compiling and installing the suEXEC wrapper</title>
- <p>If for example, your web-server is configured to run as:</p>
-
-<example>
- User www<br />
- Group webgroup<br />
-</example>
-
- <p>and <program>suexec</program> is installed at
- "/usr/local/apache2/bin/suexec", you should run:</p>
-
-<example>
- chgrp webgroup /usr/local/apache2/bin/suexec<br />
- chmod 4750 /usr/local/apache2/bin/suexec<br />
-</example>
-
- <p>This will ensure that only the group Apache runs as can even
- execute the suEXEC wrapper.</p>
+ <p>If you have enabled the suEXEC feature with the
+ <code>--enable-suexec</code> option the <code>suexec</code> binary
+ (together with Apache itself) is automatically built if you execute
+ the <code>make</code> command.</p>
+
+ <p>After all components have been built you can execute the
+ command <code>make install</code> to install them. The binary image
+ <code>suexec</code> is installed in the directory defined by the
+ <code>--sbindir</code> option. The default location is
+ "/usr/local/apache2/bin/suexec".</p>
+
+ <p>Please note that you need <strong><em>root
+ privileges</em></strong> for the installation step. In order
+ for the wrapper to set the user ID, it must be installed as
+ owner <code><em>root</em></code> and must have the setuserid
+ execution bit set for file modes.</p>
+ </section>
+
+ <section>
+ <title>Setting paranoid permissions</title>
+
+ <p>Although the suEXEC wrapper will check to ensure that its
+ caller is the correct user as specified with the
+ <code>--with-suexec-caller</code> <program>configure</program>
+ option, there is
+ always the possibility that a system or library call suEXEC uses
+ before this check may be exploitable on your system. To counter
+ this, and because it is best-practise in general, you should use
+ filesystem permissions to ensure that only the group Apache
+ runs as may execute suEXEC.</p>
+
+ <p>If for example, your web server is configured to run as:</p>
+
+ <example>
+ User www<br />
+ Group webgroup<br />
+ </example>
+
+ <p>and <program>suexec</program> is installed at
+ "/usr/local/apache2/bin/suexec", you should run:</p>
+
+ <example>
+ chgrp webgroup /usr/local/apache2/bin/suexec<br />
+ chmod 4750 /usr/local/apache2/bin/suexec<br />
+ </example>
+
+ <p>This will ensure that only the group Apache runs as can even
+ execute the suEXEC wrapper.</p>
+ </section>
</section>
+
<section id="enable"><title>Enabling & Disabling
suEXEC</title>
@@ -556,7 +568,7 @@
<li><strong>suEXEC Points Of Interest</strong></li>
<li>
- Hierarchy limitations
+ Hierarchy limitations
<p class="indent">
For security and efficiency reasons, all suEXEC requests
@@ -571,7 +583,7 @@
</li>
<li>
- suEXEC's PATH environment variable
+ suEXEC's PATH environment variable
<p class="indent">
This can be a dangerous thing to change. Make certain
@@ -583,7 +595,7 @@
</li>
<li>
- Altering the suEXEC code
+ Altering the suEXEC code
<p class="indent">
Again, this can cause <strong>Big Trouble</strong> if you