What is SuExec?
Apache SuExec is a feature of the Apache Web server. It allows users to run CGI and SSI applications as a different user. Normally, all web server processes run as the default web server user (often apache or nobody)
Presently, suExec does not allow ‘root’ user as well as ‘root’ group to execute CGI/SSI programs because SuExec is basically developed to run CGI and SSI based programs under the specific user ids other then common user name like nobody.
When PHP runs as an Apache module, PHP files work under the Apache user/group known as “nobody”. When a PHP script creates or uploads a new file under your account, the new file will be owned by the user “nobody”. If you FTP or cPanel into your account, all files owned by “nobody” will not be available for you to move, rename or delete. In this case the only way to remove the “nobody” owned files would be through a file on the shell by using root user.
When PHP runs as a CGI with Suexec, PHP files work under your user/group. PHP files no longer require loose permissions to function; now they will require strict permissions. Setting your directories or PHP files to 777 will cause them to produce a “500 Internal Server Error”, this happens to protect your PHP files from being abused by outside sources.
How to check SuExec configured value?
You can run suexec -V on server by using root login details. It will give you following result.
-D AP_DOC_ROOT=”/var/www”
-D AP_GID_MIN=100
-D AP_HTTPD_USER=”apache”
-D AP_LOG_EXEC=”/var/log/httpd/suexec.log”
-D AP_SAFE_PATH=”/usr/local/bin:/usr/bin:/bin”
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX=”public_html”
By default following values are used while configuring SuExec.
–enable-suexec
This option enables the suEXEC feature which is never installed or activated by default. At least one –suexec-xxxxx option has to be provided together with the –enable-suexec option to let APACI accept your request for using the suEXEC feature.–with-suexec-docroot=DIR
Define as the DocumentRoot set for Apache. This will be the only directory aside from UserDirs that can be used for SuExec behavior. The default directory is the –datadir value with the suffix “/htdocs”, e.g. if you configure with “–datadir=/var/www” the directory “/var/www/” is used as document root for the SuExec wrapper.–with-suexec-caller=UID
The username under which Apache normally runs. This is the only user allowed to execute this program.
SuExec-gidmin value?
–with-suexec-gidmin=GID
Define this as the lowest GID allowed to be a target group for SuExec. For most servers 100 are common and therefore used as default value. The numerical equivalent of the primary group name which is referenced by the system and applications when determining access privileges. When ever new user accounts are added, the new user accounts are assigned the first available UID and GID starting at 100. The next new user account is assigned UID/GID 101, followed by UID/GID 102, and so on. Because UIDs and GIDs below 100 are reserved for system uses Unlike UID/GID zero (0), UIDs and GIDs below 100 are not treated specially by Server. However, these UIDs/GIDs are never to be assigned to a user, as it is likely that some system component either currently uses or will use these UIDs/GIDs at some point in the future.
SuExec-userdir and SuExec-bin?
–with-suexec-userdir=DIR
Define to be the subdirectory under users’ home directories where SuExec access should be allowed. All executables under this directory will be executable by SuExec as the user so they should be “safe” programs. If you are using a “simple” UserDir directive this should be set to the same value. SuExec will not work properly in cases where the UserDir directive points to a location that is not the same as the user’s home directory as referenced in the passwd file. Default value is “public_html”. If you have virtual hosts with a different UserDir for each, you will need to define them to all reside in one parent directory; then name that parent directory here. If this is not defined properly, “~userdir” cgi requests will not work!
Advantages of SuExec?
This allows processes to run as your own user, rather than the global web server user like nobody.
The advantages are that any files created by your script are owned by your own user, and not a different (web server) user, allowing you to control, remove, add, and edit them via FTP, the control panel, File Manager, web page editor, SSH/shell,
If any abuses, spam, attacks, illicit processes, etc. are easier and more immediately tracked and controlled by using SuExec log files.
Disadvantage of SuExec server?
Security risks involved with allowing users to develop and run private CGI or SSI programs. However, if SuExec is improperly configured, it can cause any number of problems and possibly create new holes in your server’s security
Presently, suExec does not allow root or root group to execute CGI/SSI programs
