How to set up suEXEC in Apache

Since I no longer use Apache for anything, this guide is probably outdated; please keep that in mind.

Here is a little example of how to set up suEXEC in Apache. Feel free to comment and help make it better.
If you see something wrong, please do not just post what is wrong, but try to explain it so everyone is able to learn from it.

In this guide I will use the user name “etherus” and the group name “ulyaoth”; please change these to suit your machine. The IP address used in this example is “1.1.1.1”; change it to the IP address you are going to use. Finally, the name “ulyaoth” is used throughout as the website and directory name, so change it to something that fits your situation.

This guide was tested and created on Fedora 20.

What is suEXEC
Apache suEXEC is a feature of the Apache web server. It allows users to run CGI and SSI applications as a different user. Normally, all web server processes run as the default web server user (often wwwrun, apache or nobody). The suEXEC feature consists of a module for the web server and a binary executable which acts as a wrapper.

If a client requests a CGI script and suEXEC is activated, the server calls the suEXEC binary, which wraps the CGI script and executes it under the user account defined for that virtual host in its configuration.

More information can be found at the following websites:
suEXEC 2.4 Documentation
suEXEC 2.2 Documentation
suEXEC 1.3 Documentation
suEXEC wikipedia

Before you start, you need to prepare a few things: create a user name and a separate group name for every website you plan to add.

Step 1: Create the group “ulyaoth”

$ groupadd ulyaoth

Step 2: Create the user “etherus”

$ useradd -s /sbin/nologin etherus

Step 3: Set a password for the user “etherus”

$ passwd etherus

Step 4: Add the user “etherus” into the group “ulyaoth”

$ usermod -a -G ulyaoth etherus

This is a very basic user/group creation, and there should be plenty of better examples on Google or any other search engine.

Now that we have created the user and placed it in the correct group, it is time to create the directories we will need for our website. I will use the standard “www” directory in Fedora for this example. You do not have to do this; you can create a separate partition and create all the directories there instead.

Step 5: Create the directory “ulyaoth” inside “/var/www”

$ mkdir -p /var/www/ulyaoth

Step 6: Create the directory “logs” inside “/var/www/ulyaoth/” (This will contain the log files that your website generates)

$ mkdir -p /var/www/ulyaoth/logs

Step 7: Create the directory “www” inside “/var/www/ulyaoth” (This will contain the directories of your website)

$ mkdir -p /var/www/ulyaoth/www

Step 8: Create the directory “html” inside “/var/www/ulyaoth/www” (This will contain the files for your website)

$ mkdir -p /var/www/ulyaoth/www/html

Step 9: Create the directory “cgi-bin” inside “/var/www/ulyaoth/www” (This will contain any scripts your website will use)

$ mkdir -p /var/www/ulyaoth/www/cgi-bin

These are all the directories you need to run a website. All that is left now is to change the permissions and the user/group on those folders.

Step 10: Change the user and group that own the directory “ulyaoth” and all the subdirectories

$ chown -R etherus:ulyaoth /var/www/ulyaoth

Step 11: Change the permission on the ulyaoth directory to 664 and add +x.

$ chmod 664 /var/www/ulyaoth
$ chmod +x /var/www/ulyaoth

Step 12: Change the permission on the logs directory to 664.

$ chmod 664 /var/www/ulyaoth/logs

Step 13: Change the permission on the www directory to 664 and add +x.

$ chmod 664 /var/www/ulyaoth/www
$ chmod +x /var/www/ulyaoth/www

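Step 14: Change the permission on the cgi-bin directory to 755 and add +x. (suEXEC refuses to run scripts from a directory that is writable by group or other, so this directory must not be group-writable.)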

$ chmod 755 /var/www/ulyaoth/www/cgi-bin
$ chmod +x /var/www/ulyaoth/www/cgi-bin

Step 15: Change the permission on the html directory to 664 and add +x.

$ chmod 664 /var/www/ulyaoth/www/html
$ chmod +x /var/www/ulyaoth/www/html

Now that we have prepared everything on the server to accept suEXEC, all that is left is editing our httpd.conf, so please open this file and add the following to it.

Step 16: Add the code below to your vhost.conf and change everything to your needs.

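# Default virtual host
<VirtualHost 1.1.1.1>
ServerName Ulyaoth
DocumentRoot /var/www/html
DirectoryIndex index.html index.htm index.shtml index.php
</VirtualHost>

# suEXEC virtual host: CGI scripts run as user etherus, group ulyaoth
<VirtualHost 1.1.1.1>
SuexecUserGroup etherus ulyaoth
# Placeholder address, change it to your own
ServerAdmin webmaster@example.com
ServerName ulyaoth.asia
ServerAlias www.ulyaoth.asia
DocumentRoot /var/www/ulyaoth/www/html
ErrorLog /var/www/ulyaoth/logs/error_log
CustomLog /var/www/ulyaoth/logs/access_log common
DirectoryIndex index.html index.htm index.shtml index.php

ScriptAlias /cgi-bin/ /var/www/ulyaoth/www/cgi-bin/

# Directory path assumed to be the ScriptAlias target
<Directory /var/www/ulyaoth/www/cgi-bin/>
AllowOverride none
Order allow,deny
Allow from all
Options +ExecCGI
AddHandler cgi-script .cgi .pl
</Directory>
</VirtualHost>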

Now restart your Apache and you have your website running in suEXEC.
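
The ownership and permission steps above matter because the suEXEC wrapper refuses to run a CGI program if the program or its directory is writable by group or other, is not owned by the user and group given in SuexecUserGroup, or if the program is setuid/setgid. The script below is an added example, not part of the original guide, that audits a cgi-bin directory against that subset of suEXEC's checks; the function names are hypothetical and it assumes GNU stat (Linux).

```sh
#!/bin/sh
# Added example: audit a cgi-bin directory against a subset of suEXEC's
# ownership and permission checks. Function names are hypothetical.

# check_path PATH USER GROUP
# Prints one line per problem; returns the number of problems found.
check_path() {
    cp_path=$1; cp_user=$2; cp_group=$3; cp_problems=0
    cp_owner=$(stat -c %U -- "$cp_path")
    cp_grp=$(stat -c %G -- "$cp_path")
    cp_mode=$(stat -c %a -- "$cp_path")      # octal digits, e.g. 755

    if [ "$cp_owner" != "$cp_user" ] || [ "$cp_grp" != "$cp_group" ]; then
        echo "FAIL $cp_path: owned by $cp_owner:$cp_grp, expected $cp_user:$cp_group"
        cp_problems=$((cp_problems + 1))
    fi
    # mode & 022 is non-zero when group or other has the write bit.
    if [ $(( 0$cp_mode & 022 )) -ne 0 ]; then
        echo "FAIL $cp_path: mode $cp_mode is writable by group or other"
        cp_problems=$((cp_problems + 1))
    fi
    # mode & 06000 is non-zero when setuid or setgid is set on a program.
    if [ -f "$cp_path" ] && [ $(( 0$cp_mode & 06000 )) -ne 0 ]; then
        echo "FAIL $cp_path: mode $cp_mode has setuid/setgid set"
        cp_problems=$((cp_problems + 1))
    fi
    return "$cp_problems"
}

# suexec_audit CGI_DIR USER GROUP
# Checks the directory and every regular file in it; returns 0 if clean.
suexec_audit() {
    sa_dir=$1; sa_user=$2; sa_group=$3; sa_bad=0
    check_path "$sa_dir" "$sa_user" "$sa_group" || sa_bad=1
    for sa_file in "$sa_dir"/*; do
        [ -f "$sa_file" ] || continue
        check_path "$sa_file" "$sa_user" "$sa_group" || sa_bad=1
    done
    return "$sa_bad"
}

# Usage with the names from this guide:
#   suexec_audit /var/www/ulyaoth/www/cgi-bin etherus ulyaoth
```

A clean run prints nothing and returns 0. Each FAIL line names a path that suEXEC would reject.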

Problems:
If you run SELinux, errors may arise; you will probably have to execute the following commands:

$ chcon -R -t httpd_sys_script_exec_t /var/www/ulyaoth/www/cgi-bin
$ chcon -R -t httpd_log_t /var/www/ulyaoth/logs
$ setsebool -P httpd_enable_cgi=1
$ setsebool -P httpd_can_network_connect=1
$ semanage fcontext -a -t httpd_sys_content_t "/var/www/ulyaoth/www/html(/.*)?"

If you do not have semanage installed, you can run the following command on a yum-based Linux distro:

$ yum -y install policycoreutils-python

This guide may contain many errors and mistakes; I just did this for learning purposes and to share it with everyone, so maybe someone else is able to learn from it.