How to set up suEXEC in Apache
Since I no longer use Apache for anything, this guide is probably outdated; please keep that in mind.
Here is a little example of how to set up suEXEC in Apache; feel free to comment and help make it better.
If you see something wrong, please do not just post what is wrong but try to explain it so everyone is able to learn from it.
In this guide I will use the user name “etherus” and the group name “ulyaoth”; please change these on your machine to your needs. The IP that I will use in this example is “18.104.22.168”; this should be changed to the IP address you are going to use. Lastly, throughout this example I used the name “ulyaoth” as the website and directory name; of course this should be changed to something that fits your situation.
This guide was tested and created on Fedora 20.
What is suEXEC
Apache suEXEC is a feature of the Apache Web server. It allows users to run CGI and SSI applications as a different user – normally, all web server processes run as the default web server user (often wwwrun, apache or nobody). The suEXEC feature consists of a module for the web server and a binary executable which acts as a wrapper.
If a client requests a CGI and suEXEC is activated, it will call the suEXEC binary, which then wraps the CGI script and executes it under the user account of the server process (virtual host) defined in the virtual host directive.
Before you start you will have to prepare a few things: you will need to create a user name and a separate group name for every website you plan to add.
Step 1: Create the group “ulyaoth”
$ groupadd ulyaoth
Step 2: Create the user “etherus”
$ useradd -s /sbin/nologin etherus
Step 3: Set a password for the user “etherus”
$ passwd etherus
Step 4: Add the user “etherus” into the group “ulyaoth”
$ usermod -a -G ulyaoth etherus
This is a very basic user/group creation, and there should be plenty of better examples on Google or any other search engine.
Now that we have created the user and placed him in the correct group, it is time to create the directories we will need for our website. I will use the standard “www” directory in Fedora for this example; however, you do not have to do this: you are able to create a separate partition and create all the directories there.
Step 5: Create the directory “ulyaoth” inside “/var/www”
$ mkdir -p /var/www/ulyaoth
Step 6: Create the directory “logs” inside “/var/www/ulyaoth/” (This will contain the log files that your website generates)
$ mkdir -p /var/www/ulyaoth/logs
Step 7: Create the directory “www” inside “/var/www/ulyaoth” (This will contain the directories of your website)
$ mkdir -p /var/www/ulyaoth/www
Step 8: Create the directory “html” inside “/var/www/ulyaoth/www” (This will contain the files for your website)
$ mkdir -p /var/www/ulyaoth/www/html
Step 9: Create the directory “cgi-bin” inside “/var/www/ulyaoth/www” (This will contain any scripts your website will use)
$ mkdir -p /var/www/ulyaoth/www/cgi-bin
These should be all the directories you will need to run a website; all that is left now is to change the permissions and user/group on those folders.
Step 10: Change the user and group that own the directory “ulyaoth” and all the subdirectories
$ chown -R etherus:ulyaoth /var/www/ulyaoth
Step 11: Change the permission on the ulyaoth directory to 664 and add +x.
$ chmod 664 /var/www/ulyaoth
$ chmod +x /var/www/ulyaoth
Step 12: Change the permission on the logs directory to 664.
$ chmod 664 /var/www/ulyaoth/logs
Step 13: Change the permission on the www directory to 664 and add +x.
$ chmod 664 /var/www/ulyaoth/www
$ chmod +x /var/www/ulyaoth/www
Step 14: Change the permission on the cgi-bin directory to 755 and add +x. (suEXEC refuses to run scripts from a directory that is writable by group or others)
$ chmod 755 /var/www/ulyaoth/www/cgi-bin
$ chmod +x /var/www/ulyaoth/www/cgi-bin
Step 15: Change the permission on the html directory to 664 and add +x.
$ chmod 664 /var/www/ulyaoth/www/html
$ chmod +x /var/www/ulyaoth/www/html
Now that we have prepared everything on the server to accept suEXEC, all that is left is editing our httpd.conf, so please open this file and add the following into it.
Step 16: Add the code below to your vhost.conf and change everything to your needs.
<VirtualHost 18.104.22.168>
    SuexecUserGroup etherus ulyaoth
    ServerAdmin [email protected]
    CustomLog /var/www/ulyaoth/logs/access_log common
    DirectoryIndex index.html index.htm index.shtml index.php
    ScriptAlias /cgi-bin/ /var/www/ulyaoth/www/cgi-bin/
    # The <Directory> path is an assumption: it covers both html and cgi-bin.
    <Directory /var/www/ulyaoth/www>
        Allow from all
    </Directory>
    AddHandler cgi-script .cgi .pl
</VirtualHost>
Now restart your Apache and you have your website running in suEXEC.
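suEXEC will only execute a script if the script and its directory pass a set of ownership and permission checks, which is why Steps 10 and 14 matter. The helper below is an added example, not part of the original guide: suexec_check is a hypothetical name, it mirrors only the file-level checks for one script, and it assumes GNU stat as shipped on Fedora.

```shell
#!/bin/sh
# Added example: audit one CGI script against the file checks suEXEC
# performs before executing it. Assumes GNU stat (stat -c).

# suexec_check USER GROUP SCRIPT
# Prints "ok" or the first failed check; returns 0 on ok, 1 otherwise.
suexec_check() {
    user=$1 group=$2 script=$3
    dir=$(dirname "$script")

    [ -f "$script" ] || { echo "script does not exist"; return 1; }

    # Both the directory and the script must be owned by the
    # SuexecUserGroup user and group.
    for p in "$dir" "$script"; do
        [ "$(stat -c '%U:%G' "$p")" = "$user:$group" ] ||
            { echo "owner mismatch: $p"; return 1; }
    done

    # Neither the directory nor the script may be writable by group or others.
    for p in "$dir" "$script"; do
        mode=$(stat -c '%a' "$p")
        [ $(( 0$mode & 022 )) -eq 0 ] ||
            { echo "group/other writable: $p"; return 1; }
    done

    mode=$(stat -c '%a' "$script")
    # The script must not be setuid or setgid ...
    [ $(( 0$mode & 06000 )) -eq 0 ] ||
        { echo "setuid/setgid: $script"; return 1; }
    # ... and its owner must be allowed to execute it.
    [ $(( 0$mode & 0100 )) -ne 0 ] ||
        { echo "not executable: $script"; return 1; }

    echo "ok"
}
```

For this guide the call would be suexec_check etherus ulyaoth /var/www/ulyaoth/www/cgi-bin/yourscript.cgi, where the script name is a placeholder. suEXEC also enforces a compiled-in document root and minimum UID/GID, which "suexec -V" run as root prints.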
If you run SELinux, errors may arise and you will probably have to execute the following commands:
$ chcon -R -t httpd_sys_script_exec_t /var/www/ulyaoth/www/cgi-bin
$ chcon -R -t httpd_log_t /var/www/ulyaoth/logs
$ setsebool -P httpd_enable_cgi=1
$ setsebool -P httpd_can_network_connect=1
$ semanage fcontext -a -t httpd_sys_content_t "/var/www/ulyaoth/www/html(/.*)?"
$ restorecon -R /var/www/ulyaoth/www/html
If you do not have semanage installed you can run the following command on a yum based Linux distro:
$ yum -y install policycoreutils-python
This guide may contain many errors and mistakes; I just did this for learning purposes and am sharing it with everyone so maybe someone else is able to learn from it.
Sjir has over 15 years of experience in information technology, having held various positions at companies such as Blizzard Entertainment, TV4, and Basefarm. He now wields multiple security, cloud, and IT certifications and currently works as an information security engineer.