suexec

Intro

Apache's suexec helper is pretty much useless on a shared webserver. On such a webserver, each customer gets its own virtual user id without a login name, as you don't want your customers ssh'ing into your webserver, do you? The original suexec helper requires each user to have a login name and a home directory. Furthermore, each CGI script has to reside in the user's home directory. So I wrote a replacement.

Usage

  1. Make a backup of the original suexec, e.g.
    cp -i suexec suexec.orig
  2. Download and install my suexec:
    tar -xjf suexec-0.1.tar.bz2
    cd suexec-0.1
    make
    sudo make install
    By default, it installs to /usr/local/sbin. Depending on your operating system, you may have to move it to /usr/sbin, /usr/libexec, or a similar directory.
  3. Load the suexec module into your httpd, e.g. in httpd.conf:
    LoadModule suexec_module libexec/apache22/mod_suexec.so
  4. Adjust your virtual hosts, e.g.
    <VirtualHost *:80>
        ServerName www.customer1.tld
        DocumentRoot /srv/www/customer1.tld/htdocs
        ScriptAlias /cgi-bin/ /srv/www/customer1.tld/cgi-bin/
        SuexecUserGroup #20000 #20000
        ...
    </VirtualHost>
    <VirtualHost *:80>
        ServerName www.customer2.tld
        DocumentRoot /srv/www/customer2.tld/htdocs
        ScriptAlias /cgi-bin/ /srv/www/customer2.tld/cgi-bin/
        SuexecUserGroup #20001 #20001
        ...
    </VirtualHost>
    ...
    
    This way all scripts on www.customer1.tld are run as uid and gid 20000, whereas all scripts on www.customer2.tld are run as uid and gid 20001. Combine this with proper filesystem permissions and a coherent ProFTPd configuration.
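    One way to check the filesystem side of this setup, as an added example that is not part of the original suexec package: it reads each vhost's SuexecUserGroup and ScriptAlias and reports anything under the cgi-bin directory that is not owned by that uid/gid or is writable by group or others. The function names, the embedded sample config and that definition of "proper" permissions are assumptions.

```python
import os
import re
import stat

# Constructed sample mirroring the virtual hosts shown above.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName www.customer1.tld
    ScriptAlias /cgi-bin/ /srv/www/customer1.tld/cgi-bin/
    SuexecUserGroup #20000 #20000
</VirtualHost>
<VirtualHost *:80>
    ServerName www.customer2.tld
    ScriptAlias /cgi-bin/ /srv/www/customer2.tld/cgi-bin/
    SuexecUserGroup #20001 #20001
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return (server, cgi_dir, uid, gid) per vhost that uses the numeric '#id' form."""
    hosts = []
    for block in re.findall(r"<VirtualHost\b.*?</VirtualHost>", conf, re.S | re.I):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M | re.I)
        alias = re.search(r"^\s*ScriptAlias\s+\S+\s+(\S+)", block, re.M | re.I)
        ids = re.search(r"^\s*SuexecUserGroup\s+#(\d+)\s+#(\d+)", block, re.M | re.I)
        if name and alias and ids:
            hosts.append((name.group(1), alias.group(1),
                          int(ids.group(1)), int(ids.group(2))))
    return hosts

def audit_tree(root, uid, gid):
    """List (path, problem) for entries not owned by uid:gid or group/other-writable."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)  # lstat: inspect a symlink itself, not its target
            if (st.st_uid, st.st_gid) != (uid, gid):
                findings.append((path, "owner %d:%d" % (st.st_uid, st.st_gid)))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "mode %o" % stat.S_IMODE(st.st_mode)))
    return findings

if __name__ == "__main__":
    for server, cgi_dir, uid, gid in parse_vhosts(SAMPLE_CONF):
        if os.path.isdir(cgi_dir):
            for path, problem in audit_tree(cgi_dir, uid, gid):
                print(server, path, problem)
```

To audit a real server, pass the contents of your own vhost configuration to parse_vhosts instead of SAMPLE_CONF.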

Download