Modified Apache2 suEXEC Module Source Files
-------------------------------------------

Author: CSC - Scientific Computing Ltd.

This package contains suEXEC Apache module source code
(http://httpd.apache.org/, http://httpd.apache.org/docs/2.0/suexec.html).
The suEXEC module is licensed under Apache License.

The source files are modified to enable CGI program execution
as an authenticated user.

Installation & Configuration
----------------------------

This covers the build of the suexec binary, not the full Apache server.
However, the Apache server can be built at the same time. For this,
see the installation instructions from the Apache distribution and take
into account the following instructions. Installation of the suexec
module requires "root" user privileges on the current system.
The built suexec binary should be usable with the Apache distribution
of the current system.

The source files ("suexec.c", "suexec.h") are for the Apache 2.x distribution.
To build a modified suexec binary, open the "suexec.h" header file in a
text editor and find the following part of the file:

    #ifndef SUCGI_ROOT
    #define SUCGI_ROOT "/var/www/cgi-bin"
    #endif

Setting "SUCGI_ROOT" defines the location of the installed CGI programs.
Modify the value "/var/www/cgi-bin" to match your Apache system. This
setting replaces the original "AP_DOC_ROOT" setting.

Then download and unpack the Apache 2.x distribution. The Apache source
package of the current Linux system can also be used. Replace the original
files "suexec.c" and "suexec.h" in the support directory with the ones
provided in this package.

Then configure the suexec binary build with the command:

    ./configure --enable-suexec --with-suexec-logfile=path_to_log_file

Replace "path_to_log_file" with a proper path to the desired suEXEC
log file (for example: "/var/www/httpd/suexec.log"). The path should be made
to match the log file directory of your Apache system. Note that if your
Apache system runs under a different user name than "apache", you must
specify the Apache user with the "--with-suexec-caller" configure flag. See
the details with the "--help" configure flag, especially if you are compiling
Apache at the same time.

Then build the suexec binary with the command:

    make suexec

If you are building the whole Apache system, just run the command "make".

After successful compilation, replace the original suexec binary with
the built suexec binary (the binary is built into the support directory
of the Apache distribution). Typically the suexec binary is located in the
"/usr/sbin/" directory (if not, use the command "locate suexec" to find the
binary). Note also that on some Linux systems the original binary may be
named "suexec2". In that case, the built suexec binary must be given the
original name. Check also that the suexec binary has the setuid bit set
(chmod u+s) and that the Apache user's group has execution permission on the
binary (change the group ownership of the suexec binary, if necessary). If
you are building the whole Apache system, the previous steps can be skipped.
Instead, run the command "make install", which installs Apache, including
the modified suexec binary. The file permissions should be checked in this
case as well.

After installing the compiled binary, test it with the command:

    ./suexec -V

This command outputs the compiled-in settings of the binary. Check that the
setting "AP_HTTPD_USER" matches the Apache user of the system. Also verify
that the setting "AP_LOG_EXEC" contains the correct and existing path to the
log file directory of the Apache system (the directory must exist, otherwise
the binary will not work).

The modified suEXEC module uses a configuration file "suexec.conf".
An example of "suexec.conf" is provided with this distribution. The
configuration file must be copied to the "/etc/" directory. The configuration
file contains the following instructions:

    "SERVERUID"   uid of the user running Apache
    "HTTPD_USER"  user name of the user running Apache
    "SERVERGID"   gid of the user running Apache
    "ALLOWEDGID"  gid of the group that owns the CGI binaries
    "ALLOWEDUID"  uid of the user that owns the CGI binaries

The configuration file may contain several "ALLOWEDUID" instructions to
allow several users to maintain the CGI programs.

Note that the CGI program directory ("/var/www/cgi-bin/", etc.), all of its
subdirectories and all CGI executables in it must have their user and group
ownership set to match the "ALLOWEDUID" and "ALLOWEDGID" instructions in
"suexec.conf". In addition, the CGI program directory, its subdirectories and
the CGI executables should have read and execution permissions for all. If
the permissions are incorrect, the suexec binary will not work. The
permissions can be set with the following commands:

    chown -R ALLOWEDUID:ALLOWEDGID your_cgi-bin_directory
    chmod -R 755 your_cgi-bin_directory

In these commands, replace "ALLOWEDUID" and "ALLOWEDGID" with the
corresponding values from your "suexec.conf" configuration file, and
replace "your_cgi-bin_directory" with the installation location of the
CGI programs on your system ("/var/www/cgi-bin/", etc.).
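
The ownership and mode requirements above, for both the suexec binary and
the CGI tree, can be checked with a short script. This is an added example,
not part of the CSC package or of Apache; the function names are made up
here, and flagging group- or world-writable entries is an assumption read
off the 755 mode given above.

```shell
#!/bin/sh
# Added example (not from the CSC package): audit the CGI tree and the
# installed suexec binary against the requirements described in this README.

# Print every directory or regular file under $1 that is not owned by
# user $2 / group $3 (the ALLOWEDUID / ALLOWEDGID values), lacks
# read+execute for all, or is writable by group or others
# (assumption: mode 755 means nobody but the owner may write).
cgi_tree_offenders() {
    find "$1" \( -type d -o -type f \) \
        \( ! -user "$2" -o ! -group "$3" -o ! -perm -555 \
           -o -perm -020 -o -perm -002 \) -print
}

# Return 0 only when the tree has no offending entries.
audit_cgi_tree() {
    offenders=$(cgi_tree_offenders "$1" "$2" "$3") || return 2
    if [ -n "$offenders" ]; then
        printf 'wrong owner or mode:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Return 0 only when $1 is a regular file with the setuid bit set and
# execute permission for its group (the Apache user's group).
check_suexec_bin() {
    [ -f "$1" ] || { echo "$1: not a regular file" >&2; return 1; }
    [ -u "$1" ] || { echo "$1: setuid bit missing" >&2; return 1; }
    [ -n "$(find "$1" -perm -010)" ] || {
        echo "$1: no group execute permission" >&2; return 1; }
}

# Run both checks when called as: script CGI_DIR UID GID SUEXEC_BIN
if [ "$#" -eq 4 ]; then
    audit_cgi_tree "$1" "$2" "$3" && check_suexec_bin "$4"
fi
```

Run it after "chown"/"chmod" and after every update of the CGI programs;
a non-zero exit status means at least one entry needs fixing.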

To enable CGI program execution as an authenticated user, the server
configuration file ("httpd.conf", "ssl.conf", etc.) must contain the following
directive:

    SuexecUserGroup nobody nobody

The directive instructs the Apache daemon to use the suexec binary. The
directive must be placed within a "VirtualHost" container. Note that in some
Linux distributions the group of the user "nobody" may vary. Check the group
with the command "id nobody" and use the correct user/group setting in the
"SuexecUserGroup" directive.

The modified suEXEC module should work with any of the typical Apache
authentication modules.

Additional Information
----------------------

For more information, please visit the SOMA2 WWW pages:
    http://www.csc.fi/soma

Apache server:
    http://httpd.apache.org/

suEXEC Apache module:
    http://httpd.apache.org/docs/2.0/suexec.html