cgi scripts executed as wwrun - suexec

  • 7009339
  • 12-Sep-2011
  • 27-Apr-2012

Environment

SUSE Linux Enterprise Server 11 Service Pack 1
SUSE Linux Enterprise Server 11 Service Pack 2

Situation

If users or administrators of Apache need the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web server, they can use suEXEC. The suEXEC module lets you run CGI scripts under a different user and group.

The man page of suexec describes the program as such:

"suexec  is  used by the Apache HTTP Server to switch to another user before executing CGI programs. In order to achieve this, it must run as root. Since the HTTP daemon normally doesn't run as root, the suexec executable needs the setuid bit set and must be owned by root. It should never be writable for any other person than root."

suEXEC is a setuid wrapper called by the Apache server. Every time the binary is executed it runs with root privileges. For that to happen the setuid bit needs to be set.

On SUSE Linux Enterprise Server 10 the setuid bit of /usr/sbin/suexec2 was set by default:
-rwsr-xr-x 1 root root 15984 2011-08-31 16:26 /usr/sbin/suexec2

On SUSE Linux Enterprise Server 11 the setuid bit is no longer set:
-rwxr-xr-x 1 root root 14944 2011-08-31 16:39 /usr/sbin/suexec2

Resolution

The setuid bit can be enabled locally via /etc/permissions.local. This file is used for local additions: file permissions set there override the file permissions as shipped with the OS.

Before making this change, read the Apache suEXEC documentation.
The Apache manual, including the suEXEC documentation, is available either on-line at apache.org/docs/2.2/suexec.html or, after installing the apache2-doc package, at http://localhost/manual/.

That document states that before beginning to use suEXEC you need to be "... familiar with some basic concepts of your computer's security and its administration. This involves an understanding of setuid/setgid operations and the various effects they may have on your system and its level of security."
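The following check, added here as an example and not part of the SUSE TID, verifies that a suEXEC binary meets the conditions the suexec man page requires (owned by root, setuid bit set, writable by nobody but root) after the permissions have been applied. The /etc/permissions.local entry and the chkstat command in the comments are assumptions about the SLES 11 permissions mechanism, not text from the TID.

```shell
#!/bin/sh
# Added example: verify ownership and mode of a suEXEC binary.
# Assumed /etc/permissions.local entry for SLES 11 (path taken from the TID):
#   /usr/sbin/suexec2    root:root    4755
# applied with "chkstat --set /etc/permissions.local" (assumed command).

# check_suexec PATH [OWNER]
# Returns 0 when PATH is owned by OWNER (default: root), has the setuid bit
# and is not writable by group or others; otherwise prints the reason and
# returns 1.
check_suexec() {
    path=$1
    owner=${2:-root}
    [ -f "$path" ] || { echo "$path: missing"; return 1; }
    # GNU stat: %a = octal mode including special bits, %U = owner name
    set -- $(stat -c '%a %U' "$path") || return 1
    mode=$1
    actual_owner=$2
    [ "$actual_owner" = "$owner" ] || {
        echo "$path: owned by $actual_owner, expected $owner"; return 1; }
    # Pad to four digits so the special-bit digit is always present.
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done
    special=$(printf '%s' "$mode" | cut -c1)
    group=$(printf '%s' "$mode" | cut -c3)
    other=$(printf '%s' "$mode" | cut -c4)
    # setuid is the 4 bit of the special digit
    case $special in
        4|5|6|7) ;;
        *) echo "$path: setuid bit not set (mode $mode)"; return 1 ;;
    esac
    # write is the 2 bit of the group and other digits
    case $group in
        2|3|6|7) echo "$path: group-writable (mode $mode)"; return 1 ;;
    esac
    case $other in
        2|3|6|7) echo "$path: world-writable (mode $mode)"; return 1 ;;
    esac
    echo "$path: ok (mode $mode, owner $actual_owner)"
    return 0
}

# Usage on a SLES 11 system (requires the binary to exist):
#   check_suexec /usr/sbin/suexec2
```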
