SuExec notes

Enable suexec module to allow users to run CGI scripts etc as themselves.

In Debian lenny…

a2enmod suexec
/etc/init.d/apache2 reload
apt-get install apache2-suexec

Virtual hosts and the docroot setting

suexec is normally compiled with its docroot set to /var/www, which means it’ll refuse to run any scripts outside of that path. If you’d like scripts elsewhere, create a directory in /var/www/ and symlink to it.

E.g. to allow each user to maintain their own vhost config and sites within their home directory, you could have the following setup where vhosts/ contains the vhost config files and sites is a symlink to /var/www/theuser:

bpc:/home/steph# ls -l
...
lrwxrwxrwx 1 root  root      16 Jan 20 00:40 sites -> /var/www/steph
drwxr-xr-x 2 steph steph   4096 Jan 20 00:41 vhosts
...
bpc:/home/steph# cat vhosts/example
<VirtualHost *:80>
	ServerName example.com
	ServerAlias www.example.com example.com
	DocumentRoot /home/steph/sites/example
	SuexecUserGroup steph steph
</VirtualHost>
bpc:/home/steph# ls -l /var/www/steph/
...
drwxr-xr-x 10 steph steph 4096 Jan 19 17:45 example

You can see what the docroot is set to via suexec -V.

Directory permissions (umask)

The AP_SUEXEC_UMASK setting specifies the default umask, i.e. the default permissions received by a new directory created by a script that Apache runs through suexec.

By default, suexec uses a umask of 077, which creates directories with rwx------ permission.

022 is often better, to create directories with rwxr-xr-x permission.
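Before reloading Apache with a new vhost, the two things suexec will check that you can verify yourself are that the DocumentRoot really resolves underneath the compiled-in docroot (that is why the symlink trick above works: suexec looks at the real path of the script’s directory) and that the directory is not writable by anyone but its owner. The following is an added example, not part of the original notes; it assumes GNU coreutils (readlink -f, stat -c) and takes the docroot as an argument, which you would read off the AP_DOC_ROOT line of suexec -V.

```shell
#!/bin/sh
# Added example (not from the original notes): pre-flight checks for a suexec
# vhost, plus a helper that shows which directory mode a given umask yields.

# Return 0 if the resolved path of $1 (symlinks followed) lies inside the
# docroot $2. suexec compares the real working directory of the script against
# AP_DOC_ROOT, so /home/steph/sites/example -> /var/www/steph/example passes
# with the default docroot of /var/www.
suexec_path_ok() {
    _target=$(readlink -f -- "$1") || return 1
    _root=$(readlink -f -- "$2") || return 1
    case "$_target" in
        "$_root"|"$_root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if directory $1 is not writable by group or others. suexec refuses
# to execute from a directory that anyone other than the owner can write to.
suexec_dir_perm_ok() {
    _mode=$(stat -c '%a' -- "$1") || return 1
    # stat gives e.g. 755 or 2755; a leading 0 makes the shell treat it as octal.
    [ $(( 0$_mode & 022 )) -eq 0 ]
}

# Print the octal mode a new directory receives under umask $1
# (077 -> 700, 022 -> 755).
dir_mode_for_umask() {
    printf '%o\n' $(( 0777 & ~0$1 ))
}

# Usage, with the vhost from the notes above and the default docroot:
#   suexec_path_ok /home/steph/sites/example /var/www \
#     && suexec_dir_perm_ok /var/www/steph/example \
#     && echo "suexec should accept this DocumentRoot"
```

The umask helper makes the trade-off in the previous paragraph concrete: 022 gives rwxr-xr-x directories, but it also makes everything the script creates readable by every other local user, which matters when the vhosts on the box belong to different people.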

Change suexec settings (on Gentoo)

On Gentoo you can change the suexec settings that are used when apache is compiled.

E.g. to change the umask setting; the same approach works for any of the other settings.

export SUEXEC_UMASK=022 (or set this in /etc/make.conf)
emerge -av apache

or…

EXTRA_ECONF="--with-suexec-umask=022" emerge -av apache

Or you could change the docroot:

export SUEXEC_DOCROOT=/home
...

Available environment variables are as follows:

You can manipulate several configure options of suexec
through the following environment variables:

 SUEXEC_SAFEPATH: Default PATH for suexec (default: /usr/local/bin:/usr/bin:/bin)
  SUEXEC_LOGFILE: Path to the suexec logfile (default: /var/log/apache2/suexec_log)
   SUEXEC_CALLER: Name of the user Apache is running as (default: apache)
  SUEXEC_DOCROOT: Directory in which suexec will run scripts (default: /var/www)
   SUEXEC_MINUID: Minimum UID, which is allowed to run scripts via suexec (default: 1000)
   SUEXEC_MINGID: Minimum GID, which is allowed to run scripts via suexec (default: 100)
  SUEXEC_USERDIR: User subdirectories (like /home/user/html) (default: public_html)
    SUEXEC_UMASK: Umask for the suexec process (default: 077)

I couldn’t find this information in any documentation other than the .elog that is written to the /var/log/portage/elog directory after apache is installed (in /var/log/portage/elog/www-servers:apache-2.4.4:20130305-004528.log or similar). This is a bit annoying, given that you need the options before compilation. It may be that you can generate the log without installing, but I don’t know how to do this.

Reference: suexec AP_DOC_ROOT Path on gentoo

Determine suexec settings

suexec -V

E.g.:

bpc steph # suexec -V
 -D AP_DOC_ROOT="/home"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/apache2/suexec_log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_SUEXEC_UMASK=077
 -D AP_UID_MIN=1000
 -D AP_USERDIR_SUFFIX="public_html"
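Since the SUEXEC_* variables only take effect at compile time, the useful check after an emerge is whether the binary actually carries the values you asked for. The following is an added example, not part of the original notes: it parses suexec -V output (the sample is copied from the listing above) and compares it against the SUEXEC_* names from the elog table. The mapping between the two sets of names is inferred from the matching defaults in the two tables on this page.

```shell
#!/bin/sh
# Added example (not from the original notes): check compiled-in suexec
# settings against the SUEXEC_* values you intended to build with.

# Sample -V output, copied from the listing above. On a real host use:
#   suexec -V 2>&1 | suexec_check SUEXEC_UMASK 022
# (2>&1 so the output is captured whichever stream the binary prints to).
SUEXEC_V_SAMPLE=' -D AP_DOC_ROOT="/home"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/apache2/suexec_log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_SUEXEC_UMASK=077
 -D AP_UID_MIN=1000
 -D AP_USERDIR_SUFFIX="public_html"'

# Print the value of the -D define named $1 from -V output on stdin,
# with surrounding double quotes stripped.
suexec_setting() {
    sed -n "s/^[[:space:]]*-D $1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p"
}

# Map a Gentoo SUEXEC_* build variable to the -D define it sets
# (mapping inferred from the matching defaults in the two tables above).
define_for_var() {
    case "$1" in
        SUEXEC_SAFEPATH) echo AP_SAFE_PATH ;;
        SUEXEC_LOGFILE)  echo AP_LOG_EXEC ;;
        SUEXEC_CALLER)   echo AP_HTTPD_USER ;;
        SUEXEC_DOCROOT)  echo AP_DOC_ROOT ;;
        SUEXEC_MINUID)   echo AP_UID_MIN ;;
        SUEXEC_MINGID)   echo AP_GID_MIN ;;
        SUEXEC_USERDIR)  echo AP_USERDIR_SUFFIX ;;
        SUEXEC_UMASK)    echo AP_SUEXEC_UMASK ;;
        *) return 1 ;;
    esac
}

# Return 0 if the compiled-in value for SUEXEC_* variable $1 (read from -V
# output on stdin) equals $2; otherwise report the mismatch and return 1.
suexec_check() {
    _def=$(define_for_var "$1") || { echo "unknown variable: $1" >&2; return 2; }
    _got=$(suexec_setting "$_def")
    if [ "$_got" = "$2" ]; then
        return 0
    fi
    echo "$1 ($_def): built with '$_got', wanted '$2'" >&2
    return 1
}
```

Running the check against the sample above with SUEXEC_UMASK 022 reports that the binary was built with 077, which is exactly the situation the Gentoo section is about: the variable has to be set before emerge, and this is how you confirm it took.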

Last modified: 19/10/2015

This website is a personal resource. Nothing here is guaranteed correct or complete, so use at your own risk and try not to delete the Internet. -Stephan
