suEXEC usage in Apache

Source: Internet
Author: User

What is suEXEC?

suEXEC was introduced in Apache 1.2. It lets CGI and SSI programs run under a user ID other than the one the web server itself runs as. Normally every CGI or SSI program is executed as the Apache server user; with suEXEC the program is executed as its owner (or as the User/Group configured for a virtual host), so one user's scripts run with that user's privileges only and cannot read or tamper with another user's files through the server account.

Used correctly, suEXEC makes a shared web server safer by confining each program to its owner's privileges. Set up incorrectly, it adds a setuid-root program to the system and with it a number of ways to compromise the host. If you are not familiar with how setuid programs work and the security problems they cause, we strongly recommend that you do not use suEXEC.

Prerequisites

Before reading the rest of this page, read the Apache Group's requirements and assumptions carefully.

First, the Apache Group assumes that you are running a UNIX or UNIX-like system that supports the setuid and setgid bits. All suEXEC examples here depend on that. On other platforms that support suEXEC, the configuration may differ from what is described for UNIX.

Second, you must understand basic system security and administration: how setuid/setgid work, what they do to the system, and the vulnerabilities that can arise from using them.

Third, the Apache Group has tried to keep the risk of suEXEC to a minimum. The code has been carefully scrutinized and tested by developers and testers, and it is written to fail closed rather than behave unpredictably. Modifying the source can introduce unpredictable vulnerabilities. Unless you are proficient in secure systems programming and willing to share your changes with the Apache Group, we recommend that you do not change the suEXEC source code.

Fourth, suEXEC is deliberately not part of Apache's default installation. An administrator must enable it explicitly at configure time and choose its parameters with care, because those parameters are compiled into the wrapper and define the boundary it enforces. The Apache Group expects administrators to plan a suEXEC deployment thoroughly before using it.

suEXEC Security Model

Before configuring and installing suEXEC, we describe its security model so that you understand what it does on each request and which protections it provides.

suEXEC is a "wrapper" program that Apache calls. The wrapper is installed setuid root; when a CGI or SSI request must run as another user, Apache invokes the wrapper, and the wrapper switches to the target user and group before executing the program.

Before it does so, the wrapper runs through the following checks. If any check fails, suEXEC logs the failure and refuses to execute the request:

Is the user calling the wrapper a valid user of this system? This ensures that the calling user actually exists.

Was the wrapper called with the proper number of arguments? The wrapper only executes if it receives the arguments it expects, in the format known to the Apache server. If the argument count is wrong, either someone is calling the wrapper directly, or the suEXEC portion of your Apache binary is broken.

Is the calling user allowed to run the wrapper? Only one user, the Apache server user, may call it.

Does the target program path contain an unsafe hierarchical reference? Program names beginning with "/" or ".." are rejected. The program must be located relative to the Apache web space.

Is the target user name valid? The user must exist on the system.

Is the target group name valid? The group must exist on the system.

Is the target user not the superuser? suEXEC does not allow "root" to execute CGI/SSI programs.

Is the target user ID above the configured minimum? The minimum UID is compiled in at configure time and sets the lowest UID permitted to run programs through the wrapper, which keeps system accounts out.

Is the target group not the superuser's group? suEXEC does not allow the "root" group to execute CGI/SSI programs.

Is the target group ID above the configured minimum? Likewise, the minimum GID is compiled in and sets the lowest GID permitted, which keeps system groups out.

Can the wrapper successfully become the target user and group? Here the wrapper calls setgid and setuid to become the target; the group access list is also initialized with all the groups the target user belongs to.

Does the directory containing the program exist? If it does not, the program cannot exist either.

Is that directory within the Apache web space? For a request on the main server or a virtual host, the directory must be under the server document root; for a ~user request, it must be under that user's document root.

Is the directory not writable by anyone else? Only the directory owner may alter its contents; if the group or others can write to the directory, the request is refused.

Does the program exist? A program that does not exist cannot be executed.

Is the program not writable by anyone else? Only the program owner may change it.

Is the program not setuid or setgid? suEXEC does not execute programs that would change the UID or GID again after the wrapper has already done so.

Is the target user/group the same as the owner and group of the program and its directory? The request runs only if the user and group it asks for are the ones that own the program.

Can the process environment be cleaned safely? suEXEC replaces PATH with the safe path defined at configure time and passes through only those environment variables whose names appear in its safe-environment list (also fixed at configure time).

Can the wrapper become the target program and execute it? Here suEXEC ends and the target program begins.

This is the standard operating model of the suEXEC wrapper. It is strict, and it places restrictions on how CGI/SSI programs may be written and deployed, but every one of these checks has to be kept in mind when you design your setup.
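The following checker, an added example written for this page and not part of Apache or suEXEC, reimplements the target-side checks above in Python so that you can test a script and its directory before putting it behind the wrapper. The function names, the constructed temporary docroot built by demo(), and the minimum IDs of 100 are this example's own assumptions; it does not replace the wrapper's own checks, which run on every request.

```python
import os
import stat
import tempfile

# Minimum IDs: the default of 100 for both (assumption for this example).
UID_MIN = 100
GID_MIN = 100


def identity_problems(uid, gid, uid_min=UID_MIN, gid_min=GID_MIN):
    """Policy checks on the target uid/gid (no filesystem access)."""
    problems = []
    if uid == 0:
        problems.append("target user is root")
    if uid < uid_min:
        problems.append("target uid %d is below the minimum %d" % (uid, uid_min))
    if gid == 0:
        problems.append("target group is the superuser group")
    if gid < gid_min:
        problems.append("target gid %d is below the minimum %d" % (gid, gid_min))
    return problems


def command_problems(cmd):
    """A command beginning with '/' or '..' is an unsafe hierarchical reference."""
    if cmd.startswith("/") or cmd.startswith(".."):
        return ["command %r starts with '/' or '..'" % cmd]
    return []


def filesystem_problems(docroot, cmd, uid, gid):
    """Directory and file checks for cmd, which is taken relative to docroot."""
    problems = []
    root = os.path.realpath(docroot)
    directory = os.path.realpath(os.path.join(root, os.path.dirname(cmd)))
    if directory != root and not directory.startswith(root + os.sep):
        problems.append("directory %s is outside the docroot %s" % (directory, root))
    try:
        dst = os.stat(directory)
    except OSError:
        return problems + ["directory %s does not exist" % directory]
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("directory %s is writable by others" % directory)
    program = os.path.join(directory, os.path.basename(cmd))
    try:
        pst = os.stat(program)
    except OSError:
        return problems + ["program %s does not exist" % program]
    if pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("program %s is writable by others" % program)
    if pst.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("program %s is setuid or setgid" % program)
    owners = {(dst.st_uid, dst.st_gid), (pst.st_uid, pst.st_gid)}
    if owners != {(uid, gid)}:
        problems.append("target %d/%d does not own both the directory and the program" % (uid, gid))
    return problems


def check(docroot, cmd, uid, gid):
    """All checks together; an empty list means suEXEC would accept the request."""
    return (identity_problems(uid, gid) + command_problems(cmd)
            + filesystem_problems(docroot, cmd, uid, gid))


def demo():
    """Constructed sample layout in a temporary directory: one clean script and
    three that fail different checks.  Returns {name: problems}.  The identity
    policy is not applied to them because the files belong to whoever runs this."""
    results = {}
    with tempfile.TemporaryDirectory() as docroot:
        uid, gid = os.stat(docroot).st_uid, os.stat(docroot).st_gid
        cgi = os.path.join(docroot, "cgi-bin")
        os.mkdir(cgi)
        os.chmod(cgi, 0o755)
        script = "#!/bin/sh\necho 'Content-type: text/plain'\necho\necho ok\n"  # constructed
        for name, mode in (("good.cgi", 0o755), ("groupwrite.cgi", 0o775),
                           ("setuid.cgi", 0o4755)):
            with open(os.path.join(cgi, name), "w") as f:
                f.write(script)
            os.chmod(os.path.join(cgi, name), mode)
        for name in ("good.cgi", "groupwrite.cgi", "setuid.cgi", "missing.cgi"):
            cmd = "cgi-bin/" + name
            results[name] = command_problems(cmd) + filesystem_problems(docroot, cmd, uid, gid)
        # a request that tries to walk out of the docroot
        results["escape"] = check(docroot, "../etc/passwd", 1000, 1000)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it as the account that will own the scripts, with the docroot and command exactly as Apache would pass them (the command relative to the docroot), and fix every problem it reports before enabling the wrapper; a script that passes here can still be refused at runtime if the target uid/gid in the request differ from the owner.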

For more about how these restrictions affect server configuration, and how to avoid the vulnerabilities suEXEC can introduce, see the "Beware the Jabberwock" section of the official suEXEC documentation.

Configuring and installing suEXEC

Now we actually build suEXEC into Apache. If you are using Apache 1.2, or the src/Configure interface of Apache 1.3, you must edit the suEXEC header file by hand and install the binary in the correct location yourself; that procedure is described in the suEXEC documentation that ships with the source. The following sections describe the Autoconf-style interface (APACI) of Apache 1.3.

suEXEC APACI configuration options

--enable-suexec

Enables the suEXEC feature, which is disabled by default. At least one --suexec-xxxxx option must also be given so that APACI knows how to configure the wrapper.

--suexec-caller=UID

The user name under which Apache's child processes run, and the only user permitted to call suEXEC. This should match the User directive of your main server.

--suexec-docroot=DIR

The root of the web space under which programs may be run through suEXEC. Only programs in this directory and its subdirectories can use the wrapper. The default is the --datadir value with "/htdocs" appended; for example, with --datadir=/home/apache, programs under "/home/apache/htdocs" may use the wrapper.

--suexec-logfile=FILE

The file to which suEXEC logs every execution and every error, for auditing and debugging. The default is "suexec_log" in the --logfiledir directory.

--suexec-userdir=DIR

The subdirectory of each user's home directory that holds that user's web pages; ~user requests are allowed only inside it, so everything under it is executable through suEXEC as that user and should be trusted. If you use a simple UserDir directive (one without a "*" wildcard), set this to the same value. suEXEC will not work if UserDir points somewhere other than the home directory recorded for the user in the password file. The default is "public_html". If you have virtual hosts with a different UserDir for each, put them all under one parent directory and name that parent here. If this option is not set correctly, all "~userdir" CGI requests will fail.

--suexec-uidmin=UID

The lowest user ID allowed to use suEXEC. The default is 100; most systems reserve UIDs below 100 or below 500 for system accounts, so choose the value that matches your system.

--suexec-gidmin=GID

The lowest group ID allowed to use suEXEC. The default is 100.

--suexec-safepath=PATH

The PATH that suEXEC sets for the CGI programs it executes. The default is "/usr/local/bin:/usr/bin:/bin".

Checking the suEXEC settings

Before compiling and installing, run the configure script with the --layout option to review the suEXEC settings it will compile in. Example output:

suEXEC setup:
    suexec binary: /usr/local/apache/sbin/suexec
    document root: /usr/local/apache/share/htdocs
    userdir suffix: public_html
    logfile: /usr/local/apache/var/log/suexec_log
    safe path: /usr/local/bin:/usr/bin:/bin
    caller ID: www
    minimum user ID: 100
    minimum group ID: 100

Compiling and installing the suEXEC wrapper

If you enabled suEXEC with --enable-suexec, the wrapper is built automatically when you run "make".

"make install" installs all Apache components and places the wrapper in the directory given by --sbindir; by default that is "/usr/local/apache/sbin/suexec". Note that you must be root to complete the installation. For the wrapper to be able to change user, it must be owned by root and have the setuid bit set, so make root the owner of suexec and set its setuid bit, and verify both before relying on it.
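To confirm that the installed wrapper is in the state the install step must leave it in, here is a small added check (an example for this page, not part of Apache). The default path is taken from the --layout output above; what it verifies is root ownership, the setuid bit, and that nobody else can write to the binary.

```python
import os
import stat

# Assumed default from the --layout output shown above.
DEFAULT_WRAPPER = "/usr/local/apache/sbin/suexec"


def wrapper_problems(st_mode, st_uid):
    """Pure check on a mode and owner, so it can be exercised without root."""
    problems = []
    if st_uid != 0:
        problems.append("not owned by root (owner uid %d)" % st_uid)
    if not st_mode & stat.S_ISUID:
        problems.append("setuid bit not set")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    if not st_mode & stat.S_IXUSR:
        problems.append("not executable")
    return problems


def check_wrapper(path=DEFAULT_WRAPPER):
    """Return (present, problems) for the wrapper at path."""
    try:
        st = os.stat(path)
    except OSError:
        return False, ["wrapper %s not found" % path]
    return True, wrapper_problems(st.st_mode, st.st_uid)


if __name__ == "__main__":
    present, problems = check_wrapper()
    print("OK" if present and not problems else "; ".join(problems))
```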

Enabling and disabling suEXEC

On startup, the Apache parent process looks for the "suexec" program in the sbin directory (by default "/usr/local/apache/sbin/suexec"). If it finds a wrapper with the correct ownership and setuid bit, it records this in the error log:

[notice] suEXEC mechanism enabled (wrapper: /path/to/suexec)

If this line does not appear in the error log after startup, the server either could not find the wrapper or the wrapper is not setuid root.

You cannot enable suEXEC in a running server: you must stop Apache and start it again. Sending HUP or USR1 is not sufficient. To disable suEXEC, stop the server, remove the suexec binary from the sbin directory, and then start the server again.

Using suEXEC

Virtual hosts:

Inside a <VirtualHost> definition, the User and Group directives set the user and group that suEXEC runs CGI programs as for that host. Once they are set, every CGI request for the host is executed as that user and group. If a virtual host declares no User or Group, the main server's user and group are used, and suEXEC gives that host no separation from the main server.

User directories:

The suEXEC wrapper can also execute CGI programs as the user whose directory is being requested. This happens when the request path begins with "~" followed by the user name, which the server maps to that user's web directory. The only requirements are that CGI execution is enabled for the user's directory and that the program passes the security checks described above.
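An httpd.conf fragment for Apache 1.3 showing both uses, added here as an example for this page rather than taken from Apache's own documentation. Addresses, host names, paths and account names (www, alice, bob) are assumptions; the DocumentRoots sit under the --suexec-docroot default from the layout shown above.

```apache
# Main server identity: this account is the --suexec-caller user.
User www
Group www

NameVirtualHost 192.0.2.10

# Weak: no User/Group inside the VirtualHost, so every CGI under this
# host runs as the main server user (www) and suEXEC isolates nothing.
<VirtualHost 192.0.2.10>
    ServerName weak.example.com
    DocumentRoot /usr/local/apache/share/htdocs/weak
    ScriptAlias /cgi-bin/ /usr/local/apache/share/htdocs/weak/cgi-bin/
</VirtualHost>

# Corrected: User/Group name the account that owns this host's files.
# suEXEC runs each CGI as alice/alice and refuses the request if the
# script or its directory is not owned by alice or is writable by others.
<VirtualHost 192.0.2.10>
    ServerName alice.example.com
    User alice
    Group alice
    DocumentRoot /usr/local/apache/share/htdocs/alice
    ScriptAlias /cgi-bin/ /usr/local/apache/share/htdocs/alice/cgi-bin/
</VirtualHost>

# Per-user directories: a request for /~bob/cgi-bin/x.cgi runs x.cgi as
# bob, provided UserDir matches --suexec-userdir (public_html here) and
# CGI execution is enabled for that tree.
UserDir public_html
<Directory /home/*/public_html/cgi-bin>
    Options ExecCGI
    SetHandler cgi-script
</Directory>
```

The difference between the two virtual hosts is only the User and Group lines, but that is what decides whether a flaw in one customer's script is confined to that customer's account or runs with the privileges of the server account that serves every host.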

Debugging suEXEC

Every suEXEC invocation is logged to the file given by --suexec-logfile. If you believe your configuration is correct but suEXEC still refuses requests, read that log together with the server's error_log; between them they show which check failed.
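Here is an added example for triaging suexec_log, written for this page and not part of Apache. The sample lines are constructed; they follow the "[date time]: message" shape of the 1.3 wrapper's log, in which a successful run is logged as "uid: (target/actual) gid: (target/actual) cmd: script" and a refusal as its reason text, but the exact message strings are an assumption to be checked against your own log.

```python
import re
from collections import Counter

# Constructed sample lines (not from a real server); format as assumed above.
SAMPLE_LOG = """\
[2003-05-12 10:11:12]: uid: (alice/alice) gid: (alice/alice) cmd: hello.cgi
[2003-05-12 10:11:40]: command not in docroot (/home/alice/../../etc/passwd)
[2003-05-12 10:12:03]: file is writable by others: (/home/bob/public_html/cgi-bin/upload.cgi)
[2003-05-12 10:12:05]: file is writable by others: (/home/bob/public_html/cgi-bin/upload.cgi)
[2003-05-12 10:13:00]: cannot run as forbidden uid (0/root)
[2003-05-12 10:13:30]: uid: (#1002/bob) gid: (#1002/bob) cmd: guest.cgi
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]: (?P<msg>.*)$")
OK_RE = re.compile(r"^uid: \((?P<uid>[^)]+)\) gid: \((?P<gid>[^)]+)\) cmd: (?P<cmd>.+)$")
# Refusals that point at a policy breach or probing rather than a permissions slip.
SUSPICIOUS = ("command not in docroot", "forbidden uid", "forbidden gid",
              "setuid or setgid", "user mismatch", "invalid command")


def parse(text):
    """One dict per log line; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ok = OK_RE.match(m.group("msg"))
        if ok:
            # the account actually used is the part after the slash
            events.append({"ts": m.group("ts"), "ok": True,
                           "user": ok.group("uid").split("/")[-1],
                           "cmd": ok.group("cmd")})
        else:
            events.append({"ts": m.group("ts"), "ok": False, "reason": m.group("msg")})
    return events


def reason_key(reason):
    """Strip the per-request detail in parentheses so refusals can be counted."""
    return re.sub(r":? \(.*$", "", reason)


def triage(text):
    """Counts of executions and refusals, refusals by reason, reasons seen
    more than once, and refusals whose reason deserves a closer look."""
    events = parse(text)
    refused = [e for e in events if not e["ok"]]
    reasons = Counter(reason_key(e["reason"]) for e in refused)
    return {
        "executed": len(events) - len(refused),
        "refused": len(refused),
        "reasons": dict(reasons),
        "repeated": sorted(r for r, n in reasons.items() if n > 1),
        "flagged": [e for e in refused if any(s in e["reason"] for s in SUSPICIOUS)],
        "users": sorted({e["user"] for e in events if e["ok"]}),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("executed: %d  refused: %d" % (summary["executed"], summary["refused"]))
    for reason, n in summary["reasons"].items():
        print("%3d  %s" % (n, reason))
    for e in summary["flagged"]:
        print("LOOK:", e["ts"], e["reason"])
```

A refusal such as "file is writable by others" repeating for the same script is almost always a deployment mistake to fix with chmod; "command not in docroot" or "cannot run as forbidden uid" means a request asked the wrapper for something the policy forbids, which is worth correlating with the access log to see who sent it.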

suEXEC considerations

Directory hierarchy restrictions

For security and efficiency, every suEXEC request must stay within one top-level document root for virtual host requests, or within one top-level personal document root for ~user requests. For example, if you configure four virtual hosts, their document roots must all sit under one main Apache document hierarchy (the --suexec-docroot directory) for suEXEC to work for all of them.

suEXEC's PATH environment variable

Changing the safe path compiled into suEXEC can open a security hole. Make sure every directory in it is trusted; an untrusted or writable directory in the PATH lets anyone plant a trojan program that CGI scripts will then run as their owner.

Altering the suEXEC source code

Modifying the suEXEC source without understanding it can cause serious problems. Leave it alone if at all possible.
