suexec

-r-s--x---  2 root apache 18832 Jan 28 01:31 /usr/sbin/suexec
 

This is an Apache helper program. Its purpose is to allow a web site to let individual users execute cgi-bin programs for their sub-site without jeopardizing the security of other users. As you can see above, it is set-uid root, but can only be executed by the apache group. There's more to it though: the binary has been compiled with the apache username specified and it will ONLY work when the user apache is the caller.

It has to be setuid root so that it can in turn assume the ordinary user's id while executing the cgi script. What we have is Apache, not running as root, using this setuid binary to become root just long enough to become the user who's script is about to be executed. That means that the ultimate cgi script can only do things that the individual user could do anyway - it's not running as root or as apache.

But a setuid script owned by root could be dangerous. If anyone could run suexec, anyone could do anything they like. You'd have no security at all. So the apache id is compiled in, and it checks itself against that. It also checks that it has been properly invoked, which is something the man page doesn't tell you how to do. The docs explain:

 The wrapper will only execute if it is given the proper number of
 arguments. The proper argument format is known to the Apache web
 server. If the wrapper is not receiving the proper number of
 arguments, it is either being hacked, or there is something wrong
 with the suEXEC portion of your Apache binary.
 

And there are more checks. The binary itself does all the checking it can to avoid being a tool which someone could use to thwart the intended security.

Apparently earlier versions had some Pam support, but it looks like that has been removed: http://lists.debian.org/debian-apache/2004/08/msg00386.html.
If this page was useful to you, please click to help others find it:  

Comments?

More Articles by Tony Lawrence - Find me on Google+

Jump to Comments

Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.

Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.

We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.