Commit d818e596 authored by ale's avatar ale
Browse files


parent 879f885b
A slightly improved (and massively simplified) *suexec* wrapper for
Apache [mod_suexec](
It's meant for a very specific and narrow use case: multi-tenant large
scale website hosting of PHP websites. It drops some of the standard
*suexec* features that we weren't using anyway (namely, user home
directory support).
It also gets rid of the somewhat arbitrary assumption made by the
default Apache suexec wrapper on document root layout, in favor of a
more explicit and configuration-based approach.
# Usage
Basic usage is simply what you would expect of a *suexec* wrapper:
dump it in the right place (like /usr/lib/apache2/suexec), configure
*mod_suexec* and let Apache invoke it.
There are some differences in behavior with respect to the default
wrapper, and it's unlikely that *suexec-sandbox* will work out of the
box. Let's see what they are.
## Configuration
The suexec-sandbox wrapper requires a configuration file for its
operation. Its location is hard-coded to
`/etc/apache2/suexec-sandbox.conf`. The configuration file consists of
a series of directives, one per line. Empty lines are ignored, as are
comments (introduced by the *#* character). Directives consist of a
name and a value, separated by a space.
Known directives:
`path` - sets the safe PATH for the wrapped program environment
(default: /bin:/usr/bin).
`allowed_cmd` - add the value to the list of allowed commands (can be
specified multiple times).
`docroot` - add the value to the list of allowed DocumentRoot prefixes
(can be specified multiple times).
`min_uid` - set the minimum UID limit
`min_gid` - set the minimum GID limit
## NSS
The wrapper does not use libnss or interact with the user/group
databases in any way, so you **MUST** use numeric UIDs and GIDs in
your Apache configuration.
......@@ -24,7 +24,8 @@
#include <time.h>
#include <unistd.h>
#define SUEXEC_CONFIGURATION "/etc/apache2/suexec-ai.conf"
#define SUEXEC_CONFIGURATION "/etc/apache2/suexec-sandbox.conf"
#define DEFAULT_SAFE_PATH "/bin:/usr/bin"
#define MAX_ENV_SIZE 256
#define MAX_LINE_SIZE 1024
......@@ -118,6 +119,9 @@ static int read_config(const char *path, struct config *config) {
int r = 0, lineno = 1;
FILE *fp = NULL;
// Set defaults.
config->path = DEFAULT_SAFE_PATH;
fp = fopen(path, "r");
if (!fp) {
log_printf("Could not open configuration file %s", path);
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment