Suexec

From CSCWiki
Revision as of 18:16, 22 March 2010 by Jbroman (talk | contribs) (add Suexec to Software category)

suexec is used to allow Apache to isolate certain sites from the rest of the system by running them as users other than www-data (for example, webmail is run as www-webmail). The global suexec configuration is /etc/apache2/suexec/www-data, and suexec logs to /var/log/apache2/suexec.log.

Site Setup

Here's an example of what's needed to isolate a specific site with suexec (this example is the setup for the webmail). Each file is shown as its directory listing entry followed by its contents.

dr-xr-xr-x 2 www-webmail www-webmail 4096 2010-01-20 21:57 /var/lib/roundcube/fcgi-wrapper

-r-xr-xr-x 1 www-webmail www-webmail   95 2010-01-20 21:57 php-cgi
#!/bin/sh
export PHP_FCGI_CHILDREN=0
export PHP_FCGI_MAX_REQUESTS=4000
exec /usr/bin/php5-cgi

-rwxr-xr-x 1 root        root          71 2010-01-20 21:34 php-cgi-suexec
#!/bin/sh
exec /usr/lib/apache2/suexec www-webmail www-webmail php-cgi

And here is the relevant line in the vhost configuration:

FCGIWrapper "/var/lib/roundcube/fcgi-wrapper/php-cgi-suexec" .php

Note: As Apache seems to hang on reload, the init.d script for Apache has been modified to kill off all processes belonging to www-wiki and www-webmail. Though not an ideal solution, this should alleviate the immediate issue.
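
suexec refuses to run a target whose ownership or mode is wrong and records the refusal in /var/log/apache2/suexec.log. The script below is an added example, not part of the original wiki page: it checks a wrapper directory and program against the ownership and permission rules of Apache's suexec security model before the site is enabled. The function names are hypothetical, and it assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not from the wiki page. Needs GNU stat (Linux).

# suexec_path_ok PATH USER GROUP
# Passes when PATH is owned by USER:GROUP, is not writable by group or
# other, and (for a regular file) is owner-executable with no setuid or
# setgid bit. These mirror checks suexec makes before it runs a program.
suexec_path_ok() {
    [ -e "$1" ] || { echo "FAIL $1: does not exist"; return 1; }
    owner=$(stat -c '%U:%G' "$1")
    mode=$(stat -c '%a' "$1")
    rc=0
    if [ "$owner" != "$2:$3" ]; then
        echo "FAIL $1: owned by $owner, expected $2:$3"; rc=1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $1: mode $mode is group- or other-writable"; rc=1
    fi
    if [ -f "$1" ]; then
        if [ $(( 0$mode & 06000 )) -ne 0 ]; then
            echo "FAIL $1: mode $mode has setuid/setgid set"; rc=1
        fi
        if [ $(( 0$mode & 0100 )) -eq 0 ]; then
            echo "FAIL $1: mode $mode is not owner-executable"; rc=1
        fi
    fi
    return $rc
}

# check_suexec_wrapper DIR PROG USER GROUP
# PROG must be a name relative to DIR: suexec rejects a command that
# starts with "/" or "../" or contains "/../", so this does the same.
check_suexec_wrapper() {
    case $2 in
        /*|../*|*/../*) echo "FAIL $2: must be a relative name inside $1"; return 1 ;;
    esac
    status=0
    suexec_path_ok "$1" "$3" "$4" || status=1
    suexec_path_ok "$1/$2" "$3" "$4" || status=1
    return $status
}

# Usage: sh check.sh /var/lib/roundcube/fcgi-wrapper php-cgi www-webmail www-webmail
if [ $# -eq 4 ]; then
    check_suexec_wrapper "$@"
fi
```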