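The suEXEC feature lets Apache run CGI and SSI programs under a user ID different from the user ID of the calling web server. Normally, a CGI or SSI program runs as the same user as the web server.

Used properly, this feature considerably reduces the security risk of letting users develop and run their own CGI or SSI programs. However, a badly configured suEXEC can cause many problems and open new holes in the computer's security. If you are not familiar with managing setuid root programs and the security issues they raise, we strongly recommend that you do not use suEXEC.

Before we begin, here are the assumptions made by the Apache Group and by this document.

First, it is assumed that you are using a UNIX-derived operating system that supports setuid and setgid operations. All command examples are given on that basis. Other platforms that support suEXEC may differ in configuration.

Second, it is assumed that you are familiar with the basic concepts of computer security and administration. This includes understanding setuid/setgid operations and the effects they can have on the system and its level of security.

Third, it is assumed that you are using an unmodified version of the suEXEC code. All of the suEXEC code has been carefully examined and tested by the developers and by many beta testers. Every precaution has been taken to keep the code simple and solidly safe. Altering it can cause unexpected problems and new security risks. Unless you are well versed in security programming and willing to share your work with the Apache Group for review, we strongly recommend that you do not alter the suEXEC code.

Fourth and last, the Apache Group has decided not to make suEXEC part of the default Apache installation. suEXEC configuration therefore requires the administrator's careful attention to detail. After considering the various suEXEC settings, the administrator can install suEXEC by the normal installation methods. The administrator must determine and specify these values carefully in order to maintain system security while suEXEC is in use. Through this detailed process the Apache Group hopes to limit suEXEC installation to those careful and determined enough to use it.

Still want to use it? Yes? Good. Let's begin!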


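suEXEC Security Model

Before configuring and installing suEXEC, we first discuss the security model. Doing so gives a better understanding of exactly what happens inside suEXEC and what precautions are taken for the security of the system.

suEXEC is based on a setuid "wrapper" program that the main Apache web server calls. The wrapper is called when an HTTP request is made for a CGI or SSI program that the administrator has designated to run as a userid other than that of the main server. On such a request, Apache passes the suEXEC wrapper the program's name and the user and group IDs under which the program is to run.

The wrapper then goes through the following process to determine success or failure. If any one of these conditions fails, the program logs the failure and exits with an error; otherwise it continues: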

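  1. Is the user executing the wrapper a valid user of this system?

    This ensures that the user executing the wrapper really is a user of the system.

  2. Was the wrapper called with the proper number of arguments?

    The wrapper runs only when it is given the proper number of arguments. The Apache web server knows the proper argument format. If the wrapper does not receive the proper number of arguments, either it is being hacked or something is wrong with the suEXEC portion of the Apache binary.

  3. Is this valid user allowed to run the wrapper?

    Is this user the one allowed to run the wrapper? Only one user (the Apache user) may execute this program.

  4. Does the target CGI or SSI program have an unsafe hierarchical reference?

    Does the path of the target CGI or SSI program begin with '/' or contain a '..' back-reference? These are not allowed. The target CGI/SSI program must reside within suEXEC's document root (see --with-suexec-docroot=DIR below).

  5. Is the target user name valid?

    Does the target user exist?

  6. Is the target group name valid?

    Does the target group exist?

  7. Is the target user not the superuser?

    At present, suEXEC does not allow root to execute CGI/SSI programs.

  8. Is the target userid above the minimum ID number?

    The minimum user ID number is specified at configuration time. It sets the lowest userid that is allowed to execute CGI/SSI programs. This is useful for blocking "system" accounts.

  9. Is the target group not the superuser group?

    At present, suEXEC does not allow the root group to execute CGI/SSI programs.

  10. Is the target groupid above the minimum ID number?

    The minimum group ID number is specified at configuration time. It sets the lowest groupid that is allowed to execute CGI/SSI programs. This is useful for blocking "system" groups.

  11. Can the wrapper successfully become the target user and group?

    At this step the program becomes the target user and group through setuid and setgid calls. The group access list is also initialized with all the groups of which the user is a member.

  12. Can we change directory to the one in which the CGI/SSI program resides?

    If the directory does not exist, it cannot contain files. If we cannot change directory to it, it might as well not exist.

  13. Is the directory within the Apache webspace?

    If the request is for a regular portion of the server, is the requested directory within suEXEC's document root? If the request is for a UserDir, is the requested directory within the directory configured as suEXEC's userdir (see the suEXEC configuration options)?

  14. Is the directory not writable by anyone else?

    We do not want to open the directory to others. Only the owner may alter the directory's contents.

  15. Does the target CGI/SSI program exist?

    If it does not exist, it cannot be executed.

  16. Is the target CGI/SSI program not writable by anyone else?

    We do not want anyone other than the owner to be able to change the CGI/SSI program.

  17. Is the target CGI/SSI program not setuid or setgid?

    We do not want to execute programs that will then change the UID/GID again.

  18. Is the target user/group the same as the program's user/group?

    Is the user the owner of the file?

  19. Can we successfully clean the process environment to ensure safe operation?

    suEXEC cleans the process environment by establishing a safe execution PATH (defined at configuration time) and by passing through only those variables whose names appear in the safe environment-variable list (also created at configuration time).

  20. Can we successfully become the target CGI/SSI program and execute?

    This is where suEXEC ends and the target CGI/SSI program begins.

This is the standard operation of the suEXEC wrapper's security model. It is somewhat strict and imposes new limits and guidelines on CGI/SSI design, but it was developed carefully, step by step, with security in mind.

For how this security model can limit your server configuration, and which security risks a proper suEXEC setup avoids, see the "Beware the Jabberwock" section of this document.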
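The file-system checks 14 to 18 above can be reproduced before deployment to find out why the wrapper would refuse a script. The shell functions below are an added example, not Apache's code: `suexec_precheck` and `has_any` are hypothetical names, the target user and group are passed as numeric IDs, and "anyone else" is taken to mean group or others.

```sh
#!/bin/sh
# Added example (not part of Apache): checks 14-18 of the suEXEC security
# model, reproduced with POSIX find. suexec_precheck and has_any are
# hypothetical helper names.

# has_any PATH EXPR...: true if PATH itself matches the find expression.
has_any() {
    p=$1; shift
    [ -n "$(find "$p" -prune \( "$@" \) -print 2>/dev/null)" ]
}

# suexec_precheck SCRIPT UID GID
# Prints the number of the first failed check and returns 1,
# or prints "ok" and returns 0.
suexec_precheck() {
    script=$1; uid=$2; gid=$3
    dir=$(dirname "$script")

    # 14: the directory must not be writable by group or others
    if has_any "$dir" -perm -020 -o -perm -002; then echo 14; return 1; fi
    # 15: the target program must exist
    if [ ! -f "$script" ]; then echo 15; return 1; fi
    # 16: the program must not be writable by group or others
    if has_any "$script" -perm -020 -o -perm -002; then echo 16; return 1; fi
    # 17: the program must not be setuid or setgid
    if has_any "$script" -perm -4000 -o -perm -2000; then echo 17; return 1; fi
    # 18: the program must be owned by the target user and group
    if ! has_any "$script" -user "$uid" -group "$gid"; then echo 18; return 1; fi
    echo ok
}
```

A typical call is `suexec_precheck /home/alice/public_html/cgi-bin/form.cgi 1001 1001`, where the path and IDs are placeholders for your own.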


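Configuring & Installing suEXEC

Here is where the fun begins.

suEXEC configuration options

--enable-suexec
    This option enables the suEXEC feature, which is never installed or activated by default. For APACI to accept a request for the suEXEC feature, at least one --with-suexec-xxxxx option must be given together with --enable-suexec.
--with-suexec-bin=PATH
    For security reasons the path to the suexec binary must be hard-coded in the server. Use this option to override the default path, e.g. --with-suexec-bin=/usr/sbin/suexec
--with-suexec-caller=UID
    The user name under which Apache normally runs. This is the only user allowed to execute the program.
--with-suexec-userdir=DIR
    Defines the subdirectory under users' home directories where suEXEC access is allowed. suEXEC executes every executable under this directory as the user, so those programs should be "safe". If you use a "simple" UserDir directive (that is, one without a "*" in it), set this to the same value. suEXEC does not work properly when the UserDir directive points somewhere other than the user's home directory as given in the passwd file. The default value is "public_html".
    If you have virtual hosts with a different UserDir for each, you must define them so that they all reside in one parent directory, and name that parent directory here. If this is not defined properly, "~userdir" cgi requests will not work!
--with-suexec-docroot=DIR
    Defines the DocumentRoot set for Apache. This is the only hierarchy (aside from UserDirs) that can be used with suEXEC. The default directory is the --datadir value with the suffix "/htdocs". If you configure with "--datadir=/home/apache", the suEXEC wrapper uses the directory "/home/apache/htdocs" as its document root.
--with-suexec-uidmin=UID
    Defines the lowest UID allowed as a target user for suEXEC. On most systems 500 or 100 is common. The default value is 100.
--with-suexec-gidmin=GID
    Defines the lowest GID allowed as a target group for suEXEC. On most systems 100 is common, so it is the default value.
--with-suexec-logfile=FILE
    Defines the name of the log file that records all suEXEC transactions and errors (useful for auditing and debugging). By default the log file is named "suexec_log" and is located in the standard log file directory (--logfiledir).
--with-suexec-safepath=PATH
    Defines the safe PATH environment variable passed to CGI executables. The default value is "/usr/local/bin:/usr/bin:/bin".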

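Compiling and installing the suEXEC wrapper
If you enabled the suEXEC feature with the --enable-suexec option, running the make command builds the suexec binary automatically (together with Apache itself).
After everything has been built, run make install to install it. The suexec binary is installed in the directory given by the --sbindir option. The default location is "/usr/local/apache2/sbin/suexec".
Note that the installation step requires root privileges. For the wrapper to be able to set the user ID, its owner must be root and the setuserid execution bit must be set in its file mode.

Setting paranoid permissions
Although the suEXEC wrapper checks that its caller is the correct user, as given by the --with-suexec-caller configure option, a system or library call that suEXEC makes before this check could still be exploitable on your system. To counter this, and because it is good practice in general, use filesystem permissions so that only the group Apache runs as can execute suEXEC.

For example, if your web server is configured as:

User www
Group webgroup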

and suexec is installed at "/usr/local/apache2/sbin/suexec", you should run:

chgrp webgroup /usr/local/apache2/sbin/suexec
chmod 4750 /usr/local/apache2/sbin/suexec

This ensures that only the group Apache runs as can execute the suEXEC wrapper.
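To confirm the result of these two commands, or to audit an existing installation, the wrapper's owner, group and mode can be checked in one pass. This is an added example, not part of the Apache distribution: `audit_suexec_wrapper` and `wrapper_is` are hypothetical names, and the expected owner defaults to root as the installation step requires.

```sh
#!/bin/sh
# Added example (not part of Apache): audit the installed suEXEC wrapper
# against the ownership and mode 4750 described above.

# audit_suexec_wrapper WRAPPER GROUP [OWNER]
# GROUP is the group Apache runs as; OWNER defaults to root.
# Prints one finding per line. Returns 0 if clean, 1 on findings,
# 2 if the wrapper file is missing.
audit_suexec_wrapper() {
    w=$1; grp=$2; own=${3:-root}; rc=0
    if [ ! -f "$w" ]; then echo "missing: $w"; return 2; fi

    # wrapper_is EXPR...: true if the wrapper matches the find expression
    wrapper_is() { [ -n "$(find "$w" -prune "$@" -print 2>/dev/null)" ]; }

    if ! wrapper_is -user "$own"; then
        echo "owner is not $own"; rc=1
    fi
    if ! wrapper_is -group "$grp"; then
        echo "group is not $grp"; rc=1
    fi
    if ! wrapper_is -perm -4000; then
        echo "setuid bit is not set"; rc=1
    fi
    if wrapper_is -perm -001; then
        echo "executable by others: any local user can invoke the wrapper"; rc=1
    fi
    if wrapper_is -perm -020 || wrapper_is -perm -002; then
        echo "writable by group or others"; rc=1
    fi
    return $rc
}
```

With the configuration shown above the call would be `audit_suexec_wrapper /usr/local/apache2/sbin/suexec webgroup`.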



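On startup, Apache looks for the suexec file in the directory given by the --sbindir option (default "/usr/local/apache2/sbin/suexec"). If Apache finds a properly configured suEXEC wrapper, it writes the following to the error log:

[notice] suEXEC mechanism enabled (wrapper: /path/to/suexec)

If you do not see this message at server startup, the server most likely did not find the wrapper program where it expected it, or the file is not installed setuid root.

If you want to enable suEXEC for the first time and an Apache server is already running, you must kill and restart Apache. Restarting with a simple HUP or USR1 signal is not enough.

To disable suEXEC, remove the suexec file, then kill and restart Apache.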


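Using suEXEC

Requests for CGI programs call the suEXEC wrapper only when they are for a virtual host that uses the SuexecUserGroup directive or when they are handled by mod_userdir.

One way to use the suEXEC wrapper is the SuexecUserGroup directive in a VirtualHost definition. When this directive is set to values different from the main server's user ID, all requests for CGI resources are executed as the User and Group defined for that <VirtualHost>. If the directive is absent from a <VirtualHost>, the main server userid is used.

User directories:
Requests handled by mod_userdir call the suEXEC wrapper to execute CGI programs under the user ID of the requested user directory. The only requirements are that CGI execution is enabled for that user ID and that the script passes the security checks above. See also the configure option --with-suexec-userdir.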



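The suEXEC wrapper writes log information to the file given by the --with-suexec-logfile option described above. If you believe you have configured and installed the wrapper correctly, look at this log file and the server's error_log to see where things went wrong.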


Beware the Jabberwock: Warnings & Examples

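Note! This section may be incomplete. For the latest version of this section, see the Apache Group's online documentation.

A few points about the wrapper limit how the server can be set up. Review them before reporting any "bugs" in suEXEC.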

