Apache & SUexec

I'm running an Apache box (on FreeBSD 4.4-stable) with a growing number of Virtualhosts. Many of the websites use cgi- or PHP scripts which write information to specific files, which are subsequently 'owned' by Apache's UID and GID, and therefore no longer useable for the actual owner of the website.

I know that SUexec resolves these things, letting scripts run under the UID of the actual user.

Is there anyone here who's got experience with setting it up. I install Apache from the FreeBSD ports, and know that some changes have to made to the actual Makefile in order for it to build with SUexec. What things should I keep in mind, etc. I've already looked at the Apache docs, but would like to hear some experiences 'from the field' :-)

Regards,
Wilco.

>> Is there anyone here who's got experience with setting it up

Do a search using the search keyword suexec under my username in All open forums. suexec's topic has been discussed and answered hundred times.

>> What things should I keep in mind

The most significant concern is to restructure your Apache directory layout by moving all vhost's docroot under the --suexec-docroot.

Here is my very own hier standard:

/www - suexec-docroot (a unique partition for better performance)
/www/htdocs - server's default docroot
/www/cgi-bin - server's cgi-bin
/www/icons - default icons
/www/vhosts/vhost1.com - vhost1 user's homedir
/www/vhosts/vhost1.com/htdocs - vhost1's docroot
/www/vhosts/vhost1.com/cgi-bin - vhost1's cgi-bin

Read this thread for more details -> http://forums.devshed.com/showthrea...8485&forumid=15

>> I install Apache from the FreeBSD ports, and know that some changes have to made to the actual Makefile

You can send configure options to make as if you are compiling from src yourself. Or you can alter /usr/ports/www/apache13/Makefile directly (cvsup will overwrite this file so do appropriate backup):

For example:

1) create www user+group (uid/gid 100)
2) Alter the Makefile:
--prefix=${PREFIX} \
--with-perl=${PERL} \
--with-layout${FILESDIR}/FreeBSD.layout:FreeBSD \
--enable-module=most \
--enable-shared=max \
--enable-module=auth_db \
--enable-module=mmap_static \
--disable-module=auth_dbm \
--without-confadjust \
--server-uid=www \
--server-gid=www \
--suexec-docroot=/www \
--enable-suexec \
--suexec-caller=www \
--suexec-logfile=/var/log/apache/suexec_log \
--suexec-userdir=public_html \
--suexec-uidmin=100 \
--suexec-gidmin=100 \
--suexec-safepath=/usr/local/bin:/usr/bin:/bin
3) Alter /usr/ports/www/apache13/files/FreeBSD.layout:
<Layout FreeBSD>
prefix: /usr/local
exec_prefix: $prefix
bindir: $exec_prefix/bin
sbindir: $exec_prefix/sbin
libexecdir: $exec_prefix/libexec/apache
mandir: $prefix/man
sysconfdir: $prefix/etc/apache
datadir: /www
iconsdir: $datadir/icons
htdocsdir: $datadir/htdocs
cgidir: $datadir/cgi-bin
includedir: $prefix/include/apache
localstatedir: /var
runtimedir: $localstatedir/run
logfiledir: $localstatedir/log/apache
proxycachedir: $localstatedir/tmp/proxy
</Layout>