# mod_suexec questions



## saiman (Jun 18, 2010)

Hello,
I'm trying to set up/test mod_suexec with mod_fcgid on apache22. I've got one virtual host - test.site with this configuration:


```
<VirtualHost *:80>
    ServerAdmin webmaster@test.site
    DocumentRoot "/var/www/vhosts/test.site/httpd"
    ServerName test.site
    ServerAlias www.test.site

    SuexecUserGroup www-test www-test

    <Directory "/var/www/vhosts/test.site/httpd">
        AddHandler fcgid-script .php
        FCGIWrapper /var/www/vhosts/test.site/cgi-bin/php.fcgi .php

        Options Indexes FollowSymLinks ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

</VirtualHost>
```

The user www-test has /var/www/vhosts/test.site for home directory. This is the directory structure:


```
drwxr-xr-x  4 www-test  www-test  512 Jun 16 21:47 test.site
    drwxr-xr-x  2 www-test  www-test  512 Jun 17 14:21 cgi-bin
        -rwxr-x---  1 www-test  www-test  130 Jun 17 14:21 php.fcgi

    drwxr-xr-x  3 www-test  www-test  512 Jun 17 14:38 httpd
        -rwxr-x---  1 www-test  www-test   58 Jun 17 14:44 index.php
        -rwxr-x---  1 www-test  www-test  2145094 Oct 23  2001 img.jpg
```


I noticed that when I change the privileges on test.site to 750 - error 403 is returned (forbidden). It's the same with the httpd directory and the cgi-bin directory. So the only way to run something inside httpd is to change the directory permissions up to the file to 750? Is that the normal behavior? I'm wondering because, for example, if I have a WordPress inside httpd I have to change a bunch more directories to get WordPress working.
And finally I found that if the permissions on img.jpg are not set to 755 it's forbidden too. Probably because it's accessed from the www user, not from www-test - it's just an image and fcgid isn't used in this case?


----------



## Dereckson (Jun 21, 2010)

Before using suEXEC, you need to get a good understanding of what it checks.

http://httpd.apache.org/docs/2.1/suexec.html#model

If all sounds okay to you, you have a suEXEC log in /var/log/httpd-suexec.log (suexec -V should give you the location).

Of course, before suEXEC is called, Apache must access the file, i.e. if you don't have an entry in the suEXEC log, it's an Apache problem; read the regular vhost's error.log.


----------



## Alt (Jun 22, 2010)

saiman, if you give suexec to a script - do not give the same owner/rights to files/dirs -- a bug in the script can give complete freedom to a hacker, because he can modify the scripts themselves or create new scripts.


----------
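
An added example, not written by any poster in this thread, that encodes the two stages Dereckson describes: Apache's own access check, which produces the 403 from the first post and never reaches the suEXEC log, and then the suEXEC security-model checks on the target program and its directory. It runs against a constructed stand-in for the first post's tree; the uids (www = 80, www-test = 1001) and the UID_MIN/GID_MIN values are assumptions, not taken from the thread.

```python
import stat
from collections import namedtuple

UID_MIN = GID_MIN = 100  # assumption: suexec's compiled-in defaults; `suexec -V` shows yours
Entry = namedtuple("Entry", "path mode uid gid")  # mode = st_mode (type + permission bits)

def _bits(e, uid, gids):
    """rwx triplet (0-7) that applies to a caller with this uid and group set."""
    if e.uid == uid:
        return (e.mode >> 6) & 7
    return (e.mode >> 3) & 7 if e.gid in gids else e.mode & 7

def apache_access_problems(chain, apache_uid, apache_gids, static):
    """Stage 1: httpd, still running as the Apache user, must traverse every
    directory (x bit) and, for a file it serves itself such as img.jpg, read it
    (r bit). A failure here is a plain 403 from Apache; suexec is never invoked."""
    problems = []
    for e in chain:
        bits = _bits(e, apache_uid, apache_gids)
        if stat.S_ISDIR(e.mode) and not bits & 1:
            problems.append(f"{e.path}: Apache user cannot traverse (no x)")
        elif not stat.S_ISDIR(e.mode) and static and not bits & 4:
            problems.append(f"{e.path}: Apache user cannot read (no r)")
    return problems

def suexec_problems(script_dir, script, uid, gid):
    """Stage 2: the suEXEC model checks on the target program and its directory:
    ownership by the target user/group, group/other writability, setuid/setgid, minimum ids."""
    problems = []
    if uid < UID_MIN or gid < GID_MIN:
        problems.append("target uid/gid below suexec minimum")
    for e in (script_dir, script):
        if (e.uid, e.gid) != (uid, gid):
            problems.append(f"{e.path}: not owned by target user/group")
        if e.mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{e.path}: writable by group or others")
    if script.mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append(f"{script.path}: setuid or setgid")
    return problems

# Constructed stand-in for the tree in the first post: www-test is uid/gid 1001 and
# the Apache user "www" is uid 80 (assumed values); parents are root-owned 755.
def site_chain(site_mode, leaf, leaf_mode):
    d, f = stat.S_IFDIR, stat.S_IFREG
    return [Entry("/var/www/vhosts", d | 0o755, 0, 0),
            Entry("/var/www/vhosts/test.site", d | site_mode, 1001, 1001),
            Entry("/var/www/vhosts/test.site/httpd", d | 0o755, 1001, 1001),
            Entry(f"/var/www/vhosts/test.site/httpd/{leaf}", f | leaf_mode, 1001, 1001)]
```

With test.site at 750 the first stage already fails because www is neither the owner nor in the www-test group, which is why the 403 appears without any suEXEC log entry; with test.site at 755 and index.php at 750 both stages pass, since mod_fcgid does not need Apache to read the script itself.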

