# Apache mod_suexec Does NOT Change User



## vask (Feb 9, 2009)

I installed mod_suexec from ports with apache22, but unfortunately I can't get my virtualhosts to run as the user specified in httpd.conf with:

```
# apache master user
User www
Group www

# change user with suexec
<VirtualHost *:80>
        SuexecUserGroup user1 group1
        ServerName 1.site.com
        DocumentRoot /www/site/public
</VirtualHost>
```

I am testing this with a file index.php in DocumentRoot and I have:

```
<?
echo `whoami`;
?>
```

Unfortunately the output never changes from whatever I specify with:

```
User www
Group www
```

Things I noticed so far:
- mod_suexec.so is loading fine in httpd.conf (if I don't have it it complains of syntax) 
- Apache restarts fine.
- If I move the wrapper program /usr/local/sbin/suexec it complains.

Please advise.

Reference:
http://httpd.apache.org/docs/2.0/mod/mod_suexec.html
http://httpd.apache.org/docs/2.0/suexec.html


----------



## gilinko (Feb 9, 2009)

The suexec is for CGI calls only. If you aren't running the php binary through the CGI/FastCGI interface it will still run as the www user.

suexec is mainly targeted at the ability to run system commands while in a web environment (i.e. access to system binaries), not as a means to separate the user/group from the binary. Also, to be able to use the suexec program your webserver needs to be run as root (root:wheel) not as www:www. Or to be more precise it uses the setuid/setgid portion of your system.

Running a webserver as "root" with suexec should not be taken lightly, as there are serious security concerns with this as stated in your second reference.


----------
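
The point made in the reply above, as an added example that is not part of the original thread: a shell function that reads an httpd.conf and reports, for each VirtualHost that sets SuexecUserGroup, whether mod_php is loaded, in which case .php requests are handled inside the httpd worker and never reach the suexec wrapper. The sample config is constructed from the thread's setup; its LoadModule lines and the `php[0-9]*_module` name pattern are assumptions about a typical apache22 install.

```shell
#!/bin/sh
# Added example (not from the thread): flag vhosts whose SuexecUserGroup
# cannot affect PHP because mod_php is loaded into the httpd workers.

# Constructed sample config mirroring the thread's setup; the LoadModule
# lines are assumed, they are not shown in the original post.
sample_conf() {
cat <<'EOF'
User www
Group www
LoadModule suexec_module libexec/apache22/mod_suexec.so
LoadModule php5_module libexec/apache22/libphp5.so
# LoadModule fcgid_module libexec/apache22/mod_fcgid.so
<VirtualHost *:80>
        SuexecUserGroup user1 group1
        ServerName 1.site.com
        DocumentRoot /www/site/public
</VirtualHost>
EOF
}

# Reads httpd.conf on stdin; prints one verdict per vhost with SuexecUserGroup.
suexec_audit() {
    awk '
    /^[ \t]*#/ { next }                       # ignore commented-out lines
    { d = tolower($1) }                       # directives are case-insensitive
    d == "loadmodule" && $2 ~ /^php[0-9]*_module$/ { modphp = 1 }
    d == "user" && !invh                      { srvuser = $2 }
    d ~ /^<virtualhost/                       { invh = 1; name = "(unnamed)"; su = "" }
    invh && d == "servername"                 { name = $2 }
    invh && d == "suexecusergroup"            { su = $2 ":" $3 }
    d ~ /^<\/virtualhost/ {
        if (su != "") { n++; vname[n] = name; vsu[n] = su }
        invh = 0
    }
    END {
        for (i = 1; i <= n; i++)
            if (modphp)
                printf "%s: mod_php loaded, .php runs in-process as %s; %s applies to CGI only\n", vname[i], srvuser, vsu[i]
            else
                printf "%s: no mod_php, PHP served via CGI/FastCGI can run as %s\n", vname[i], vsu[i]
    }'
}

sample_conf | suexec_audit
```

To check a real server, feed it the live file instead of the sample, for example `suexec_audit < /usr/local/etc/apache22/httpd.conf` (path assumed; files pulled in with Include are not followed).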



## vask (Feb 9, 2009)

When you refer to binaries I am assuming you are referring to just random files on the system.

From phpinfo() I have:
Configure Commands: '--enable-fastcgi'
Loaded Modules: mod_cgi

but I am unsure how to tell PHP to run through the FastCGI interface if that doesn't already do it...

Also, I am aware there are many security considerations with this setup... but I am just trying to get things working right now and test things out... suexec seems to be one of the best documented pieces of software for what I am trying to do at:
http://forums.freebsd.org/showthread.php?t=2020

If I can't get suexec working sufficiently... I will try something else... perhaps mpm-peruser like you suggested, but some of the wording for mpm-peruser is intimidating. ie:
"NOT intended for production systems."

Also, with suexec are you saying that ANY user can set ANY file to run as ANY user? I was under the impression that this could only be specified in httpd.conf with SuexecUserGroup.

If I compare suexec and mpm-peruser, both are able to set a user and group, so I don't really know what the big difference is.



> Also, to be able to use the suexec program your webserver needs to be run as root (root:wheel) not as www:www. Or to be more precise it uses the setuid/setgid portion of your system.


Didn't I already do this:

```
# ps aux | grep httpd
root   93560  1.6  4.4 19624 11140  ??  Ss    5:56AM   0:00.43 /usr/local/sbin/httpd -k restart
www    93561  0.0  4.4 19648 11188  ??  S     5:56AM   0:00.00 /usr/local/sbin/httpd -k restart
www    93562  0.0  4.4 19648 11188  ??  S     5:56AM   0:00.00 /usr/local/sbin/httpd -k restart
```


----------



## gilinko (Feb 9, 2009)

> but I am unsure how to tell PHP to run through the FastCGI interface if that doesn't already do it...



You don't need to tell php to run using the fastcgi interface, you need to tell apache to NOT load mod_php.so in httpd.conf but a fast-cgi.so module. Look here for more in-depth information: http://www.seaoffire.net/fcgi-faq.html



> Also, with suexec are you saying that ANY user can set ANY file to run as ANY user? I was under the impression that this could only be specified in httpd.conf with SuexecUserGroup.



The problem is secondary. If the http server executes a suexec as a user with broader rights than the standard www user (which usually is the case) there is nothing stopping that script from going deeper and in turn executing another binary that has the s[u|g]id bit set. I'm partly saying this just to scare you, as anyone wanting to run suexec should be scared.


```
# ps aux | grep httpd
root   93560  1.6  4.4 19624 11140  ??  Ss    5:56AM   0:00.43 /usr/local/sbin/httpd -k restart
www    93561  0.0  4.4 19648 11188  ??  S     5:56AM   0:00.00 /usr/local/sbin/httpd -k restart
www    93562  0.0  4.4 19648 11188  ??  S     5:56AM   0:00.00 /usr/local/sbin/httpd -k restart
```

This looks to me like a standard prefork-mpm, and the first process in that list only keeps check if it needs to spawn or kill more httpd processes and does the initial bind to the port. It's the others that actually answer the http requests, and these are run as the user you specify in httpd.conf. The users you specify in a suexec environment won't show in that ps call.

It seems to me that you want to create an elaborate solution for a few users (perspective is relative) and I wonder if you have considered the following questions:

- Are you going to strictly enforce ACL's and UMOD for all the users no matter the way it's uploaded(ftp, ssh etc) or initially set? A world readable file will still be readable no matter what uid/gid apache runs as.
- Tighten up the configuration on PHP with safemode, safeexec_dir and openbase_dir settings?
- Disable functions in PHP that allow the user to execute system calls?

These are just from the top of my head but for what you are trying to do the first one is very important.

Also remember, the peruser-mpm is designed for linux and we run it on Gentoo Linux, not FreeBSD.


----------



## vask (Feb 9, 2009)

It's not that I "want to create an elaborate solution for a few users" but rather I am exploring possible solutions to user separation/sharing on a single computer where I think it should be much easier than it is.



> - Are you going to strictly enforce ACL's and UMOD for all the users no matter the way it's uploaded(ftp, ssh etc) or initially set? A world readable file will still be readable no matter what uid/gid apache runs as.



I wasn't really planning to strictly enforce ACLs, and I am unsure what UMOD is. I was hoping to accomplish my needs without having to do anything too complicated.  

Ideally I would just like to rely on file permissions and have human users set their file permissions accordingly... I was thinking about creating an apache user for each human user's group so people's files wouldn't have to be set as readable by everyone to be viewable on the web.

As for your other suggestions:


> - Tighten up the configuration on PHP with safemode, safeexec_dir and openbase_dir settings?
> - Disable functions in PHP that allow the user to execute system calls?



I was really hoping that my needs could be accomplished with just file permissions...

I know there are a million things I could probably do with security but I am just taking baby steps I guess... exploring and doing research for what my needs are...

I have read a lot of documentation on these user switching modules and was wondering why user switching is needed in the first place... I mean shouldn't 1 instance of apache be able to start and already have all the user credentials setup or loaded depending on what virtual host is called ( emulating 1 instance of apache running per human user on the system )???  This setup wouldn't require user switching at all...  But rather process\Port\IP\whatever selection depending on the request (Perhaps I just described a proxy)...  

THEORETICAL EXAMPLE (Maybe this is what I really want)

Master Apache Process ( decides what Sub-Process\Port\IP\whatever the http request gets sent to... )
- User1 Apache Sub-Process\Port\IP\whatever (always on)
    - web request 2
    - web request 4
- User2 Apache Sub-Process\Port\IP\whatever (always on)
    - web request 3
- User3 Apache Sub-Process\Port\IP\whatever (always on)
- User4 Apache Sub-Process\Port\IP\whatever (always on)
    - web request 1

The big difference I would think with the example above vs 1 instance of apache per human user is that the master apache process would share system resources and run more efficiently...  Basically, it would be intentionally designed with user separation in mind...

However, if apache can already run satisfactorily with 50 or so instances on the same machine (PIII 1GHz 768MB RAM) perhaps all I need is a script to start all the instances up and stop all the instances. Also I would have to know which instance of apache to send my request to...


----------



## gilinko (Feb 10, 2009)

There is an easy way of getting what you want, but it's more of a large scale setup. For apache to behave that way you need to use a reverse proxy frontend (your "master" process) and have it connect to backends which answer on different ports in jails/slices/dedicated servers. But now we are in the region of a web hosting company setup, which is why it feels like you want an elaborate setup rarely seen outside hosting companies and such.

Not worrying about the ACL's and UMOD (this is file permission, you know chMOD...) or the configuration of PHP, but enforcing strict security on the apache processes is like putting a barbed wire gate with guards in a 1 foot high fence made out of straw... It will look secure from one angle, but it's easily sidestepped.

In the comparison between apache and php, you should be worried about php. php is a huge security concern for any and all running a php enabled webserver. I do like php as this is the main language I use for web development for the last 10 years, but I'm fully aware of its security in relation to web which has improved but probably won't be there until a few releases into the PHP6 branch.


----------



## vivek (Feb 10, 2009)

I had the same problem on FreeBSD 4.x running Apache for ISP setup (we have 1000 of users on each server). We ended up creating a jail for each user using sbox. It uses one public IP and creates a jail for each user and CGI process such as PHP, Perl and so on.

http://stein.cshl.org/software/sbox/

Please note that sbox takes some time to set up and implement. Once done you need to write perl or python scripts to manage all stuff.

HTH


----------



## vask (Feb 10, 2009)

@vivek
I had not explored sbox during my research, so I may do that a little more in the future. Also, I am not sure if the sbox setup will require too many resources, I only have a single server setup (PIII 1GHz 768MB RAM).

Right now I am trying to settle on using apache WITH_MPM=itk, whose setup seems to be extremely simple. See:
http://forums.freebsd.org/showthread.php?p=12569


----------

