<p>Requests for CGI programs will call the suEXEC wrapper only if
they are for a virtual host containing a <code class="directive"><a href="./mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive or if
they are processed by <code class="module"><a href="./mod/mod_userdir.html">mod_userdir</a></code>.</p>
<p><strong>Virtual Hosts:</strong><br /> One way to use the suEXEC
wrapper is through the <code class="directive"><a href="./mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive in
<code class="directive"><a href="./mod/core.html#virtualhost">VirtualHost</a></code> definitions. By
setting this directive to values different from the main server
user ID, all requests for CGI resources will be executed as the
<em>User</em> and <em>Group</em> defined for that <code class="directive"><a href="./mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code>. If this
directive is not specified for a <code class="directive"><a href="./mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code> then the main server userid
is assumed.</p>
<p><strong>User directories:</strong><br /> Requests that are
processed by <code class="module"><a href="./mod/mod_userdir.html">mod_userdir</a></code> will call the suEXEC
wrapper to execute CGI programs under the userid of the requested
user directory. The only requirements for this feature to
work are that CGI execution be enabled for the user and that the
script meet the scrutiny of the <a href="#model">security</a></p>
<h2><a name="jabberwock" id="jabberwock">Beware the Jabberwock:
Warnings &amp; Examples</a></h2>
<p><strong>NOTE!</strong> This section may not be
complete. For the latest revision of this section of the
documentation, see the Apache Group's <a href="http://httpd.apache.org/docs-2.0/suexec.html">Online
Documentation</a> version.</p>
<p>There are a few points of interest regarding
the wrapper that can cause limitations on server setup. Please
review these before submitting any "bugs" regarding suEXEC.</p>
<ul>
<li><strong>suEXEC Points Of Interest</strong></li>
<li>
Hierarchy limitations
<p class="indent">
For security and efficiency reasons, all suEXEC requests
must remain within either a top-level document root for
virtual host requests, or one top-level personal document
root for userdir requests. For example, if you have four
VirtualHosts configured, you would need to structure all
of your VHosts' document roots off of one main Apache
document hierarchy to take advantage of suEXEC for
VirtualHosts. (Example forthcoming.)
</p>
</li>
<li>
suEXEC's PATH environment variable
<p class="indent">
This can be a dangerous thing to change. Make certain
every path you include in this define is a
<strong>trusted</strong> directory. You don't want to
open people up to having someone from across the world
running a trojan horse on them.
</p>
</li>
<li>
Altering the suEXEC code
<p class="indent">
Again, this can cause <strong>Big Trouble</strong> if you
try this without knowing what you are doing. Stay away
from it if at all possible.
</p>
</li>
</ul>
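<p>The following check is an added example, not part of the Apache documentation or the suEXEC code. It applies the Virtual Hosts rule and the hierarchy limitation above to a configuration: each <code>&lt;VirtualHost&gt;</code> is classified by whether it sets <code>SuexecUserGroup</code> and whether its <code>DocumentRoot</code> stays inside suEXEC's top-level document root. The host names, users, paths and the root <code>/var/www/vhosts</code> are assumptions made up for the example.</p>

```python
import posixpath
import re

# Constructed sample configuration for illustration; hosts, users and paths are made up.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName a.example.com
    DocumentRoot /var/www/vhosts/a
    SuexecUserGroup alice web
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example.com
    DocumentRoot /var/www/vhosts/../../../home/bob/site
    SuexecUserGroup bob web
</VirtualHost>
<VirtualHost *:80>
    ServerName c.example.com
    DocumentRoot /var/www/vhosts/c
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(block, name):
    """Return the arguments of the first `name` directive in a block, or None."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", block, re.M | re.I)
    return m.group(1).split() if m else None

def inside(path, root):
    """Lexical containment test: '..' is collapsed first, symlinks are not resolved."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return posixpath.isabs(path) and posixpath.commonpath([path, root]) == root

def audit(conf, suexec_docroot):
    """Map each ServerName to 'ok', 'outside-docroot' or 'main-server-user'."""
    result = {}
    for block in VHOST_RE.findall(conf):
        name = (directive(block, "ServerName") or ["(unnamed)"])[0]
        docroot = directive(block, "DocumentRoot")
        if directive(block, "SuexecUserGroup") is None:
            result[name] = "main-server-user"  # no SuexecUserGroup: main server userid is assumed
        elif docroot and inside(docroot[0], suexec_docroot):
            result[name] = "ok"
        else:
            result[name] = "outside-docroot"   # violates the hierarchy limitation
    return result

if __name__ == "__main__":
    for host, status in audit(SAMPLE_CONF, "/var/www/vhosts").items():
        print(f"{host}: {status}")
```

<p>The containment test is purely lexical, so a document root that reaches outside the hierarchy through a symbolic link still needs to be checked on the file system itself.</p>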
</div></div>
<div id="footer">
<p class="apache">Copyright 1999-2004 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>