Running suexec on OS X 10.5 (Leopard)


Categories: GeekStuff

As posted on macosxhints last time around, OS X ships with Apache configured so that it would use suexec if suexec were installed, which it isn’t.

You can build a suexec binary, drop it in, and magically suexec will start working. However, more settings are required than used to be.

Download Apache 2.2.6 from the Apache site, unpack it, and run this configure command:

./configure --enable-suexec --with-suexec-docroot=/Users --with-suexec-gidmin=20 --with-suexec-uidmin=501 --with-suexec-logfile=/var/log/apache2/suexec_log --with-suexec-caller=_www --with-suexec-userdir=Sites

The suexec docroot should be a directory under which all user home pages will be found; I used /Users. The gidmin and uidmin settings may or may not be strictly necessary, but they’re correct for a default install. The suexec-caller and suexec-logfile settings are necessary (although you may move the suexec-logfile if you wish), and the suexec-userdir setting is needed unless you changed the default user directory name.

Also, for any user who’s supposed to get CGI, add ExecCGI to the Options list in /etc/apache2/users/.conf.

After the configure runs, run ‘make suexec’, then copy the suexec binary to /usr/bin, and give it root ownership, mode 4755. Restart apache (apachectl restart as root), and you should magically see programs running as their owners, allowing you to have an arguably much more secure system.

No, I don’t know why they don’t just ship the suexec binary.

Comments [archived]

From: Ronny Iversen
Date: 2008-09-29 14:38:23 -0500

Ive tried following the instructions above…however apache2 doesnt seem to be starting suexec… As far as I understand I set each users home /Users//Sites/ and all files ran from there will run as usrname…Still _www though ;(