Hi,

I was talking to an admin about upgrading to suexec and he was telling me that it could be less secure. Is this true?

2. What would be other downsides to me changing my server to use suexec?

Would you suggest I change it to suexec? What is the best way to change?

Thanks!!

suEXEC is suppose to add more protetion. It runs CGI scripts under their own usernames.

"2. What would be other downsides to me changing my server to use suexec? "

Users might have problem do to chmod and permissions on the directories. I would check the suexec_log to see what's the problem.

If I have a server that does not use suexec, when I change it, will users have to make a lot of changes? Will the basic scripts work?

Well not a LOT of changes but some are:

CHMODing their scripts to 755 or removing write permissions to the directories that the scripts are located in. Basically files must be chmoded to 755.

If implemented correctly, the user's scripts would only need to be executable by the user. I'm not sure why they would need to be executable by everyone, unless you wanted to let everyone execute them.

Typically, you would make the user's home directory owned by him or her and set the group ownership for the directory to the user that the web server runs as, and not world readable.

I'm not sure why someone would say that using suexec was less secure than not using it. If your users are all using the same web server, it would be more secure for them if you were using suexec because they would not be able to invade eachother's privacy as easily.

But no, not all features of suexec are inherently "secure". Some of the checks that it does for docroot before it allows a script to be executed could be better. As long as you don't care about the docroot feature, the scripts are still being run as the user and not as the web server user, which is the main feature, and it works great.

I can't think of any downsides to start using it, except those users who previously enjoyed reading other users' documents won't be able to do it anymore, which might frustrate them.

The best way to get started would be to read the docs on apache's web site for suexec.

Originally posted by bitserve
I can't think of any downsides to start using it, except those users who previously enjoyed reading other users' documents won't be able to do it anymore, which might frustrate them.

s/documents/credit card numbers/

;)

Why would anyone store credit cards that can be viewed from the browser?

Originally posted by Shyne
Why would anyone store credit cards that can be viewed from the browser?

Who said that anyone would? My point was that, without suexec, other users on the machine can read credit card values used by your cgi scripts.

Originally posted by cperciva


s/documents/credit card numbers/

;)

:) Actually, hopefully the users aren't currently accepting credit card information or anything sensitive on their web site.