Any of you out there have experience with Apache's suEXEC? I'm trying to build a /var/bin which would basically be the $PATH of a suEXEC user. I was wondering if anyone's come up with any "binary packs", or a group of files that may contain lists of the most common system binaries needed for most CGIs and Perls. I was going to copy /bin, /usr/bin and use those, but then I thought about libraries needed... yeah.
Further, I haven't found a whole lot of information on the subject. Not even on Google. If any of you guys who run this type of setup (NOT ADMINS WHO USE A WEBHOST-IN-A-BOX-SETUP, it's completely different), would you please offer some advice?
Haha. I just want to put together a stable, safe, shared, and complete binary environment aside from the system environment, and use that as the sudo'd user's $PATH. Heck, I might as well just run ldd on everything, huh? :/
Someone has got to have done this in the past, which is why I ask.
if all you want is another path for user binaries, just copy over whatever binaries you wish to copy, to /var/bin. the programs that run from there will still use the libraries in /lib, /usr/lib, etc (check your /etc/ld.so.conf)
now if you're talking about chroot'ing your apache.. then you'd have to worry about copying the libraries over.
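For the chroot case the reply describes (and the "run ldd on everything" idea above), here is an added example, not code from this thread: a Python script that parses ldd output for a list of binaries, collects their library closure, and copies binaries plus libraries under a separate root keeping their absolute paths. The sample ldd output, the binary names and the destination root are constructed assumptions.

```python
"""Resolve the shared-library closure of binaries via ldd and copy them under a
separate root (e.g. a chroot). Added example; sample data is constructed."""
import re, shutil, subprocess
from pathlib import Path
# ldd lines: "name => /path (addr)", "/path (addr)" for the dynamic loader,
# or "name => not found". The vDSO entry carries no file path at all.
_LDD_LINE = re.compile(r"^\s*(?:\S+\s+=>\s+)?(\S+)(?:\s+\(0x[0-9a-f]+\))?\s*$")
SAMPLE_LDD = (  # constructed sample of what `ldd /usr/bin/perl` might print
    "\tlinux-vdso.so.1 (0x00007ffd1c3f4000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1234567000)\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f1234500000)\n"
    "\tlibfoo.so.1 => not found\n"
)

def parse_ldd(output):
    """Return (absolute library paths, names ldd could not resolve)."""
    found, missing = [], []
    for line in output.splitlines():
        if "not found" in line:
            missing.append(line.split("=>")[0].strip())
            continue
        m = _LDD_LINE.match(line)
        if m and m.group(1).startswith("/"):   # drops the vDSO pseudo-entry
            found.append(m.group(1))
    return found, missing

def library_closure(binaries, run_ldd=None):
    """Union of libraries needed by all binaries; run_ldd is injectable."""
    if run_ldd is None:
        run_ldd = lambda b: subprocess.run(
            ["ldd", b], capture_output=True, text=True, check=False).stdout
    libs, unresolved = set(), {}
    for b in binaries:
        found, missing = parse_ldd(run_ldd(b))
        libs.update(found)
        if missing:
            unresolved[b] = missing
    return libs, unresolved

def populate(root, binaries, libs):
    """Copy under root keeping absolute paths so the loader finds each library at
    its usual location after chroot. Keep the tree root-owned and not writable
    by the suEXEC target user, or a library could be swapped for a trojaned one."""
    copied = []
    for src in list(binaries) + sorted(libs):
        dst = Path(root) / Path(src).relative_to("/")
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)              # follows symlinks: copies the real file
        copied.append(str(dst))
    return copied
```

Run `library_closure` on the real binary list, review anything reported as unresolved, then `populate` a fresh root; the copies are plain files, so loader configuration from /etc/ld.so.conf is not carried over and must be added to the tree separately if needed.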
I don't think it works that way. from what I've read and what I understand, suEXEC relies on a totally isolated environment for each user that it suEXECs to. I don't see how the binaries in said directory would be able to function if they were not allowed to access required libraries. I can think of a number of ways to fake the requirement for a system library, replacing it with a trojaned one, etc etc.
I would think that, for a fact, Apache would rely on a totally isolated user to suEXEC to.