Suexec Instructions for Red Hat Linux

Suexec is a part of the apache webserver that allows cgi scripts to run as the user in whose directory they are installed, rather than as the user 'nobody' or 'apache'. This can be convenient for both security and practical reasons. The security restrictions imposed by suexec are documented at httpd.apache.org.

While suexec is distributed as part of the apache rpm package in Red Hat Linux 6.X and 7.X, the versions are not consistent about whether suexec is activated by default. Our experience is that suexec is not activated by default in Red Hat Linux 6.2, while it is activated by default in Red Hat Linux 7.2. Some other versions of Red Hat Linux reportedly have suexec activated by default, while others evidently do not.

Activating suexec in Red Hat Linux 6.2

  1. Verify that cgi scripts in /home/*/public_html/cgi-bin execute properly when called by /~{user}/cgi-bin/{script.cgi}. Also, verify that cgiwrap is not being used to execute user scripts.
  2. Activate suexec by setting its suid bit (change its permissions from 711 to 4711)
    # chmod u+s /usr/sbin/suexec
  3. Restart apache
    # /sbin/service httpd restart
  4. Verify that suexec has been enabled
    # tail /var/log/httpd/error_log
          ...[notice] suEXEC mechanism enabled...
  5. Verify that user cgi scripts execute properly. If not, check the suexec log for errors
    # tail /var/log/httpd/suexec_log

Using suexec in Red Hat Linux 7.2

Suexec is activated by default in Red Hat Linux 7.2.
If necessary, this can be verified by examining its file permissions (suid bit is set)

  $ ls -alF /usr/sbin/suexec
      -r-s--x--- 1 root apache 11244 Sep 5 20:12 /usr/sbin/suexec*

by examining the httpd logs

  $ grep suexec /var/log/httpd/error_log
      ...[notice] suEXEC mechanism enabled...
  $ tail /var/log/httpd/suexec_log

and by examining the modules compiled into the httpd server

  $ /usr/sbin/httpd -l
      suexec: enabled; valid wrapper /usr/sbin/suexec

Tips for using suexec

WebMO and suexec

In order for WebMO to work on an apache web server with suexec enabled, it must follow all of the suexec requirements, which are stricter than those imposed by apache without suexec or by cgiwrap. Specifically, the cgi directory must not be writable by others.

For WebMO versions 3.1 and earlier, you must manually change the WebMO cgiBase directory permissions from 777 to 755:

  $ find ~ -name "globals.int"
  $ grep ^cgiBase /{path}/globals.int
  $ chmod 755 {cgiBase_directory}

For WebMO versions 3.2 and later, the WebMO cgiBase directory is created
with appropriate file permissions, and no change is needed.
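
The permission requirement above can be checked before suexec rejects a script. The following is an added shell example, not part of the original instructions or of WebMO; the function name check_cgi_dir is hypothetical. Its group-write and setuid/setgid checks go beyond what this page states and follow the suexec security model documented at httpd.apache.org.

```shell
#!/bin/sh
# Added example: audit a cgi directory against suexec's permission rules.
# check_cgi_dir DIR prints each finding and returns 0 if DIR is clean,
# 1 if suexec would refuse to run scripts from it.
check_cgi_dir() {
    dir=$1
    bad=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi

    # The directory must not be writable by group or others
    # (777 and 775 fail, 755 passes).
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL: directory $dir is writable by group or others"
        bad=1
    fi

    # Each script has the same restriction and must not be setuid or setgid.
    # Symbolic links and subdirectories are skipped by this example.
    for f in "$dir"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "FAIL: $f is writable by group or others"
            bad=1
        fi
        if [ -n "$(find "$f" -prune \( -perm -4000 -o -perm -2000 \) -print)" ]; then
            echo "FAIL: $f is setuid or setgid"
            bad=1
        fi
    done

    [ "$bad" -eq 0 ] && echo "OK: $dir passes the checked suexec permission rules"
    return "$bad"
}
```

Call it as check_cgi_dir {cgiBase_directory}; any FAIL line should also show up as a rejection in /var/log/httpd/suexec_log when the script is requested.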