
Site Security and suexec

I'll try to go through this as simply as possible. The goal is always a concise explanation without room for confusion. However, I'm afraid the explanation of suexec is going to have to be a long one.

On most web servers, including Apache, CGI (Perl and Shell programs) and PHP programs execute as the user and group of the web server. Most have this setup out of laziness or because they do not realize it does not have to be this way. With the suexec concept, all scripts and programs will be executed as the user and group of the account, i.e. your student organization login, instead of the web server's user and group, frequently "nobody".

Why is this important to us? Mostly because of file permissions, or the use of 777 file permissions to be more precise. (See unix file permissions for an in-depth discussion of file permissions.) In an older setup, programs execute as the user and group of the web server, which is usually "nobody". Under this mode, files or directories that you require your programs to write to need 777 file permissions (read/write/execute at user/group/world level). This is not very secure. Besides allowing the web server to write to the file, it also allows anyone else to read or write to the file. It makes you ask yourself why this has been the default way all along, right?

In a newer setup with suexec enabled, your programs and scripts execute under your own user and group. Files or directories that you require your programs and scripts to write to no longer need to have 777 permissions. In fact, scripts that have 777 permissions, or that reside in directories with 777 permissions, will not run; attempting to execute them will instead cause a 500 internal server error, which protects you from someone abusing your scripts. Your scripts and directories can have a maximum of 755 permissions (read/write/execute by you, read/execute by everyone else). If all your files are owned only by you, they are well protected at the operating system level.
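
One way to find and correct the permissions described above before they cause a 500 error, as an added example that is not part of the original page. The function names and the demo tree (cgi-bin/form.cgi, data/guestbook.txt) are made up for illustration; the check flags anything writable by group or world.

```shell
#!/bin/sh
# Added example (not from the original page): audit a web directory for the
# permission bits that make suexec refuse a script with a 500 error.

# list_unsafe DIR: print every file or directory under DIR that is writable
# by group (-perm -020) or world (-perm -002), i.e. anything looser than 755.
list_unsafe() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# count_unsafe DIR: number of offending paths (0 means the tree is clean).
count_unsafe() {
    list_unsafe "$1" | wc -l | tr -d ' '
}

# fix_unsafe DIR: drop group/world write and leave every other bit alone,
# so 777 becomes 755 and 666 becomes 644.
fix_unsafe() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
}

# Constructed demo tree standing in for an account's web directory.
demo() {
    d=$(mktemp -d)
    mkdir "$d/cgi-bin" "$d/data"
    printf '#!/bin/sh\necho ok\n' > "$d/cgi-bin/form.cgi"
    : > "$d/data/guestbook.txt"
    chmod 755 "$d/cgi-bin"; chmod 777 "$d/cgi-bin/form.cgi"
    chmod 777 "$d/data";    chmod 666 "$d/data/guestbook.txt"
    echo "before: $(count_unsafe "$d") unsafe path(s)"
    list_unsafe "$d"
    fix_unsafe "$d"
    echo "after:  $(count_unsafe "$d") unsafe path(s)"
    rm -rf "$d"
}

demo
```

Because scripts now run as the account owner, data files such as the guestbook stay writable by the script after the group and world write bits are removed.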

Some of you more savvy web folks out there might be thinking: but PHP programs use an Apache module, so the suexec concept won't work, will it? Not so. This web server simulates the PHP Apache module and hands the processing off to the PHP interpreter.

For even more information on how we employ the suexec concept on your web server visit the following links.
Apache suEXEC Support
suPHP