Version 4 (modified by Ross, 13 years ago)

How can I run a CGI script with my own user permissions (suExec)?

At May First/People Link, many members share a single server with one instance of a web server. That means that the program that displays one member's web site runs as the same user (with the same user permissions) as the program that displays every other member's web site.

With web sites that only display information (they don't record any data provided by a web surfer), this setup poses few problems.

However, as we use our web sites to record information submitted by people browsing our web site, we start to run into problems. What if one member has an insecure web site that accidentally lets web site visitors view or delete information about web sites from a different member?

suExec is a method to protect us against that situation. With suExec, every web program runs as a user specific to the web site being displayed. So the web server that displays the web site for Member A does not have the same permissions as the web server that displays the web site for Member B.

If you are running a PHP script, then suExec is already running (via suPHP). You don't have to make any changes.

If you are running any other kind of CGI script (Perl, Python, etc.), then you will need to take a few extra steps to get the proper permissions working.

  • Open a ticket requesting a suExec cgi-bin, specifying the user name of the user you would like to have ownership over it. When we receive the request, a May First/People Link admin will create a suexec directory for you.
  • Add the following to your web configuration in your Members Control panel (replace USER with your username and GROUP with your group name):
    SuexecUserGroup USER GROUP
    
  • Place your CGI files in your cgi-bin/suexec directory.
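
Once the files are in place, a pre-flight check like the following can confirm that a script meets the ownership and mode conditions Apache's suEXEC wrapper documents in its security model (a subset is checked here). This is an added example, not May First/People Link's own tooling; the function names `matches` and `check_suexec_script` are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for a script placed in cgi-bin/suexec.
# Usage: sh check_suexec.sh FILE USER GROUP   (USER GROUP as in SuexecUserGroup)

# matches PATH TESTS...: true if PATH itself satisfies the given find(1) tests.
matches() {
    p=$1; shift
    [ -n "$(find "$p" -prune "$@" -print 2>/dev/null)" ]
}

# Prints one FAIL line per problem; returns 0 only when every check passes.
check_suexec_script() {
    file=$1 user=$2 group=$3
    dir=$(dirname "$file")
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing or not a regular file"
        return 1
    fi
    # The script and its directory must belong to the SuexecUserGroup user/group.
    matches "$file" -user "$user" -group "$group" ||
        fail "$file is not owned by $user:$group"
    matches "$dir" -user "$user" -group "$group" ||
        fail "$dir is not owned by $user:$group"
    # Neither may be writable by group or others.
    if matches "$file" \( -perm -020 -o -perm -002 \); then
        fail "$file is writable by group or others"
    fi
    if matches "$dir" \( -perm -020 -o -perm -002 \); then
        fail "$dir is writable by group or others"
    fi
    # The script must not be setuid/setgid and must be executable by its owner.
    if matches "$file" \( -perm -4000 -o -perm -2000 \); then
        fail "$file is setuid or setgid"
    fi
    matches "$file" -perm -100 || fail "$file is not executable by its owner"

    [ "$problems" -eq 0 ] && echo "OK: $file passes the ownership and mode checks"
    return "$problems"
}

# Run the check when called with FILE USER GROUP on the command line.
if [ "$#" -eq 3 ]; then check_suexec_script "$@"; fi
```

A script that fails any of these checks is refused by suEXEC, so a mode such as 755 on both the script and its directory is the usual target.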