How to enable Apache's suexec support on Mac OS X 10.4 and newer

From ArticleWorld

Suexec is a powerful and highly useful feature of Apache. However, although many system administrators enjoy its power and successfully use it, the Apache version that is built-in in Mac OS X 10.4 and later do not have this feature enabled. Enabling it requires Apache to compiled from sources, but the effort of doing so is significantly rewarded with better security.

A quick introduction

Before explaining how to use suexec correctly, let us dive into a quick introduction.

OS X runs Apache with the UID of a special user, created explicitly for the Apache server. This is done to ensure a certain degree of security. Nevertheless, there are times when you will want to run certain CGI scripts using yet another UID. This what suexec basically does, acting as a wrapper when executing external programs.

Along with the ability to run scripts with a different UID, suexec also:

• Makes it impossible to run external applications/scripts with the UID of root or any other user with administrative privileges
• Makes it impossible to run applications/scripts located outside Apache's webspace (i.e. with paths containing "/" or "..")
• Ensures that the programs/scripts are ran with an UID higher than a minimum, configured value, thus allowing you to "block" system accounts.

Of course, this does have some limitations about how your server can be configured. Nevertheless, it is a good option to have if the machine on which Apache runs serves very important files.

Enabling suexec

This involves compiling Apache from the sources. You should read the Apache documentation regarding this stage thoroughly, to ensure that you understand any additional options you may want to pass.

1) Get the Apache sources from http://httpd.apache.org/ . The version that comes with OS X 10.4 is 1.3.3, so it would be a good option to get the same one as well. In fact, if you do not depend on bleeding-edge features, using an older, but more stable Apache version, can prove helpful and, why not, more secure. If you plan to obtain a new version of Apache, you will have to install it thoroughly. However, if you get the version included with OS X and only include the options below, you can safely use just the suexec executable it compiles. In fact, this is the method we will use.

2) Unpack the sources and run the configure script (./configure), passing the relevant arguments to it. In order to build it on OS X and enable suexec, the minimum required options are:

./configure --enable-suexec --suexec-caller=www \
--suexec-docroot=/Library/WebServer/Documents \
--suexec-userdir=Sites \
--with-layout=Darwin

3) Launch the compilation:

make -j2

4) Copy suexec to /usr/sbin (or somewhere else, depending on how you want your configuration):

sudo cp src/support/suexec /usr/sbin/suexec

Note that, if you are using a different Apache version than the one included with OS X, you should probably install it instead of taking just the suexec executable.

5) Set the copied suexec's SUID root bit:

chmod 4755 /usr/sbin/suexec

Note that having programs SUID root can be potentially dangerous. Make sure you understand what this means.

6) Restart Apache:

sudo apachectl restart

Notes

Although you may be tempted to use apachectl graceful instead of restart, you should not: the former will not allow you to use suexec. Apache will only load suexec if it is restarted, or explicitly stopped and started again.