<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              This file is generated from xml source: DO NOT EDIT
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      -->
<title>suEXEC Support - Apache HTTP Server</title>
<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />
<script src="/style/scripts/prettify.min.js" type="text/javascript">
</script>

<link href="/images/favicon.ico" rel="shortcut icon" /></head>
<body id="manual-page"><div id="page-header">
<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.4</p>
<img alt="" src="/images/feather.gif" /></div>
<div id="page-content"><div id="preamble"><h1>suEXEC Support</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="/en/suexec.html" title="English"> en </a> |
<a href="/fr/suexec.html" hreflang="fr" rel="alternate" title="Français"> fr
</a> |
<a href="/ja/suexec.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a> |
<a href="/ko/suexec.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> |
<a href="/tr/suexec.html" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p>
</div>

    <p>The <strong>suEXEC</strong> feature provides users of the Apache
    HTTP Server the ability
    to run <strong>CGI</strong> and <strong>SSI</strong> programs
    under user IDs different from the user ID of the calling
    web server. Normally, when a CGI or SSI program executes, it
    runs as the same user who is running the web server.</p>

    <p>Used properly, this feature can reduce
    considerably the security risks involved with allowing users to
    develop and run private CGI or SSI programs. However, if suEXEC
    is improperly configured, it can cause any number of problems
    and possibly create new holes in your computer's security. If
    you aren't familiar with managing <em>setuid root</em> programs
    and the security issues they present, we highly recommend that
    you not consider using suEXEC.</p>
  </div>
<div id="quickview"><ul id="toc"><li><img alt="" src="/images/down.gif" /> <a href="#before">Before we begin</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#model">suEXEC Security Model</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#install">Configuring &amp; Installing
    suEXEC</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#enable">Enabling &amp; Disabling
    suEXEC</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#usage">Using suEXEC</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#debug">Debugging suEXEC</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#jabberwock">Beware the Jabberwock:
    Warnings &amp; Examples</a></li>
</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif"
/></a></div>
<div class="section">
<h2><a name="before" id="before">Before we begin</a></h2>

    <p>Before jumping head-first into this document,
    you should be aware that certain assumptions are made about you and
    the environment in which you will be using suexec.</p>

    <p>First, it is assumed that you are using a UNIX
    derivative operating system that is capable of
    <strong>setuid</strong> and <strong>setgid</strong> operations.
    All command examples are given in this regard. Other platforms,
    if they are capable of supporting suEXEC, may differ in their
    configuration.</p>

    <p>Second, it is assumed you are familiar with
    some basic concepts of your computer's security and its
    administration. This involves an understanding of
    <strong>setuid/setgid</strong> operations and the various
    effects they may have on your system and its level of
    security.</p>

    <p>Third, it is assumed that you are using an
    <strong>unmodified</strong> version of suEXEC code. All code
    for suEXEC has been carefully scrutinized and tested by the
    developers as well as numerous beta testers. Every precaution
    has been taken to ensure a simple yet solidly safe base of
    code. Altering this code can cause unexpected problems and new
    security risks. It is <strong>highly</strong> recommended you
    not alter the suEXEC code unless you are well versed in the
    particulars of security programming and are willing to share
    your work with the Apache HTTP Server development team for consideration.</p>

    <p>Fourth, and last, it has been the decision of
    the Apache HTTP Server development team to <strong>NOT</strong> make suEXEC part of
    the default installation of Apache httpd. To this end, suEXEC
    configuration requires of the administrator careful attention
    to details. After due consideration has been given to the
    various settings for suEXEC, the administrator may install
    suEXEC through normal installation methods.
    The values for
    these settings need to be carefully determined and specified by
    the administrator to properly maintain system security during
    the use of suEXEC functionality. It is through this detailed
    process that we hope to limit suEXEC
    installation only to those who are careful and determined
    enough to use it.</p>

    <p>Still with us? Yes? Good. Let's move on!</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="model" id="model">suEXEC Security Model</a></h2>

    <p>Before we begin configuring and installing
    suEXEC, we will first discuss the security model you are about
    to implement. By doing so, you may better understand what
    exactly is going on inside suEXEC and what precautions are
    taken to ensure your system's security.</p>

    <p><strong>suEXEC</strong> is based on a setuid
    "wrapper" program that is called by the main Apache HTTP Server.
    This wrapper is called when an HTTP request is made for a CGI
    or SSI program that the administrator has designated to run as
    a userid other than that of the main server. When such a
    request is made, Apache httpd provides the suEXEC wrapper with the
    program's name and the user and group IDs under which the
    program is to execute.</p>

    <p>The wrapper then employs the following process
    to determine success or failure -- if any one of these
    conditions fails, the program logs the failure and exits with an
    error; otherwise it continues:</p>

    <ol>
      <li>
        <strong>Is the user executing this wrapper a valid user of
        this system?</strong>

        <p class="indent">
          This is to ensure that the user executing the wrapper is
          truly a user of the system.
        </p>
      </li>

      <li>
        <strong>Was the wrapper called with the proper number of
        arguments?</strong>

        <p class="indent">
          The wrapper will only execute if it is given the proper
          number of arguments. The proper argument format is known
          to the Apache HTTP Server. If the wrapper is not receiving
          the proper number of arguments, it is either being
          hacked, or there is something wrong with the suEXEC
          portion of your Apache httpd binary.
        </p>
      </li>

      <li>
        <strong>Is this valid user allowed to run the
        wrapper?</strong>

        <p class="indent">
          Is this user the user allowed to run this wrapper? Only
          one user (the Apache user) is allowed to execute this
          program.
        </p>
      </li>

      <li>
        <strong>Does the target CGI or SSI program have an unsafe
        hierarchical reference?</strong>

        <p class="indent">
          Does the target CGI or SSI program's path contain a leading
          '/' or have a '..' backreference? These are not allowed; the
          target CGI/SSI program must reside within suEXEC's document
          root (see <code>--with-suexec-docroot=<em>DIR</em></code>
          below).
        </p>
      </li>

      <li>
        <strong>Is the target user name valid?</strong>

        <p class="indent">
          Does the target user exist?
        </p>
      </li>

      <li>
        <strong>Is the target group name valid?</strong>

        <p class="indent">
          Does the target group exist?
        </p>
      </li>

      <li>
        <strong>Is the target user <em>NOT</em> superuser?</strong>


        <p class="indent">
          suEXEC does not allow <code><em>root</em></code>
          to execute CGI/SSI programs.
        </p>
      </li>

      <li>
        <strong>Is the target userid <em>ABOVE</em> the minimum ID
        number?</strong>

        <p class="indent">
          The minimum user ID number is specified during
          configuration. This allows you to set the lowest possible
          userid that will be allowed to execute CGI/SSI programs.
          This is useful to block out "system" accounts.
        </p>
      </li>

      <li>
        <strong>Is the target group <em>NOT</em> the superuser
        group?</strong>

        <p class="indent">
          Presently, suEXEC does not allow the <code><em>root</em></code>
          group to execute CGI/SSI programs.
        </p>
      </li>

      <li>
        <strong>Is the target groupid <em>ABOVE</em> the minimum ID
        number?</strong>

        <p class="indent">
          The minimum group ID number is specified during
          configuration. This allows you to set the lowest possible
          groupid that will be allowed to execute CGI/SSI programs.
          This is useful to block out "system" groups.
        </p>
      </li>

      <li>
        <strong>Can the wrapper successfully become the target user
        and group?</strong>

        <p class="indent">
          Here is where the program becomes the target user and
          group via setuid and setgid calls. The group access list
          is also initialized with all of the groups of which the
          user is a member.
        </p>
      </li>

      <li>
        <strong>Can we change directory to the one in which the target
        CGI/SSI program resides?</strong>

        <p class="indent">
          If it doesn't exist, it can't very well contain files. If we
          can't change directory to it, it might as well not exist.
        </p>
      </li>

      <li>
        <strong>Is the directory within the httpd webspace?</strong>

        <p class="indent">
          If the request is for a regular portion of the server, is
          the requested directory within suEXEC's document root? If
          the request is for a <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code>, is the requested directory
          within the directory configured as suEXEC's userdir (see
          <a href="#install">suEXEC's configuration options</a>)?
        </p>
      </li>

      <li>
        <strong>Is the directory <em>NOT</em> writable by anyone
        else?</strong>

        <p class="indent">
          We don't want to open up the directory to others; only
          the owner may alter this directory's
          contents.
        </p>
      </li>

      <li>
        <strong>Does the target CGI/SSI program exist?</strong>

        <p class="indent">
          If it doesn't exist, it can't very well be executed.
        </p>
      </li>

      <li>
        <strong>Is the target CGI/SSI program <em>NOT</em> writable
        by anyone else?</strong>

        <p class="indent">
          We don't want to give anyone other than the owner the
          ability to change the CGI/SSI program.
        </p>
      </li>

      <li>
        <strong>Is the target CGI/SSI program <em>NOT</em> setuid or
        setgid?</strong>

        <p class="indent">
          We do not want to execute programs that will then change
          our UID/GID again.
        </p>
      </li>

      <li>
        <strong>Is the target user/group the same as the program's
        user/group?</strong>

        <p class="indent">
          Is the user the owner of the file?
        </p>
      </li>

      <li>
        <strong>Can we successfully clean the process environment
        to ensure safe operations?</strong>

        <p class="indent">
          suEXEC cleans the process' environment by establishing a
          safe execution PATH (defined during configuration), as
          well as only passing through those variables whose names
          are listed in the safe environment list (also created
          during configuration).
        </p>
      </li>

      <li>
        <strong>Can we successfully become the target CGI/SSI program
        and execute?</strong>

        <p class="indent">
          Here is where suEXEC ends and the target CGI/SSI program begins.
        </p>
      </li>
    </ol>

    <p>This is the standard operation of the
    suEXEC wrapper's security model.
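    </p>

    <p>The sketch below is an added example, not code from the Apache HTTP
    Server project: it applies the path, UID/GID and file-mode checks from
    the list above to a CGI target and reports the first one that fails.
    The function and result names are hypothetical, the minimum IDs are
    assumed to be the documented defaults of 100, and checks that need the
    running server or the user database (caller identity, user and group
    lookup, document root containment, environment cleaning) are left out.</p>

```c
/* Added example, not Apache's suexec.c: audit a CGI target against the
 * path, identity and file-mode checks listed above. Names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

#define UID_MIN ((uid_t)100) /* assumed: default of --with-suexec-uidmin */
#define GID_MIN ((gid_t)100) /* assumed: default of --with-suexec-gidmin */

enum sx_result { SX_OK, SX_BAD_PATH, SX_BAD_UID, SX_BAD_GID, SX_DIR_WRITABLE,
                 SX_PRG_WRITABLE, SX_PRG_SETID, SX_OWNER_MISMATCH };

static const char *const sx_text[] = {
    "ok", "leading '/' or '..' in path", "target uid is root or below minimum",
    "target gid is root or below minimum", "directory writable by group/other",
    "program writable by group/other", "program is setuid or setgid",
    "program not owned by target user/group" };

/* Unsafe hierarchical reference: empty, absolute, or any ".." component. */
static int path_is_unsafe(const char *cmd)
{
    const char *p = cmd;
    if (*p == '\0' || *p == '/')
        return 1;
    while (*p != '\0') {
        size_t n = strcspn(p, "/");   /* length of the next component */
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += n;
        while (*p == '/')
            p++;
    }
    return 0;
}

/* Returns the first failed check, in the order the list gives them. */
enum sx_result suexec_precheck(const char *cmd, uid_t uid, gid_t gid,
                               const struct stat *dir, const struct stat *prg)
{
    if (path_is_unsafe(cmd))                return SX_BAD_PATH;
    if (uid == 0 || uid < UID_MIN)          return SX_BAD_UID; /* root, then minimum */
    if (gid == 0 || gid < GID_MIN)          return SX_BAD_GID;
    if (dir->st_mode & (S_IWGRP | S_IWOTH)) return SX_DIR_WRITABLE;
    if (prg->st_mode & (S_IWGRP | S_IWOTH)) return SX_PRG_WRITABLE;
    if (prg->st_mode & (S_ISUID | S_ISGID)) return SX_PRG_SETID;
    if (prg->st_uid != uid || prg->st_gid != gid)
        return SX_OWNER_MISMATCH;
    return SX_OK;
}

/* Constructed fixture: same checks on made-up modes and owners instead of
 * a real stat() result, so the logic can be exercised offline. */
enum sx_result precheck_fixture(const char *cmd, uid_t uid, gid_t gid,
                                mode_t dir_mode, mode_t prg_mode,
                                uid_t prg_uid, gid_t prg_gid)
{
    struct stat dir, prg;
    memset(&dir, 0, sizeof dir);
    memset(&prg, 0, sizeof prg);
    dir.st_mode = dir_mode;
    prg.st_mode = prg_mode;
    prg.st_uid = prg_uid;
    prg.st_gid = prg_gid;
    return suexec_precheck(cmd, uid, gid, &dir, &prg);
}

/* Run from the script's own directory: ./precheck SCRIPT UID GID */
int main(int argc, char **argv)
{
    struct stat dir, prg;
    enum sx_result r;
    if (argc != 4 || stat(".", &dir) != 0 || stat(argv[1], &prg) != 0) {
        fprintf(stderr, "usage: precheck SCRIPT UID GID (SCRIPT must exist)\n");
        return 2;
    }
    r = suexec_precheck(argv[1], (uid_t)strtoul(argv[2], NULL, 10),
                        (gid_t)strtoul(argv[3], NULL, 10), &dir, &prg);
    printf("%s: %s\n", argv[1], sx_text[r]);
    return r == SX_OK ? 0 : 1;
}
```

    <p>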
    The model is somewhat stringent and
    can impose new limitations and guidelines for CGI/SSI design,
    but it was developed carefully, step by step, with security in
    mind.</p>

    <p>For more information as to how this security
    model can limit your possibilities with regard to server
    configuration, as well as what security risks can be avoided
    with a proper suEXEC setup, see the <a href="#jabberwock">"Beware the Jabberwock"</a> section of this
    document.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="install" id="install">Configuring &amp; Installing
    suEXEC</a></h2>

    <p>Here's where we begin the fun.</p>

    <p><strong>suEXEC configuration
    options</strong><br />
    </p>

    <dl>
      <dt><code>--enable-suexec</code></dt>

      <dd>This option enables the suEXEC feature which is never
      installed or activated by default. At least one
      <code>--with-suexec-xxxxx</code> option has to be provided
      together with the <code>--enable-suexec</code> option to let
      APACI accept your request for using the suEXEC feature.</dd>

      <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>

      <dd>The path to the <code>suexec</code> binary must be hard-coded
      in the server for security reasons. Use this option to override
      the default path. <em>e.g.</em>
      <code>--with-suexec-bin=/usr/sbin/suexec</code></dd>

      <dt><code>--with-suexec-caller=<em>UID</em></code></dt>

      <dd>The <a href="mod/mpm_common.html#user">username</a> under which
      httpd normally runs. This is the only user allowed to
      execute the suEXEC wrapper.</dd>

      <dt><code>--with-suexec-userdir=<em>DIR</em></code></dt>

      <dd>Define to be the subdirectory under users' home
      directories where suEXEC access should be allowed.
      All
      executables under this directory will be executable by suEXEC
      as the user so they should be "safe" programs. If you are
      using a "simple" <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code>
      directive (<em>i.e.</em> one without a "*" in it) this should be set to the same
      value. suEXEC will not work properly in cases where the <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code> directive points to
      a location that is not the same as the user's home directory
      as referenced in the <code>passwd</code> file. Default value is
      "<code>public_html</code>".<br />
      If you have virtual hosts with a different <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code> for each,
      you will need to define them to all reside in one parent
      directory; then name that parent directory here. <strong>If
      this is not defined properly, "~userdir" cgi requests will
      not work!</strong></dd>

      <dt><code>--with-suexec-docroot=<em>DIR</em></code></dt>

      <dd>Define as the DocumentRoot set for httpd. This will be
      the only hierarchy (aside from <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code>s) that can be used for suEXEC behavior. The
      default directory is the <code>--datadir</code> value with the suffix
      "<code>/htdocs</code>", <em>e.g.</em> if you configure with
      "<code>--datadir=/home/apache</code>" the directory
      "<code>/home/apache/htdocs</code>" is used as document root for the
      suEXEC wrapper.</dd>

      <dt><code>--with-suexec-uidmin=<em>UID</em></code></dt>

      <dd>Define this as the lowest UID allowed to be a target user
      for suEXEC. For most systems, 500 or 100 is common. Default
      value is 100.</dd>

      <dt><code>--with-suexec-gidmin=<em>GID</em></code></dt>

      <dd>Define this as the lowest GID allowed to be a target
      group for suEXEC.
      For most systems, 100 is common and
      therefore used as default value.</dd>

      <dt><code>--with-suexec-logfile=<em>FILE</em></code></dt>

      <dd>This defines the filename to which all suEXEC
      transactions and errors are logged (useful for auditing and
      debugging purposes). By default the logfile is named
      "<code>suexec_log</code>" and located in your standard logfile
      directory (<code>--logfiledir</code>).</dd>

      <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>

      <dd>Define a safe PATH environment to pass to CGI
      executables. Default value is
      "<code>/usr/local/bin:/usr/bin:/bin</code>".</dd>
    </dl>

    <h3>Compiling and installing the suEXEC wrapper</h3>


      <p>If you have enabled the suEXEC feature with the
      <code>--enable-suexec</code> option the <code>suexec</code> binary
      (together with httpd itself) is automatically built if you execute
      the <code>make</code> command.</p>

      <p>After all components have been built you can execute the
      command <code>make install</code> to install them. The binary image
      <code>suexec</code> is installed in the directory defined by the
      <code>--sbindir</code> option. The default location is
      "/usr/local/apache2/bin/suexec".</p>

      <p>Please note that you need <strong><em>root
      privileges</em></strong> for the installation step.
      In order
      for the wrapper to set the user ID, it must be installed as
      owner <code><em>root</em></code> and must have the setuserid
      execution bit set for file modes.</p>


    <h3>Setting paranoid permissions</h3>


      <p>Although the suEXEC wrapper will check to ensure that its
      caller is the correct user as specified with the
      <code>--with-suexec-caller</code> <code class="program"><a href="/programs/configure.html">configure</a></code>
      option, there is
      always the possibility that a system or library call suEXEC uses
      before this check may be exploitable on your system. To counter
      this, and because it is best practice in general, you should use
      filesystem permissions to ensure that only the group httpd
      runs as may execute suEXEC.</p>

      <p>If, for example, your web server is configured to run as:</p>

      <pre class="prettyprint lang-config">User www
Group webgroup</pre>


      <p>and <code class="program"><a href="/programs/suexec.html">suexec</a></code> is installed at
      "/usr/local/apache2/bin/suexec", you should run:</p>

      <div class="example"><p><code>
          chgrp webgroup /usr/local/apache2/bin/suexec<br />
          chmod 4750 /usr/local/apache2/bin/suexec<br />
      </code></p></div>

      <p>This will ensure that only the group httpd runs as can even
      execute the suEXEC wrapper.</p>

</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="enable" id="enable">Enabling &amp; Disabling
    suEXEC</a></h2>

    <p>Upon startup of httpd, it looks for the file
    <code class="program"><a href="/programs/suexec.html">suexec</a></code> in the directory defined by the
    <code>--sbindir</code> option (default is
    "/usr/local/apache/sbin/suexec").
    If httpd finds a properly
    configured suEXEC wrapper, it will print the following message
    to the error log:</p>

<div class="example"><p><code>
    [notice] suEXEC mechanism enabled (wrapper: <var>/path/to/suexec</var>)
</code></p></div>

    <p>If you don't see this message at server startup, the server is
    most likely not finding the wrapper program where it expects
    it, or the executable is not installed <em>setuid root</em>.</p>

     <p>If you want to enable the suEXEC mechanism for the first time
    and an Apache HTTP Server is already running you must kill and
    restart httpd. Restarting it with a simple HUP or USR1 signal
    will not be enough.</p>
     <p>If you want to disable suEXEC you should kill and restart
    httpd after you have removed the <code class="program"><a href="/programs/suexec.html">suexec</a></code> file.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="usage" id="usage">Using suEXEC</a></h2>

    <p>Requests for CGI programs will call the suEXEC wrapper only if
    they are for a virtual host containing a <code class="directive"><a href="/mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive or if
    they are processed by <code class="module"><a href="/mod/mod_userdir.html">mod_userdir</a></code>.</p>

    <p><strong>Virtual Hosts:</strong><br /> One way to use the suEXEC
    wrapper is through the <code class="directive"><a href="/mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive in
    <code class="directive"><a href="/mod/core.html#virtualhost">VirtualHost</a></code> definitions. By
    setting this directive to values different from the main server
    user ID, all requests for CGI resources will be executed as the
    <em>User</em> and <em>Group</em> defined for that <code class="directive"><a href="/mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code>.
    If this
    directive is not specified for a <code class="directive"><a href="/mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code> then the main server userid
    is assumed.</p>

    <p><strong>User directories:</strong><br /> Requests that are
    processed by <code class="module"><a href="/mod/mod_userdir.html">mod_userdir</a></code> will call the suEXEC
    wrapper to execute CGI programs under the userid of the requested
    user directory. The only requirements for this feature to
    work are that CGI execution be enabled for the user and that the
    script meet the scrutiny of the <a href="#model">security
    checks</a> above. See also the
    <code>--with-suexec-userdir</code> <a href="#install">compile
    time option</a>.</p> </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="debug" id="debug">Debugging suEXEC</a></h2>

    <p>The suEXEC wrapper will write log information
    to the file defined with the <code>--with-suexec-logfile</code>
    option as indicated above. If you feel you have configured and
    installed the wrapper properly, have a look at this log and the
    error_log for the server to see where you may have gone astray.</p>

</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="jabberwock" id="jabberwock">Beware the Jabberwock:
    Warnings &amp; Examples</a></h2>

    <p><strong>NOTE!</strong> This section may not be
    complete. For the latest revision of this section of the
    documentation, see the <a href="http://httpd.apache.org/docs/2.4/suexec.html">Online
    Documentation</a> version.</p>

    <p>There are a few points of interest regarding
    the wrapper that can cause limitations on server setup.
    Please
    review these before submitting any "bugs" regarding suEXEC.</p>

    <ul>
      <li><strong>suEXEC Points Of Interest</strong></li>

      <li>
        Hierarchy limitations

        <p class="indent">
          For security and efficiency reasons, all suEXEC requests
          must remain within either a top-level document root for
          virtual host requests, or one top-level personal document
          root for userdir requests. For example, if you have four
          VirtualHosts configured, you would need to structure all
          of your VHosts' document roots off of one main httpd
          document hierarchy to take advantage of suEXEC for
          VirtualHosts. (Example forthcoming.)
        </p>
      </li>

      <li>
        suEXEC's PATH environment variable

        <p class="indent">
          This can be a dangerous thing to change. Make certain
          every path you include in this define is a
          <strong>trusted</strong> directory. You don't want to
          open people up to having someone from across the world
          running a trojan horse on them.
        </p>
      </li>

      <li>
        Altering the suEXEC code

        <p class="indent">
          Again, this can cause <strong>Big Trouble</strong> if you
          try this without knowing what you are doing. Stay away
          from it if at all possible.
        </p>
      </li>
    </ul>

</div></div>
<div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
</div><div
id="footer">
<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
</div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {
    prettyPrint();
}
//--><!]]></script>
</body></html>