1<?xml version="1.0" encoding="ISO-8859-1"?> 2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 3<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 This file is generated from xml source: DO NOT EDIT 6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 7 --> 8<title>suEXEC Support - Apache HTTP Server</title> 9<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> 10<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> 11<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" /> 12<script src="/style/scripts/prettify.js" type="text/javascript"> 13</script> 14 15<link href="/images/favicon.ico" rel="shortcut icon" /></head> 16<body id="manual-page"><div id="page-header"> 17<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p> 18<p class="apache">Apache HTTP Server Version 2.2</p> 19<img alt="" src="/images/feather.gif" /></div> 20<div class="up"><a href="./"><img title="<-" alt="<-" src="/images/left.gif" /></a></div> 21<div id="path"> 22<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="./">Version 2.2</a></div><div id="page-content"><div id="preamble"><h1>suEXEC Support</h1> 23<div class="toplang"> 24<p><span>Available Languages: </span><a href="/en/suexec.html" title="English"> en </a> | 25<a href="/fr/suexec.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a> | 26<a href="/ja/suexec.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a> | 27<a href="/ko/suexec.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> | 28<a href="/tr/suexec.html" hreflang="tr" rel="alternate" title="T�rk�e"> tr </a></p> 29</div> 30 31 <p>The <strong>suEXEC</strong> feature provides 32 Apache users the ability 33 to run <strong>CGI</strong> and <strong>SSI</strong> programs 34 under user IDs different from the user ID of the calling 35 web server. Normally, when a CGI or SSI program executes, it 36 runs as the same user who is running the web server.</p> 37 38 <p>Used properly, this feature can reduce 39 considerably the security risks involved with allowing users to 40 develop and run private CGI or SSI programs. However, if suEXEC 41 is improperly configured, it can cause any number of problems 42 and possibly create new holes in your computer's security. If 43 you aren't familiar with managing <em>setuid root</em> programs 44 and the security issues they present, we highly recommend that 45 you not consider using suEXEC.</p> 46 </div> 47<div id="quickview"><ul id="toc"><li><img alt="" src="/images/down.gif" /> <a href="#before">Before we begin</a></li> 48<li><img alt="" src="/images/down.gif" /> <a href="#model">suEXEC Security Model</a></li> 49<li><img alt="" src="/images/down.gif" /> <a href="#install">Configuring & Installing 50 suEXEC</a></li> 51<li><img alt="" src="/images/down.gif" /> <a href="#enable">Enabling & Disabling 52 suEXEC</a></li> 53<li><img alt="" src="/images/down.gif" /> <a href="#usage">Using suEXEC</a></li> 54<li><img alt="" src="/images/down.gif" /> <a href="#debug">Debugging suEXEC</a></li> 55<li><img alt="" src="/images/down.gif" /> <a href="#jabberwock">Beware the Jabberwock: 56 Warnings & Examples</a></li> 57</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div> 58<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 59<div class="section"> 60<h2><a name="before" id="before">Before we begin</a></h2> 61 62 <p>Before jumping head-first into this document, 63 you should be aware of the assumptions made on the part of the 64 Apache Group and this document.</p> 65 66 <p>First, it is assumed that you are using a UNIX 67 derivative operating system that is capable of 68 <strong>setuid</strong> and <strong>setgid</strong> operations. 69 All command examples are given in this regard. Other platforms, 70 if they are capable of supporting suEXEC, may differ in their 71 configuration.</p> 72 73 <p>Second, it is assumed you are familiar with 74 some basic concepts of your computer's security and its 75 administration. This involves an understanding of 76 <strong>setuid/setgid</strong> operations and the various 77 effects they may have on your system and its level of 78 security.</p> 79 80 <p>Third, it is assumed that you are using an 81 <strong>unmodified</strong> version of suEXEC code. All code 82 for suEXEC has been carefully scrutinized and tested by the 83 developers as well as numerous beta testers. Every precaution 84 has been taken to ensure a simple yet solidly safe base of 85 code. Altering this code can cause unexpected problems and new 86 security risks. It is <strong>highly</strong> recommended you 87 not alter the suEXEC code unless you are well versed in the 88 particulars of security programming and are willing to share 89 your work with the Apache Group for consideration.</p> 90 91 <p>Fourth, and last, it has been the decision of 92 the Apache Group to <strong>NOT</strong> make suEXEC part of 93 the default installation of Apache. To this end, suEXEC 94 configuration requires of the administrator careful attention 95 to details. After due consideration has been given to the 96 various settings for suEXEC, the administrator may install 97 suEXEC through normal installation methods. The values for 98 these settings need to be carefully determined and specified by 99 the administrator to properly maintain system security during 100 the use of suEXEC functionality. It is through this detailed 101 process that the Apache Group hopes to limit suEXEC 102 installation only to those who are careful and determined 103 enough to use it.</p> 104 105 <p>Still with us? Yes? Good. Let's move on!</p> 106</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 107<div class="section"> 108<h2><a name="model" id="model">suEXEC Security Model</a></h2> 109 110 <p>Before we begin configuring and installing 111 suEXEC, we will first discuss the security model you are about 112 to implement. By doing so, you may better understand what 113 exactly is going on inside suEXEC and what precautions are 114 taken to ensure your system's security.</p> 115 116 <p><strong>suEXEC</strong> is based on a setuid 117 "wrapper" program that is called by the main Apache web server. 118 This wrapper is called when an HTTP request is made for a CGI 119 or SSI program that the administrator has designated to run as 120 a userid other than that of the main server. When such a 121 request is made, Apache provides the suEXEC wrapper with the 122 program's name and the user and group IDs under which the 123 program is to execute.</p> 124 125 <p>The wrapper then employs the following process 126 to determine success or failure -- if any one of these 127 conditions fail, the program logs the failure and exits with an 128 error, otherwise it will continue:</p> 129 130 <ol> 131 <li> 132 <strong>Is the user executing this wrapper a valid user of 133 this system?</strong> 134 135 <p class="indent"> 136 This is to ensure that the user executing the wrapper is 137 truly a user of the system. 138 </p> 139 </li> 140 141 <li> 142 <strong>Was the wrapper called with the proper number of 143 arguments?</strong> 144 145 <p class="indent"> 146 The wrapper will only execute if it is given the proper 147 number of arguments. The proper argument format is known 148 to the Apache web server. If the wrapper is not receiving 149 the proper number of arguments, it is either being 150 hacked, or there is something wrong with the suEXEC 151 portion of your Apache binary. 152 </p> 153 </li> 154 155 <li> 156 <strong>Is this valid user allowed to run the 157 wrapper?</strong> 158 159 <p class="indent"> 160 Is this user the user allowed to run this wrapper? Only 161 one user (the Apache user) is allowed to execute this 162 program. 163 </p> 164 </li> 165 166 <li> 167 <strong>Does the target CGI or SSI program have an unsafe 168 hierarchical reference?</strong> 169 170 <p class="indent"> 171 Does the target CGI or SSI program's path contain a leading 172 '/' or have a '..' backreference? These are not allowed; the 173 target CGI/SSI program must reside within suEXEC's document 174 root (see <code>--with-suexec-docroot=<em>DIR</em></code> 175 below). 176 </p> 177 </li> 178 179 <li> 180 <strong>Is the target user name valid?</strong> 181 182 <p class="indent"> 183 Does the target user exist? 184 </p> 185 </li> 186 187 <li> 188 <strong>Is the target group name valid?</strong> 189 190 <p class="indent"> 191 Does the target group exist? 192 </p> 193 </li> 194 195 <li> 196 <strong>Is the target user <em>NOT</em> superuser?</strong> 197 198 199 <p class="indent"> 200 suEXEC does not allow <code><em>root</em></code> 201 to execute CGI/SSI programs. 202 </p> 203 </li> 204 205 <li> 206 <strong>Is the target userid <em>ABOVE</em> the minimum ID 207 number?</strong> 208 209 <p class="indent"> 210 The minimum user ID number is specified during 211 configuration. This allows you to set the lowest possible 212 userid that will be allowed to execute CGI/SSI programs. 213 This is useful to block out "system" accounts. 214 </p> 215 </li> 216 217 <li> 218 <strong>Is the target group <em>NOT</em> the superuser 219 group?</strong> 220 221 <p class="indent"> 222 Presently, suEXEC does not allow the <code><em>root</em></code> 223 group to execute CGI/SSI programs. 224 </p> 225 </li> 226 227 <li> 228 <strong>Is the target groupid <em>ABOVE</em> the minimum ID 229 number?</strong> 230 231 <p class="indent"> 232 The minimum group ID number is specified during 233 configuration. This allows you to set the lowest possible 234 groupid that will be allowed to execute CGI/SSI programs. 235 This is useful to block out "system" groups. 236 </p> 237 </li> 238 239 <li> 240 <strong>Can the wrapper successfully become the target user 241 and group?</strong> 242 243 <p class="indent"> 244 Here is where the program becomes the target user and 245 group via setuid and setgid calls. The group access list 246 is also initialized with all of the groups of which the 247 user is a member. 248 </p> 249 </li> 250 251 <li> 252 <strong>Can we change directory to the one in which the target 253 CGI/SSI program resides?</strong> 254 255 <p class="indent"> 256 If it doesn't exist, it can't very well contain files. If we 257 can't change directory to it, it might aswell not exist. 258 </p> 259 </li> 260 261 <li> 262 <strong>Is the directory within the Apache 263 webspace?</strong> 264 265 <p class="indent"> 266 If the request is for a regular portion of the server, is 267 the requested directory within suEXEC's document root? If 268 the request is for a <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code>, is the requested directory 269 within the directory configured as suEXEC's userdir (see 270 <a href="#install">suEXEC's configuration options</a>)? 271 </p> 272 </li> 273 274 <li> 275 <strong>Is the directory <em>NOT</em> writable by anyone 276 else?</strong> 277 278 <p class="indent"> 279 We don't want to open up the directory to others; only 280 the owner user may be able to alter this directories 281 contents. 282 </p> 283 </li> 284 285 <li> 286 <strong>Does the target CGI/SSI program exist?</strong> 287 288 <p class="indent"> 289 If it doesn't exists, it can't very well be executed. 290 </p> 291 </li> 292 293 <li> 294 <strong>Is the target CGI/SSI program <em>NOT</em> writable 295 by anyone else?</strong> 296 297 <p class="indent"> 298 We don't want to give anyone other than the owner the 299 ability to change the CGI/SSI program. 300 </p> 301 </li> 302 303 <li> 304 <strong>Is the target CGI/SSI program <em>NOT</em> setuid or 305 setgid?</strong> 306 307 <p class="indent"> 308 We do not want to execute programs that will then change 309 our UID/GID again. 310 </p> 311 </li> 312 313 <li> 314 <strong>Is the target user/group the same as the program's 315 user/group?</strong> 316 317 <p class="indent"> 318 Is the user the owner of the file? 319 </p> 320 </li> 321 322 <li> 323 <strong>Can we successfully clean the process environment 324 to ensure safe operations?</strong> 325 326 <p class="indent"> 327 suEXEC cleans the process' environment by establishing a 328 safe execution PATH (defined during configuration), as 329 well as only passing through those variables whose names 330 are listed in the safe environment list (also created 331 during configuration). 332 </p> 333 </li> 334 335 <li> 336 <strong>Can we successfully become the target CGI/SSI program 337 and execute?</strong> 338 339 <p class="indent"> 340 Here is where suEXEC ends and the target CGI/SSI program begins. 341 </p> 342 </li> 343 </ol> 344 345 <p>This is the standard operation of the 346 suEXEC wrapper's security model. It is somewhat stringent and 347 can impose new limitations and guidelines for CGI/SSI design, 348 but it was developed carefully step-by-step with security in 349 mind.</p> 350 351 <p>For more information as to how this security 352 model can limit your possibilities in regards to server 353 configuration, as well as what security risks can be avoided 354 with a proper suEXEC setup, see the <a href="#jabberwock">"Beware the Jabberwock"</a> section of this 355 document.</p> 356</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 357<div class="section"> 358<h2><a name="install" id="install">Configuring & Installing 359 suEXEC</a></h2> 360 361 <p>Here's where we begin the fun.</p> 362 363 <p><strong>suEXEC configuration 364 options</strong><br /> 365 </p> 366 367 <dl> 368 <dt><code>--enable-suexec</code></dt> 369 370 <dd>This option enables the suEXEC feature which is never 371 installed or activated by default. At least one 372 <code>--with-suexec-xxxxx</code> option has to be provided 373 together with the <code>--enable-suexec</code> option to let 374 APACI accept your request for using the suEXEC feature.</dd> 375 376 <dt><code>--with-suexec-bin=<em>PATH</em></code></dt> 377 378 <dd>The path to the <code>suexec</code> binary must be hard-coded 379 in the server for security reasons. Use this option to override 380 the default path. <em>e.g.</em> 381 <code>--with-suexec-bin=/usr/sbin/suexec</code></dd> 382 383 <dt><code>--with-suexec-caller=<em>UID</em></code></dt> 384 385 <dd>The <a href="mod/mpm_common.html#user">username</a> under which 386 Apache normally runs. This is the only user allowed to 387 execute this program.</dd> 388 389 <dt><code>--with-suexec-userdir=<em>DIR</em></code></dt> 390 391 <dd>Define to be the subdirectory under users' home 392 directories where suEXEC access should be allowed. All 393 executables under this directory will be executable by suEXEC 394 as the user so they should be "safe" programs. If you are 395 using a "simple" <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code> 396 directive (ie. one without a "*" in it) this should be set to the same 397 value. suEXEC will not work properly in cases where the <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code> directive points to 398 a location that is not the same as the user's home directory 399 as referenced in the <code>passwd</code> file. Default value is 400 "<code>public_html</code>".<br /> 401 If you have virtual hosts with a different <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code> for each, 402 you will need to define them to all reside in one parent 403 directory; then name that parent directory here. <strong>If 404 this is not defined properly, "~userdir" cgi requests will 405 not work!</strong></dd> 406 407 <dt><code>--with-suexec-docroot=<em>DIR</em></code></dt> 408 409 <dd>Define as the DocumentRoot set for Apache. This will be 410 the only hierarchy (aside from <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code>s) that can be used for suEXEC behavior. The 411 default directory is the <code>--datadir</code> value with the suffix 412 "<code>/htdocs</code>", <em>e.g.</em> if you configure with 413 "<code>--datadir=/home/apache</code>" the directory 414 "<code>/home/apache/htdocs</code>" is used as document root for the 415 suEXEC wrapper.</dd> 416 417 <dt><code>--with-suexec-uidmin=<em>UID</em></code></dt> 418 419 <dd>Define this as the lowest UID allowed to be a target user 420 for suEXEC. For most systems, 500 or 100 is common. Default 421 value is 100.</dd> 422 423 <dt><code>--with-suexec-gidmin=<em>GID</em></code></dt> 424 425 <dd>Define this as the lowest GID allowed to be a target 426 group for suEXEC. For most systems, 100 is common and 427 therefore used as default value.</dd> 428 429 <dt><code>--with-suexec-logfile=<em>FILE</em></code></dt> 430 431 <dd>This defines the filename to which all suEXEC 432 transactions and errors are logged (useful for auditing and 433 debugging purposes). By default the logfile is named 434 "<code>suexec_log</code>" and located in your standard logfile 435 directory (<code>--logfiledir</code>).</dd> 436 437 <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt> 438 439 <dd>Define a safe PATH environment to pass to CGI 440 executables. Default value is 441 "<code>/usr/local/bin:/usr/bin:/bin</code>".</dd> 442 </dl> 443 444 <h3>Compiling and installing the suEXEC wrapper</h3> 445 446 447 <p>If you have enabled the suEXEC feature with the 448 <code>--enable-suexec</code> option the <code>suexec</code> binary 449 (together with Apache itself) is automatically built if you execute 450 the <code>make</code> command.</p> 451 452 <p>After all components have been built you can execute the 453 command <code>make install</code> to install them. The binary image 454 <code>suexec</code> is installed in the directory defined by the 455 <code>--sbindir</code> option. The default location is 456 "/usr/local/apache2/bin/suexec".</p> 457 458 <p>Please note that you need <strong><em>root 459 privileges</em></strong> for the installation step. In order 460 for the wrapper to set the user ID, it must be installed as 461 owner <code><em>root</em></code> and must have the setuserid 462 execution bit set for file modes.</p> 463 464 465 <h3>Setting paranoid permissions</h3> 466 467 468 <p>Although the suEXEC wrapper will check to ensure that its 469 caller is the correct user as specified with the 470 <code>--with-suexec-caller</code> <code class="program"><a href="/programs/configure.html">configure</a></code> 471 option, there is 472 always the possibility that a system or library call suEXEC uses 473 before this check may be exploitable on your system. To counter 474 this, and because it is best-practise in general, you should use 475 filesystem permissions to ensure that only the group Apache 476 runs as may execute suEXEC.</p> 477 478 <p>If for example, your web server is configured to run as:</p> 479 480 <div class="example"><p><code> 481 User www<br /> 482 Group webgroup<br /> 483 </code></p></div> 484 485 <p>and <code class="program"><a href="/programs/suexec.html">suexec</a></code> is installed at 486 "/usr/local/apache2/bin/suexec", you should run:</p> 487 488 <div class="example"><p><code> 489 chgrp webgroup /usr/local/apache2/bin/suexec<br /> 490 chmod 4750 /usr/local/apache2/bin/suexec<br /> 491 </code></p></div> 492 493 <p>This will ensure that only the group Apache runs as can even 494 execute the suEXEC wrapper.</p> 495 496</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 497<div class="section"> 498<h2><a name="enable" id="enable">Enabling & Disabling 499 suEXEC</a></h2> 500 501 <p>Upon startup of Apache, it looks for the file 502 <code class="program"><a href="/programs/suexec.html">suexec</a></code> in the directory defined by the 503 <code>--sbindir</code> option (default is 504 "/usr/local/apache/sbin/suexec"). If Apache finds a properly 505 configured suEXEC wrapper, it will print the following message 506 to the error log:</p> 507 508<div class="example"><p><code> 509 [notice] suEXEC mechanism enabled (wrapper: <var>/path/to/suexec</var>) 510</code></p></div> 511 512 <p>If you don't see this message at server startup, the server is 513 most likely not finding the wrapper program where it expects 514 it, or the executable is not installed <em>setuid root</em>.</p> 515 516 <p>If you want to enable the suEXEC mechanism for the first time 517 and an Apache server is already running you must kill and 518 restart Apache. Restarting it with a simple HUP or USR1 signal 519 will not be enough. </p> 520 <p>If you want to disable suEXEC you should kill and restart 521 Apache after you have removed the <code class="program"><a href="/programs/suexec.html">suexec</a></code> file.</p> 522</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 523<div class="section"> 524<h2><a name="usage" id="usage">Using suEXEC</a></h2> 525 526 <p>Requests for CGI programs will call the suEXEC wrapper only if 527 they are for a virtual host containing a <code class="directive"><a href="/mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive or if 528 they are processed by <code class="module"><a href="/mod/mod_userdir.html">mod_userdir</a></code>.</p> 529 530 <p><strong>Virtual Hosts:</strong><br /> One way to use the suEXEC 531 wrapper is through the <code class="directive"><a href="/mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive in 532 <code class="directive"><a href="/mod/core.html#virtualhost">VirtualHost</a></code> definitions. By 533 setting this directive to values different from the main server 534 user ID, all requests for CGI resources will be executed as the 535 <em>User</em> and <em>Group</em> defined for that <code class="directive"><a href="/mod/core.html#virtualhost"><VirtualHost></a></code>. If this 536 directive is not specified for a <code class="directive"><a href="/mod/core.html#virtualhost"><VirtualHost></a></code> then the main server userid 537 is assumed.</p> 538 539 <p><strong>User directories:</strong><br /> Requests that are 540 processed by <code class="module"><a href="/mod/mod_userdir.html">mod_userdir</a></code> will call the suEXEC 541 wrapper to execute CGI programs under the userid of the requested 542 user directory. The only requirement needed for this feature to 543 work is for CGI execution to be enabled for the user and that the 544 script must meet the scrutiny of the <a href="#model">security 545 checks</a> above. See also the 546 <code>--with-suexec-userdir</code> <a href="#install">compile 547 time option</a>.</p> </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 548<div class="section"> 549<h2><a name="debug" id="debug">Debugging suEXEC</a></h2> 550 551 <p>The suEXEC wrapper will write log information 552 to the file defined with the <code>--with-suexec-logfile</code> 553 option as indicated above. If you feel you have configured and 554 installed the wrapper properly, have a look at this log and the 555 error_log for the server to see where you may have gone astray.</p> 556 557</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 558<div class="section"> 559<h2><a name="jabberwock" id="jabberwock">Beware the Jabberwock: 560 Warnings & Examples</a></h2> 561 562 <p><strong>NOTE!</strong> This section may not be 563 complete. For the latest revision of this section of the 564 documentation, see the Apache Group's <a href="http://httpd.apache.org/docs/2.2/suexec.html">Online 565 Documentation</a> version.</p> 566 567 <p>There are a few points of interest regarding 568 the wrapper that can cause limitations on server setup. Please 569 review these before submitting any "bugs" regarding suEXEC.</p> 570 571 <ul> 572 <li><strong>suEXEC Points Of Interest</strong></li> 573 574 <li> 575 Hierarchy limitations 576 577 <p class="indent"> 578 For security and efficiency reasons, all suEXEC requests 579 must remain within either a top-level document root for 580 virtual host requests, or one top-level personal document 581 root for userdir requests. For example, if you have four 582 VirtualHosts configured, you would need to structure all 583 of your VHosts' document roots off of one main Apache 584 document hierarchy to take advantage of suEXEC for 585 VirtualHosts. (Example forthcoming.) 586 </p> 587 </li> 588 589 <li> 590 suEXEC's PATH environment variable 591 592 <p class="indent"> 593 This can be a dangerous thing to change. Make certain 594 every path you include in this define is a 595 <strong>trusted</strong> directory. You don't want to 596 open people up to having someone from across the world 597 running a trojan horse on them. 598 </p> 599 </li> 600 601 <li> 602 Altering the suEXEC code 603 604 <p class="indent"> 605 Again, this can cause <strong>Big Trouble</strong> if you 606 try this without knowing what you are doing. Stay away 607 from it if at all possible. 608 </p> 609 </li> 610 </ul> 611 612</div></div> 613<div class="bottomlang"> 614<p><span>Available Languages: </span><a href="/en/suexec.html" title="English"> en </a> | 615<a href="/fr/suexec.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a> | 616<a href="/ja/suexec.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a> | 617<a href="/ko/suexec.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> | 618<a href="/tr/suexec.html" hreflang="tr" rel="alternate" title="T�rk�e"> tr </a></p> 619</div><div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div> 620<script type="text/javascript"><!--//--><![CDATA[//><!-- 621var comments_shortname = 'httpd'; 622var comments_identifier = 'http://httpd.apache.org/docs/2.2/suexec.html'; 623(function(w, d) { 624 if (w.location.hostname.toLowerCase() == "httpd.apache.org") { 625 d.write('<div id="comments_thread"><\/div>'); 626 var s = d.createElement('script'); 627 s.type = 'text/javascript'; 628 s.async = true; 629 s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier; 630 (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s); 631 } 632 else { 633 d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>'); 634 } 635})(window, document); 636//--><!]]></script></div><div id="footer"> 637<p class="apache">Copyright 2013 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> 638<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- 639if (typeof(prettyPrint) !== 'undefined') { 640 prettyPrint(); 641} 642//--><!]]></script> 643</body></html>
