Flexible Setuid CGI Execution
A common problem with CGIs is that they tend to run as the same user as the webserver itself, which is unadvisable at best and unacceptable in a multi-user situation such as exists on most Math Faculty web servers.
The Apache solution is suexec, which allows CGIs in user public_html to execute as the user. It also allows document root CGIs to run as a different user for each virtual host, subject to some stringent conditions on not using symlinks etc.
The solution installed on some local web servers is something called flexsuexec. This is part of the wwwtools-1 package on capo. Please note that this is not for use in personal home directories. For this, please see the MFCF FAQ at http://www.math.uwaterloo.ca/mfcf/faq/www_author.html#www/scripts_cgi.faq
At the time of writing, the following directives are used on www.cs to enable flexsuexec in the document root:
Action su-cgi-script /cgi-bin/flexsuexec
AddHandler su-cgi-script .php
SetEnvIf Request_URI "\.php$" INTERPRETER_PATH=/xhbin/php
AddHandler su-cgi-script .php4
SetEnvIf Request_URI "\.php4$" INTERPRETER_PATH=/xhbin/php4
The Apache Action directive is used to attach flexsuexec to the su-cgi-script handler. Then the following directives indicate that flexsuexec should be used to handle .php files and designate the interpreter program that should be used. So this also solves the problem of PHP programs requiring a #! line at the top.
Requirements for Using Flexsuexec
The following are required in order for a file to be run via Flexsuexec:
- Apache must be configured to handle the file using the su-cgi-script handler. A SetHandler or AddHandler directive in a .htaccess or other Apache configuration file can do this. Commonly encountered language file extensions such as .php should (and may already) be pre-configured in the server configuration (e.g., services108 is preconfigured, but www.student.cs is not).
- The owner of the file is the user the script is meant to run as.
- The parent directory must be owned by the same user.
- The file must be setuid and executable (chmod u+xs). In order to avoid security problems, the file should also have no “other” execute permissions (chmod o-x or just take off all “other” permissions with chmod og-rwx).
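
The ownership and mode requirements in the list above can be checked on a script before it is deployed. The following Python check is an added example, not part of flexsuexec or the wwwtools-1 package; the names audit_modes, audit_path and run_as_uid are hypothetical, and it covers only the file and directory conditions listed here, not the Apache handler configuration.

```python
import os
import stat
import sys


def audit_modes(file_st, parent_st, run_as_uid):
    """Return the listed requirements that the given stat results fail."""
    problems = []
    mode = file_st.st_mode
    # The owner of the file is the user the script is meant to run as.
    if file_st.st_uid != run_as_uid:
        problems.append("file is not owned by the intended run-as user")
    # The parent directory must be owned by the same user.
    if parent_st.st_uid != file_st.st_uid:
        problems.append("parent directory is not owned by the file's owner")
    # The file must be setuid and executable (chmod u+xs).
    if not mode & stat.S_ISUID:
        problems.append("setuid bit is not set (chmod u+s)")
    if not mode & stat.S_IXUSR:
        problems.append("owner execute bit is not set (chmod u+x)")
    # The file should have no "other" execute permission (chmod o-x).
    if mode & stat.S_IXOTH:
        problems.append("'other' execute bit is set (chmod o-x)")
    return problems


def audit_path(path, run_as_uid):
    """Stat a script and its parent directory, then apply audit_modes()."""
    full = os.path.abspath(path)
    parent = os.path.dirname(full)
    return audit_modes(os.stat(full), os.stat(parent), run_as_uid)


if __name__ == "__main__":
    # Usage: audit.py SCRIPT [UID]; UID defaults to the caller's own uid.
    if len(sys.argv) < 2:
        sys.exit("usage: audit.py SCRIPT [UID]")
    target = sys.argv[1]
    uid = int(sys.argv[2]) if len(sys.argv) > 2 else os.geteuid()
    findings = audit_path(target, uid)
    for finding in findings:
        print(f"{target}: {finding}")
    sys.exit(1 if findings else 0)
```

An empty result means the file meets the listed ownership and mode conditions; each returned string names one condition that fails and the chmod form from the list that addresses it.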