suEXEC feature provides Apache users the ability to run CGI programs under user IDs different from the web server user ID. Normally, when a CGI program executes, it runs as the same user who is running the web server. In most configurations PHP scripts are handled by mod_php and cannot suEXEC. After switching to php-cgi we are able to use suEXEC.
Configure Apache
First of all install php5-cgi package:
# aptitude install php5-cgi
Now we need to reconfigure Apache. Disable php3/4/5 apache module (you may also purge those packages):
# rm /etc/apache2/mods-enabled/php3.* # rm /etc/apache2/mods-enabled/php4.* # rm /etc/apache2/mods-enabled/php5.*
Enable suexec module:
# ln -s /etc/apache2/mods-available/suexec.load /etc/apache2/mods-enabled/suexec.load
Add .php (and .php5, .php4, .php3 if you like) CGI handler and allow execution of CGI script in /etc/apache2/sites-available/default:
<directory /var/www/>
Options ExecCGI # Add this, to settings you currently have.
</directory>
Finally reload apache:
# invoke-rc.d apache2 reload
Test suEXEC
Create test.php:
Change test.php permissions (chown script to user and chmod to 0755):
# chown kb:kb test.php # chmod 0755 test.php
Get page to test suEXEC. Use any http client:
$ curl http://localhost/~kb/test.php
You should got your user id:
uid=1000(kb) gid=1000(kb) groups=100(users)
