Apache suEXEC support for PHP scripts without FastCGI

The suEXEC feature lets Apache run CGI programs under user IDs different from the web server's user ID. Normally, a CGI program runs as the same user that runs the web server. In most configurations PHP scripts are handled by mod_php, which runs inside the Apache process and so cannot use suEXEC. After switching to php-cgi, PHP scripts run as CGI programs and suEXEC can be used.

Configure Apache

First, install the php5-cgi package:

# aptitude install php5-cgi

Now reconfigure Apache. Disable the php3/4/5 Apache modules (you may also purge those packages):

# rm /etc/apache2/mods-enabled/php3.*
# rm /etc/apache2/mods-enabled/php4.*
# rm /etc/apache2/mods-enabled/php5.*

Enable the suexec module:

# ln -s /etc/apache2/mods-available/suexec.load /etc/apache2/mods-enabled/suexec.load

Add a CGI handler for .php (and .php5, .php4, .php3 if you like) and allow execution of CGI scripts in /etc/apache2/sites-available/default:

AddHandler cgi-script .php

<Directory /var/www/>
    # Add ExecCGI to the Options you currently have.
    Options ExecCGI
</Directory>

Finally, reload Apache:

# invoke-rc.d apache2 reload

Test suEXEC

Create test.php:

#!/usr/bin/php5-cgi
<?php
    system('id -a');
?>

Set the ownership and permissions of test.php (chown the script to the user and chmod it to 0755):

# chown kb:kb test.php
# chmod 0755 test.php

Request the page with any HTTP client to test suEXEC:

$ curl http://localhost/~kb/test.php

You should get your user ID:

uid=1000(kb) gid=1000(kb) groups=100(users)
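
suEXEC refuses to run a script that fails its ownership and permission checks, which is why the chown and chmod steps above matter. The following pre-flight check is an added example, not part of the original post: suexec_precheck is a hypothetical helper name, GNU stat (as on Debian) is assumed, and it covers only a subset of suEXEC's checks (not a symlink, owner, write bits, setuid/setgid, execute bit).

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat, as on Debian.
# suexec_precheck is a hypothetical helper, not an Apache tool.

# True if group or others can write to path $1 (unreadable counts as unsafe).
writable_by_others() {
    m=$(stat -c '%a' "$1") || return 0
    [ $(( 0$m & 022 )) -ne 0 ]
}

# suexec_precheck SCRIPT USER
# Prints one FAIL line per failed check; returns 0 only if all checks pass.
suexec_precheck() {
    script=$1; user=$2; rc=0
    # suEXEC requires the program to exist and not be a symlink.
    if [ -L "$script" ] || [ ! -f "$script" ]; then
        echo "FAIL: $script is missing, a symlink, or not a regular file"
        return 1
    fi
    owner=$(stat -c '%U' "$script")
    mode=$(stat -c '%a' "$script")
    if [ "$owner" != "$user" ]; then
        echo "FAIL: owner is $owner, expected $user (fix with chown)"; rc=1
    fi
    if writable_by_others "$script"; then
        echo "FAIL: mode $mode lets group or others write the script"; rc=1
    fi
    if [ -u "$script" ] || [ -g "$script" ]; then
        echo "FAIL: script is setuid or setgid"; rc=1
    fi
    if [ $(( 0$mode & 0100 )) -eq 0 ]; then
        echo "FAIL: owner execute bit is not set"; rc=1
    fi
    dir=$(dirname "$script")
    if writable_by_others "$dir"; then
        echo "FAIL: directory $dir is writable by group or others"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $script (owner $owner, mode $mode)"; fi
    return "$rc"
}

# Stand-alone use: sh precheck.sh test.php kb
if [ "$#" -eq 2 ]; then suexec_precheck "$1" "$2"; fi
```

When a check fails, Apache returns an error for the request and the reason is recorded in the suEXEC log.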
