SuExecWrapper doesn't really enforce file permission checks...

Discussion in 'HOWTO-Related Questions' started by sbrattla, Apr 13, 2010.

  1. sbrattla

    sbrattla New Member

    suEXEC documentation - thougths appreciated!


    I've set up Apache2 with PHP5 + suEXEC as outlined in Everything works fine.

    However, I've run across a curious little thing in the suEXEC documentation which I am a little uncertain as to how i should read. According to the suEXEC documentation (, the suEXEC wrapper should perform 20 different checks in order to determine wether a script should be run or not. Two of these checks are:

    #16. Is the target CGI/SSI program NOT writable by anyone else?
    #18. Is the target user/group the same as the program's user group.

    What I am uncertain about, is wether "CGI/SSI" in #16 is the PHP5 parser itself (or in the case of the HowToForge tutorial - the wrapper script), or the php file itself to be run. Would anyone happen to know that?

    Furthermore, i am uncertain about #18 and what "the program" is? Are we still talking about the "CGI/SSI" program?

    It would be great to hear any thoughts on this!
    Last edited: Apr 14, 2010
  2. sbrattla

    sbrattla New Member extra thought on the posting above.

    An extra comment on the above posting. Would it make sense for the suEXEC wrapper to care about the permissions on the actual script (say 'index.php') at all? After all, isn't the suEXEC wrapper just calling some external program (like the PHP-parser) with one or more arguments - and one of those arguments being the PHP-script to execute?

    If this assumption is correct, would that mean that the only thing suEXEC really cares about is the external program (like the PHP-parser), and not the PHP-script itself (like an 'index.php')? This would in consequence mean that suEXEC does not check permissions or ownerships on the php-scripts, but only on the PHP-parser?
    Last edited: Apr 14, 2010
  3. falko

    falko Super Moderator ISPConfig Developer

    It's the PHP script.

    Again, this is the PHP script. :)
  4. sbrattla

    sbrattla New Member

    suEXEC does not enfore those checks...


    Thank you for your reply. That is a bit strange, because regardless of ownership and permissions on my PHP scripts - suEXEC still executes them. I've verified that suEXEC runs as the user set through the SuexecUserGroup directive.

    Any ideas about what that might be caused by?

Share This Page