Apache的suExec可以通过切换用户来提高一些应用的安全系数

今天配置的时候出现下列错误

“Internal Server Error”

检查日志

(13)Permission denied: exec of ‘/usr/sbin/suexec’ failed

[Mon Mar 02 13:35:55 2009] [error] [client myip] Premature end of script headers: index.cgi

就跑去找官方文档:

A message saying “Internal Server Error”

If you check the Apache error log, you will probably find that it says “Premature end of script headers”, possibly along with an error message generated by your CGI program. In this case, you will want to check each of the below sections to see what might be preventing your CGI program from emitting the proper HTTP headers.

对上号了,接下来就看看suExec了。发现如下说明:

If for example, your web server is configured to run as:

User www

Group webgroup

and suexec is installed at “/usr/local/apache2/bin/suexec”, you should run:

chgrp webgroup /usr/local/apache2/bin/suexec

chmod 4750 /usr/local/apache2/bin/suexec

This will ensure that only the group Apache runs as can even execute the suEXEC wrapper.

按照其意思修改suexec的权限,问题解决。

修改httpd.conf

User www-user

Group www-group

并执行如下命令

chgrp www-group /user/sbin/suexec

chmod 4750 /usr/sbin/suexec

Refer: http://httpd.apache.org/docs/2.2/howto/cgi.html

http://httpd.apache.org/docs/2.2/suexec.html