Apache 2 + PHP 5 / CGI + SuEXEC

Want a very secure Apache / PHP setup?

SuEXEC runs CGI scripts under each user's own account rather than the web server's. So if a security hole is exploited through a script, it normally gives access only to that user's resources, provided your FreeBSD server is correctly chmoded.

The real drawback of SuEXEC is that you have to prefix each PHP script with an interpreter line, as with any other CGI script (remember #!/usr/bin/perl?). We'll slightly edit the SuEXEC.c code to avoid that.

SuEXEC will force you to chmod your web content correctly and securely: 700 for the scripts, 711 for the directories (755 to allow listing them). If that sounds too paranoid, or you're tired of your users' complaints, you can ask SuEXEC to ignore the permission checks (but what's the point of this method in that case? You should consider chroot instead). If you're a console guru, I've coded an autochmod script to make our lives paranoid but easier 😉
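
As an added example (not the author's autochmod script), these POSIX shell functions audit a docroot against the modes given above and reset the offenders. Treating `*.php`, `*.cgi` and `*.pl` as "the scripts", and all function names, are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the author's autochmod script.
# Assumption: "scripts" are files named *.php, *.cgi or *.pl.

# List scripts whose mode is not exactly 700 (this also catches setuid/setgid
# bits) and directories that are neither 711 nor 755.
suexec_audit() {
    find "$1" -type f \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' \) \
        ! -perm 700 -print
    find "$1" -type d ! -perm 711 ! -perm 755 -print
}

# Reset the offenders to 700 (scripts) and 711 (directories).
suexec_fix() {
    find "$1" -type f \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' \) \
        ! -perm 700 -exec chmod 700 {} +
    find "$1" -type d ! -perm 711 ! -perm 755 -exec chmod 711 {} +
}

# Constructed sample docroot: two bad scripts, one bad directory, rest compliant.
make_demo_tree() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/suexec-demo.XXXXXX") || return 1
    mkdir -p "$d/app" "$d/uploads" "$d/pub"
    printf '<?php echo 1;\n' > "$d/index.php"
    printf '<?php echo 2;\n' > "$d/app/form.php"
    printf '#!/usr/bin/perl\n' > "$d/app/ok.pl"
    chmod 755 "$d/index.php"      # readable and executable by everyone
    chmod 666 "$d/app/form.php"   # world-writable
    chmod 700 "$d/app/ok.pl"      # compliant
    chmod 711 "$d" "$d/app"       # compliant
    chmod 755 "$d/pub"            # compliant, listing allowed
    chmod 777 "$d/uploads"        # world-writable directory
    echo "$d"
}

# Usage: sh suexec-perms.sh audit|fix /path/to/docroot
case "${1:-}" in
    audit) suexec_audit "$2" ;;
    fix)   suexec_fix "$2" ;;
esac
```

Run `audit` first and review the list before running `fix`, since directories already set to 755 are left as they are.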
