Apache2 + FastCGI + Suexec hell
It took me hours to get FastCGI and Suexec working properly. I’m so annoyed by the horrible docs available for it only.
First I tried using fcgid (which at least is DFSG-free) but wasn’t able to run moinmoin properly at all. So I gave up on that quickly.
So I ended up trying “non-free” libapache2-mod-fastcgi. Oh what a mess. Getting the non-suexec fastcgi working was easy. Now I tried to make it a bit more secure…
The “Documentation” claims that all you need to do is enable the SuExec Wrapper. So I configured a “FastCgiServer”, set -user and -group appropriately, somehow found out that I need to chown the executable and the dir containing the executable accordingly, and that the user and group need to be higher than 100 - ok. (Although group www-data would have been okay, I guess). Reloaded apache. And the fastcgi process is started and running with the right userid.
By now I was using a mini test-fastcgi, which prints getuid() - and so I could see that despite my process running as a different user, it still returned 33 (=www-data). Damn!
The reason I found out later after manually changing URIs to find the right docs etc. was that I need to enable mod_suexec, then add the SuexecUserGroup option to my vhost.
For incoming requests, FastCGI will check for a running fcgi server with the same path and the same user and group ids as the one you defined in the fastcgi config. Otherwise it will start a new dynamic server. And there is no “FastCgiUserGroup” option or something obvious to configure the user and group name for the cgi path - but you need to do that for mod_suexec.
Apache config is a PITA anyway. With its pseudo-XML syntax etc. - we really need to get rid of it sometime…
So here is a short howto for using suexec and mod_fastcgi on apache2:
- Install apache2 with suexec (should be included) and fastcgi.
- Name your FastCGI .fcgi, set up +ExecCGI and the fastcgi-script handler
- Test if your fastcgi runs as www-data user (i.e. non-suexec)
- Add a “FastCgiServer” statement to the fastcgi.conf with appropriate -user and -group statements, enable FastCgiWrapper
- chown the CGI and its parent directory to these ids, also consider setting the “immutable” flag on your cgi
- Enable mod_suexec by calling “a2enmod suexec”
- In your VHost, add a “SuExecUserGroup appruser apprgroup” statement matching the usernames you gave above.
- Restart Apache. You should now see your fcgi process running with the correct userid. Otherwise check suexec.log and the Apache error log
- Try to access a web page generated by the fastcgi, and make sure it didn’t start another fastcgi daemon…
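
The mismatch described above (a FastCgiServer started with -user/-group while the vhost has no matching SuexecUserGroup) can be caught before reloading Apache. The following checker is an added example, not part of the original post. The user, group and path names are constructed, and pairing a script with a vhost by DocumentRoot prefix is a simplifying assumption.

```python
import shlex

def parse(conf_text):
    """Collect FastCgiServer identities and each vhost's DocumentRoot/SuexecUserGroup."""
    servers, vhosts, current = {}, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):
            tag = line.lower()
            if tag.startswith("<virtualhost"):
                current = {"docroot": None, "ids": None}
            elif tag.startswith("</virtualhost"):
                vhosts.append(current)
                current = None
            continue
        words = shlex.split(line)
        name, args = words[0].lower(), words[1:]  # directive names are case-insensitive
        if name == "fastcgiserver":
            opt = lambda k: args[args.index(k) + 1] if k in args else None
            servers[args[0]] = (opt("-user"), opt("-group"))
        elif current is not None and name == "documentroot":
            current["docroot"] = args[0].rstrip("/")
        elif current is not None and name == "suexecusergroup":
            current["ids"] = (args[0], args[1])
    return servers, vhosts

def mismatches(conf_text):
    """Return (script, fastcgi_ids, vhost_ids) where the two identities differ."""
    servers, vhosts = parse(conf_text)
    return [(script, ids, vh["ids"])
            for script, ids in servers.items() for vh in vhosts
            if vh["docroot"] and script.startswith(vh["docroot"] + "/")
            and vh["ids"] != ids]

# Constructed sample config; user, group and paths are assumptions.
FASTCGI_CONF = """
FastCgiWrapper On
FastCgiServer /var/www/wiki/moin.fcgi -user wikiuser -group wikigroup
"""
VHOST_BROKEN = """
<VirtualHost *:80>
    DocumentRoot /var/www/wiki
</VirtualHost>
"""
VHOST_FIXED = VHOST_BROKEN.replace(
    "</VirtualHost>", "    SuexecUserGroup wikiuser wikigroup\n</VirtualHost>")

if __name__ == "__main__":
    print("broken:", mismatches(FASTCGI_CONF + VHOST_BROKEN))
    print("fixed: ", mismatches(FASTCGI_CONF + VHOST_FIXED))
```

A vhost identity of `None` in the result means requests for that script are not routed through suexec at all, which is the case where the test FastCGI still reported uid 33.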