It took me hours to get FastCGI and Suexec working properly. I’m so annoyed by the horrible docs available for it only.

First I tried using fcgid (which at least is DFSG-free) but wasn’t able to run moinmoin properly at all. So I gave up on that quickly.

So I ended up trying “non-free” libapache2-mod-fastcgi. Oh what a mess. Getting the non-suexec fastcgi working was easy. Now I tried to make it a bit more secure…

The “Documentation” claims that all you need to do is enable the SuExec Wrapper. So I configured a “FastCgiServer”, set -user and -group appropriately, somehow found out that I need to chown the executable and the dir containing the executable accordingly, and that the user and group need to be higher than 100 - ok. (Although group www-data would have been okay, I guess). Reloaded apache. And the fastcgi process is started and running with the right userid.

By now I was using a mini test-fastcgi, which prints getuid() - and so I could see that despite my process running as a different user, it still returned 33 (=www-data). Damn!

The reason, I found out later after manually changing URIs to find the right docs etc., was that I need to enable mod_suexec, then add the SuexecUserGroup option to my vhost.

For incoming requests, FastCGI will check for a running fcgi server with the same path and the same user and group ids as the one you defined in the fastcgi config. Otherwise it will start a new dynamic server. And there is no “FastCgiUserGroup” option or something obvious to configure the user and group name for the cgi path - but you need to do that for mod_suexec.

Apache config is a PITA anyway. With its pseudo-XML syntax etc. - we really need to get rid of it sometime…

So here is a short howto for using suexec and mod_fastcgi on apache2:

  • Install apache2 with suexec (should be included) and fastcgi.
  • Name your FastCGI .fcgi, set up +ExecCGI and the fastcgi-script handler
  • Test if your fastcgi runs as www-data user (i.e. non-suexec)
  • Add a “FastCgiServer” statement to the fastcgi.conf with appropriate -user and -group statements, enable FastCgiWrapper
  • chown the CGI and its parent directory to these ids, also consider setting the “immutable” flag on your cgi
  • Enable mod_suexec by calling “a2enmod suexec”
  • In your VHost, add a “SuexecUserGroup appruser apprgroup” statement matching the usernames you gave above.
  • Restart apache. You should now see your fcgi process running with the correct userid. Otherwise check suexec.log and the apache error log
  • Try to access a web page generated by the fastcgi, and make sure it didn’t start another fastcgi daemon…
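
The failure described above (the FastCgiServer ids and the vhost's SuexecUserGroup not lining up) can be caught before a reload. The following is an added example, not code from the original post: a small Python check over a constructed sample config. The paths and the account names `appuser`/`appgroup` are placeholders, and as a simplification it treats every SuexecUserGroup in the file as applying to every FastCgiServer instead of tracking vhosts.

```python
import shlex

# Constructed sample config; paths and account names are placeholders.
SAMPLE_CONF = """
FastCgiWrapper On
FastCgiServer /srv/app/cgi-bin/app.fcgi -user appuser -group appgroup
<VirtualHost *:80>
    SuexecUserGroup appuser appgroup
    <Directory /srv/app/cgi-bin>
        Options +ExecCGI
        AddHandler fastcgi-script .fcgi
    </Directory>
</VirtualHost>
"""

def directives(conf):
    """Yield (lowercased name, args) for each directive line, skipping sections."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = shlex.split(line)
            yield name.lower(), args

def opt(args, flag):
    """Value following a FastCgiServer option such as -user, or None."""
    return args[args.index(flag) + 1] if flag in args[:-1] else None

def check(conf):
    """Return problems in the suexec/FastCGI identity setup (empty list = consistent)."""
    wrapper_on, servers, suexec_ids = False, [], set()
    for name, args in directives(conf):
        if name == "fastcgiwrapper":
            wrapper_on = bool(args) and args[0].lower() != "off"
        elif name == "fastcgiserver" and args:
            servers.append((args[0], opt(args, "-user"), opt(args, "-group")))
        elif name == "suexecusergroup" and len(args) == 2:
            suexec_ids.add(tuple(args))
    problems = []
    if not wrapper_on:
        problems.append("FastCgiWrapper is not enabled")
    for path, user, group in servers:
        if user is None or group is None:
            problems.append(f"{path}: FastCgiServer lacks -user/-group")
        elif (user, group) not in suexec_ids:
            problems.append(f"{path}: no SuexecUserGroup {user} {group}")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE_CONF) or "consistent")
```

An empty result only means the config is self-consistent; file ownership and the running process's uid still need the checks from the list above.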