Apache Today: Suexec and Apache: A TutorialJul 12, 2000, 16:27 (0 Talkback[s])
(Other stories by Ken Coar)
[ Thanks to Kevin Reichard for this link. ]
"The Apache Web server, like most if not all of the others in common use today, lets you execute arbitrarily complex operations through the use of CGI scripts. These can involve database lookups, system administration functions, real-time control of machinery, online payments, or almost anything else you can think of."
"Ordinarily, all of these things occur in the context of the user running the Apache server itself (typically nobody on Linux systems). This is fine when you're using a system that is owned and used by a single entity...but what if you're an ISP with multiple companies being hosted on your system? Or an educational institution with faculty who want to be able to execute their own scripts? Either everything has to be accessible to the Apache nobody user, or you have to run multiple instances of Apache on multiple ports and IP addresses, one of each per user, with the concomitant confusion of configuration files."
"On the other hand, if the server is to be allowed to change its identity, it needs to be done in a controlled manner, so that the chance of compromising your system's security is kept to a minimum. (Remember, Apache is usually started as root and only changes to nobody later!) The suexec (pronounced 'SUE-ex-Ek') tool helps make this possible. It's found in the src/support/ directory under your Apache source tree."