Apache Modules mod fcgid plus mod suexec

From Gentoo Linux Wiki

Jump to: navigation, search

Apache2 Series

Main

Installing Apache 2

Modules

mod_ssl (for encrypted https)
mod_php (PHP Support)
mod_ftpd (FTP Support)
mod_perl (Perl Support)
mod_python (Python Support)
mod_jk (JSP & Servlet Support)
mod_security (intrusion detection)
mod_vhost_alias (Dynamic virtual hosting)
mod_deflate (deflate compression)
mod_fcgid and mod_suexec (Secure execution of external applications that support fastcgi)

Addons & Tunnels

Ruby on Rails

Tips

Using cacert.org SSL certificates with Apache

Configuring

Other

edit

[edit] Introduction

mod_fcgid is a fairly new apache module designed to surpass its quasi-predecessor, mod_fastcgi, in all ways possible. It is designed to maintain binary compatibility to the former, though. As the name already suggests, mod_fastcgi allows for the execution of CGI-scripts whose interpreters expose FastCGI-capabilities, e. g. PHP.

mod_suexec is an Apache module providing the webserver with the ability to change its effective UID and GID while executing dynamic code to generate webpages. In a shared hosting environment, it's possible to have a number of users to be hosted on one instance of Apache (running as a user dedicated to the webserver alone), whilst scripts are run as the actual owner of the script. This greatly simplifies permission management on such setups, and adds to general security of such an installation (as User A cannot interfere with User B's data via the webserver).

[edit] Installation

[edit] mod_suexec

Warning: Not yet finished ;)

[edit] mod_fcgid

At the time of writing of this article, mod_fcgid is yet considered somewhat experimental software, and (at least in Version 2.1) not to be found in the stable branch of Portage. So before we start off adding mod_fcgid to our already present Apache2-environment, we need to add proper keywords for its ebuild. Therefore, we need to execute the follwing command to add a line enforcing this to /etc/portage/package.keywords:

 echo 'www-apache/mod_fcgid ~x86' >> /etc/portage/package.keywords

Note: Please make sure to substitute "x86" in above to match your given architecture.

Now, the package may actually be installed by issuing:

 emerge www-apache/mod_fcgid

[edit] Configuration

After a successful merge, we're supposed to modify our initscript's configuration to actually request Apache to be loaded with mod_fastcgid enabled. To accomplish this, we need to modify /etc/conf.d/apache2 to contain " -D FCGID" in the APACHE2_OPTS-variable. The result might look something like this:

File: /etc/apache2/modules.d/20_mod_fcgid.conf

...
APACHE2_OPTS="-D PHP4 -D SSL -D DOC -D FCGID"
...

This triggers configuration macros initiated by <IfDefine FCGID>, which are used in /etc/apache2/modules.d/20_mod_fcgid.conf, which in turn ships with the fcgid-ebuild. On my exemplary setup, it looks like this:

File: /etc/apache2/modules.d/20_mod_fcgid.conf

<IfDefine FCGID>
        SharememPath /var/run/fcgid_shm
        IPCCommTimeout 45
        DefaultMaxClassProcessCount 3
        IdleTimeout 3600
        SocketPath /tmp
        <IfModule !mod_fcgid.c>
                LoadModule fcgid_module modules/mod_fcgid.so
        </IfModule>
        <IfModule mod_fcgid.c>
                AddHandler fcgid-script .fcg
        </IfModule>
        <Location /fcgid>
                SetHandler fcgid-script
                Options ExecCGI
                allow from all
        </Location>
</IfDefine>

Retrieved from "http://www.gentoo-wiki.com/Apache_Modules_mod_fcgid_plus_mod_suexec"