Uses setuid helpers which set the user directly to the user the CGI program will run as instead of switching to root and then back to the target user. The sysadmin can control which users can run CGI scripts by controlling the installed helper binaries. Also reads a pair of text files to determine exactly what CGI scripts are allowed to run for each user. In the apache config dir, create "apache-suid" with: run:/home/* run:/var/www/* CGI programs located in other parts of the filesystem will be blocked. In the user's $HOME directory, create ".apache-suid" with: run:/home/user/www/* Both files must exist and the CGI program to be run must match a "run:" entry in BOTH files or the script will not be run. The module will run the setuid helper at: /usr/lib/apache2/suexecdir/user where "user" is the login name of the user to run as. For example, for my login name "herrin": cp suexec-user /usr/lib/apache2/suexecdir/herrin chown herrin: /usr/lib/apache2/suexecdir/herrin chmod 6511 /usr/lib/apache2/suexecdir/herrin apache-suexecuser for Debian ----------------- build with dpkg-buildpackage <possible notes regarding this package - if none, delete this file> cd c cp generators/mod_cgi.h generators/mod_cgi.c . mv mod_cgisuexecuser.c mod_cgisuexecuser.c.oldversion cp mod_cgi.c mod_cgisuexecuser.c patch -p0 < mod_cgisuexecuser.c.diff -- William Herrin <herrin@dirtside.com> Mon, 07 Jan 2013 11:15:38 -0500