Execwrap

Overview

ExecWrap is a super-user exec wrapper for the lighttpd web-server, but it can be used in
any environment as long as arguments can be passed from the server to its children via the
environment.

ExecWrap is released under the BSD license, which may be found in the source file.

(quoted from http://cyanite.org/execwrap/)

spawn-fcgi

While execwrap might sometimes look easier to set up, you really should look into spawn-fcgi if you want to run your FastCGI backends as different users.

Homepage

You can find the upstream source at http://cyanite.org/execwrap/ or clone it with git:
git clone git://cyanite.org/execwrap
(site has been down for a very long time now)

I work on a branch with pam support (for ulimits): http://cgit.stbuehler.de/gitosis/execwrap/

git clone git://stbuehler.de/execwrap.git
cd execwrap
git checkout -b stbuehler origin/stbuehler

Please note that I will sometimes rebase my branch, so you may need to force updates with git pull -f.

Why?

If your webserver spawns CGI or FastCGI scripts, it will spawn them with its own userid. That means they can only access files readable by your webserver user, and newly created files will be owned by the webserver user.

And if someone hacks your cgi/fastcgi, he can access all the other files, as the webserver user needs to be able to read them all. (Think of your database passwords in config.php files…)

The solution is to run your scripts with your normal user account – but the webserver cannot just change that; it needs a “suid” wrapper: a root-owned binary with the setuid bit set, so it starts as root and can then switch to the destination user.

But this binary must be careful, or every user could run everything under another userid.

Configuration

The compile and run-time options are explained in the README and on the homepage.

My config

# /usr/sbin/execwrap -V
ExecWrap v0.5   Copyright (c) 2008, Sune Foldager.
Compile-time configuration:
PARENT_UID         : 33
TARGET_MIN_UID     : 10000
TARGET_MIN_GID     : 10000
TARGET_PATH_PREFIX : /srv/www/
DEFAULT_UID        : 65534
DEFAULT_GID        : 65534

REQUIRE_PWENT      : 0
ALLOW_CHECKGID     : 1
# ls -l /usr/sbin/execwrap
-rwsr-x--- 1 root www-data 8760 2008-07-08 00:13 /usr/sbin/execwrap

(www-data is the user and group name of my webserver, and 33 is its uid (and gid); that should be the default on every Debian-based system)

You can find this binary as a Debian package for i386 and amd64 in my Debian repository: http://debian.stbuehler.de/

Users

I think it is a good idea to have extra “web” users for this, so you don’t confuse them with your normal accounts; I keep them separated by their uid: all web users have a uid of at least 10000 and a gid of at least 10000. On my system they often share their primary group.

And I keep their home directories below /srv/www for the execwrap target protection.

mkdir -p /srv/www/users/
addgroup --gid 10000 www-default
adduser --home /srv/www/users/www-default --firstuid 10000 --gid 10000 www-default

Example start scripts

As execwrap checks if the target uid matches the owner of the target script (or the gid matches the group), you cannot have /usr/bin/php5-cgi as target; you need a wrapper script.

/srv/www/fcgi-bin/php5: (See Lighttpd for an example using this wrapper)

#!/bin/sh
exec /usr/bin/php5-cgi
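
The checks this page relies on (caller is the webserver, target uid/gid above the minimum, script below the path prefix, script owned by the target user or group) can be sketched as below. This is an added example, not execwrap's source: the function names, the order of the checks and the ".." rejection are assumptions, and the constants are the ones from the `execwrap -V` output above.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Values taken from the `execwrap -V` output on this page. */
#define PARENT_UID         33
#define TARGET_MIN_UID     10000
#define TARGET_MIN_GID     10000
#define TARGET_PATH_PREFIX "/srv/www/"
#define ALLOW_CHECKGID     1

enum verdict { ALLOW, DENY_CALLER, DENY_UID, DENY_GID, DENY_PATH, DENY_OWNER, DENY_STAT };

/* 1 if any path component is exactly "..", which would defeat a prefix check. */
static int has_dotdot(const char *p)
{
    while (*p) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') return 1;
        p += n;
        if (*p == '/') p++;
    }
    return 0;
}

/* Policy decision on values the wrapper has already collected. */
enum verdict policy_check(uid_t caller, uid_t uid, gid_t gid, const char *path,
                          uid_t file_uid, gid_t file_gid)
{
    if (caller != PARENT_UID) return DENY_CALLER;  /* only the webserver may ask */
    if (uid < TARGET_MIN_UID) return DENY_UID;     /* never root or system accounts */
    if (gid < TARGET_MIN_GID) return DENY_GID;
    if (strncmp(path, TARGET_PATH_PREFIX, strlen(TARGET_PATH_PREFIX)) != 0 || has_dotdot(path))
        return DENY_PATH;                          /* script must live below the prefix */
    if (file_uid == uid) return ALLOW;             /* target user owns the script */
    if (ALLOW_CHECKGID && file_gid == gid) return ALLOW;
    return DENY_OWNER;                             /* e.g. a root-owned file below the prefix */
}

/* Hypothetical front end: read the script's owner with stat(2), then decide. */
enum verdict check_script(uid_t caller, uid_t uid, gid_t gid, const char *script)
{
    struct stat st;
    if (stat(script, &st) != 0 || !S_ISREG(st.st_mode)) return DENY_STAT;
    return policy_check(caller, uid, gid, script, st.st_uid, st.st_gid);
}

/* Constructed case: root-owned script below the prefix, target 10000:10000. */
int main(void) { return policy_check(33, 10000, 10000, "/srv/www/fcgi-bin/php5", 0, 0) != DENY_OWNER; }
```

The path test here is purely lexical and stat(2) follows symlinks, so a real wrapper also has to consider symlinks and the gap between checking the file and executing it.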

Generated using nanoc and bootstrap - Last content change: 2011-08-28 09:58