Provided by: gridsite-gsexec_1.7.16-1_amd64 bug

NAME

       gsexec - Switch user before executing external programs

SYNOPSIS

       gsexec [-V]

SUMMARY

       gsexec  is  used  by the Apache HTTP Server to switch to another user before executing CGI
       programs. In order to achieve this, it must run as root.  Since the HTTP  daemon  normally
       doesn't  run  as root, the gsexec executable needs the setuid bit set and must be owned by
       root. It should never be writable for any other person than root.

       gsexec is based on Apache's suexec, and  its  behaviour  is  controlled  with  the  Apache
       configuration  file directives GridSiteExecMethod and GridSiteUserGroup added to Apache by
       mod_gridsite(8) Four  execution  methods  are  supported:  nosetuid,  suexec,  X509DN  and
       directory,  and  these may be set on a per-directory basis within the Apache configuration
       file.

NOSETUID METHOD

       This is the default behaviour, but can  also  be  produced  by  giving  GridSiteExecMethod
       nosetuid

       CGI  programs  will  then  be executed without using gsexec, and will run as the Unix user
       given by the User and Group Apache directives (normally apache.apache on Red  Hat  derived
       systems.)

SUEXEC METHOD

       If  GridSiteExecMethod  suexec  is  given  for  this  virtual  host or directory, then CGI
       programs will be executed using the user and group given  by  the  GridSiteUserGroup  user
       group  directive,  which  may  also  be  set  on  a  per-directory  basis (unlike suexec's
       SuexecUserGroup which is per-server only.) The CGI program must either be owned  by  root,
       the  Apache  user  and group specified at gsexec build-time (normally apache.apache) or by
       the user and group given with the GridSiteUserGroup directive.

X509DN METHOD

       If GridSiteExecMethod X509DN is given, then the CGI program runs as a pool user, detemined
       using  lock  files in the exec mapping directory chosen as build time of gsexec.  The pool
       user is chosen according to the client's full certificate X.509 DN (ie with  any  trailing
       GSI  proxy  name  components stripped off.) Subsequent requests by the same X.509 identity
       will be mapped to the same pool user. The CGI program must either be owned  by  root,  the
       Apache  user  and  group specified at gsexec build-time (normally apache.apache) or by the
       pool user selected.

DIRECTORY METHOD

       If GridSiteExecMethod directory is given, then the CGI program runs as a pool user  chosen
       according  to the directory in which the CGI is located: all CGIs in that directory run as
       the same pool user. The CGI program must either be owned by  root,  the  Apache  user  and
       group  specified  at  gsexec  build-time  (normally  apache.apache)  or  by  the pool user
       selected.

EXECMAPDIR

       The default exec mapping directory is /var/www/execmapdir  and  this  is  fixed  when  the
       gsexec  executable  is built. The exec mapping directory and all of its lock files must be
       owned and only writable by root. To initialise the lock files, create an empty  lock  file
       for each pool user, with the pool username as the filename (eg user0001, user0002, ...) As
       the pool users are leased to X.509 identities or directories, they will become hard linked
       to lock files with the URL-encoded X.509 DN or full directory path.

       You  can  recycle pool users by removing the corresponding URL-encoded hard link.  stat(1)
       and ls(1) with option -i can be used to print the inodes of lock files  to  match  up  the
       hard links.

       However,  you  must ensure that all files and processes owned by the pool user are deleted
       before recycling!

OPTIONS

       -V     If you are root, this option displays the compile options of gsexec.  For  security
              reasons all configuration options are changeable only at compile time.

MORE INFORMATION

       For  further  information about the concepts and the security model of the original Apache
       suexec please refer to the suexec documentation:

       http://httpd.apache.org/docs-2.0/suexec.html

       For examples using the gsexec extensions, please see the GridSite gsexec page:

       http://www.gridsite.org/wiki/Gsexec

AUTHORS

       Apache project, for original suexec

       Andrew McNab <Andrew.McNab@manchester.ac.uk> for gsexec modifications.

       gsexec is part of GridSite: http://www.gridsite.org/

SEE ALSO

       httpd(8), suexec(8), mod_gridsite(8)