This is surprisingly a very difficult problem to solve.

I want to allow my Linux users to login to Apache2 and have access to their own directory(ies) only. I've managed to get Linux users to authenticate to Apache2 using PAM and that works great.

However, allowing access to their own directories has proved to be a real challenge.

The way Apache2 runs as a common user prevents individual file permission use, as the logged-in user runs as the common Apache2 user.

I would prefer not to run Apache2 as root or write a module that does setuid(logged-in user), due to security concerns.

Is there a way to allow an apache2 logged in user to access a specific directory dynamically?

Thank you, Caesar.


3 Answers


What it sounds like you're looking for is Apache's suEXEC feature. As it states there:

The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.

Used properly, this feature can reduce considerably the security risks involved with allowing users to develop and run private CGI or SSI programs. However, if suEXEC is improperly configured, it can cause any number of problems and possibly create new holes in your computer's security. If you aren't familiar with managing setuid root programs and the security issues they present, we highly recommend that you not consider using suEXEC.

You can add a line like

SuexecUserGroup script_user script_user

to your Apache configs -- preferably on a per-VirtualHost basis. Then specify directories that are OK to run things in the suexec config, such as /etc/apache2/suexec/www-data. Then restart Apache and try it out.

Digital Ocean has a tutorial which may help if you're doing this on Ubuntu.

  • Would it work for regular files (i.e. non-executables)? That's really what I'm looking for. Or will suexec run as the specified user regardless whether it's an executable or not? I'll try this out! – CaesarS Dec 22 '15 at 22:45
  • I believe this only applies to CGI's that are executed. – chicks Dec 22 '15 at 22:57
  • I'm looking for the standard behavior of Linux filesystem access. 1. Login, 2. Access files according to permissions of the directories and files. – CaesarS Dec 23 '15 at 18:02

This is not really possible with Apache alone; not even mod_dav has this functionality, and it'd be exceptionally useful there.

suEXEC does not setuid to the uid that Apache authenticates (e.g., via HTTP auth); the target euid is fixed within the server or virtualhost config.

As you mentioned, you need a secure, setuid CGI which drops privileges down to the authenticated-as uid and reads your files and directories for the web application. The CGI would have to run as root and then setgid & setuid as the authenticated user, which I believe is passed to apache CGIs as the REMOTE_USER environment variable. There are many gotchas involved with changing UIDs correctly.

I would recommend using a different protocol that already supports this kind of behavior, like SFTP.

Andrew Domaszek
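The privilege-drop step this answer describes, written out as an added example (it is not code from the answer, from Apache or from suEXEC): the name in REMOTE_USER is resolved with getpwnam, uid 0 is refused, and the supplementary group list, gid and uid are changed in that order with each step checked, which is where the "gotchas" usually hide. The function names and the character set allowed in user names are my own assumptions.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Map an authenticated user name (e.g. the CGI's REMOTE_USER) to uid/gid.
 * Only a conservative character set is accepted (assumption), and any
 * account with uid 0 or gid 0 is refused so a misbehaving auth backend can
 * never make the CGI "drop" to root. */
int resolve_user(const char *name, uid_t *uid, gid_t *gid) {
    if (name == NULL || *name == '\0' || strlen(name) > 32)
        return -1;
    for (const char *p = name; *p; p++) {
        if (!((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
              (*p >= '0' && *p <= '9') || *p == '_' || *p == '-' || *p == '.'))
            return -1;
    }
    struct passwd *pw = getpwnam(name);
    if (pw == NULL || pw->pw_uid == 0 || pw->pw_gid == 0)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Permanently drop to uid/gid. Order matters: the supplementary group list
 * must be reset while still root, then the gid, then the uid (after setuid
 * the other calls would fail). Afterwards the drop is verified by checking
 * the ids and confirming that root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0)
        return -1;
    if (geteuid() == 0 && setgroups(1, &gid) != 0)   /* needs root */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    if (setuid(0) != -1 || setgid(0) != -1)          /* must be refused */
        return -1;
    return 0;
}

int main(void) {
    uid_t uid; gid_t gid;
    const char *user = getenv("REMOTE_USER");         /* set by Apache */
    if (resolve_user(user, &uid, &gid) != 0 || drop_privileges(uid, gid) != 0)
        return 1;                                     /* refuse to serve */
    printf("now running as uid %u gid %u\n", (unsigned)uid, (unsigned)gid);
    return 0;
}
```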

To put closure on this: I found the mpm_itk module, which does setuid. However, mpm_itk uses a pre-configured user id, or a regex expression. There isn't a way to specify using the authenticated user.

I've been gleaning the mpm_itk code towards writing my own module.
