diff --git a/roles/distgit/files/gitolite-suexec-wrapper.sh b/roles/distgit/files/suexec-gitolite.sh
similarity index 100%
rename from roles/distgit/files/gitolite-suexec-wrapper.sh
rename to roles/distgit/files/suexec-gitolite.sh
diff --git a/roles/distgit/files/suexec-upload.sh b/roles/distgit/files/suexec-upload.sh
new file mode 100644
index 0000000000..11cbc8ea4e
--- /dev/null
+++ b/roles/distgit/files/suexec-upload.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec sudo -E -u apache /var/lib/dist-git/web/upload.cgi
diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index 2beb3ef38c..cfcdd3af80 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -37,12 +37,16 @@
   tags:
   - distgit
 
-- name: Install suexec wrapper
+- name: Install suexec wrappers
   copy:
-    src=gitolite-suexec-wrapper.sh
-    dest=/var/www/bin/gitolite-suexec-wrapper.sh
+    src=suexec-{{item}}.sh
+    dest=/var/www/bin/suexec-{{item}}.sh
     owner=pagure
     group=packager
+    mode=0755
+  with_items:
+  - gitolite
+  - upload
   tags:
   - distgit
 
diff --git a/roles/distgit/templates/lookaside-upload.conf b/roles/distgit/templates/lookaside-upload.conf
index 716a166d16..bf4583c122 100644
--- a/roles/distgit/templates/lookaside-upload.conf
+++ b/roles/distgit/templates/lookaside-upload.conf
@@ -45,7 +45,7 @@ Alias /robots.txt /var/www/robots-src.txt
 
 <VirtualHost _default_:443>
     # This alias must come before the /repo/ one to avoid being overridden.
-    ScriptAlias /repo/pkgs/upload.cgi /var/lib/dist-git/web/upload.cgi
+    ScriptAlias /repo/pkgs/upload.cgi /var/www/bin/suexec-upload.sh
 
     Alias /repo/ /srv/cache/lookaside/
     ServerName pkgs{{ env_suffix }}.fedoraproject.org