Suexec and Apache: A Tutorial Page 7
The typical warning signal of a suexec problem is a request
for a CGI script that results in a '500 Internal Server Error' page. The
appropriate response behaviour to such an error is to look in the server's
error log. Unfortunately, because the wrapper is applying its own restrictions
and rules on the script, the server log may be quite unrevealing, containing
only a single line such as the following for the failed request:
[Sun Dec 26 20:02:55 1999] [error] [client n.n.n.n] Premature end of script headers: script
The real error message will be found in your suexec log
(which is located at /usr/local/web/apache/logs/suexec_log,
according to the assumptions section of this
article). The suexec error message may look like this:
[1999-12-26 20:02:55]: uid: (user/user) gid: (group/group) cmd: test.cgi
[1999-12-26 20:02:55]: command not in docroot (/home/user/public_html/test.cgi
Here are a couple of other common suexec error messages:
- directory is writable by others: (path)
- target uid/gid (uid-1/gid-1) mismatch with directory (uid-2/gid-2) or program (uid-3/gid-3)
If it's still not clear what's going wrong, review the list of requirements and make sure they're all being met.
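An added example, not code from the original article or from Apache: a small Python script that pairs each "Premature end of script headers" line in the server error log with the suexec_log entries written within a couple of seconds of it. The function names, the 2-second window and the sample log lines are assumptions constructed for illustration; the line formats follow the examples shown above.

```python
import re
from datetime import datetime, timedelta

# Apache error_log line for a CGI request that produced no headers.
ERR_RE = re.compile(r"^\[(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\] \[error\] "
                    r"\[client ([^\]]+)\] Premature end of script headers: (.*)$")
# suexec_log line: "[YYYY-MM-DD HH:MM:SS]: message".
SUEXEC_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]: (.*)$")

def parse_suexec(lines):
    """Return (timestamp, message) for every well-formed suexec_log line."""
    hits = (SUEXEC_RE.match(line.strip()) for line in lines)
    return [(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2))
            for m in hits if m]

def correlate(error_lines, suexec_lines, window=2):
    """Pair each 'Premature end of script headers' entry with the suexec
    messages logged within `window` seconds of it. Messages starting with
    'uid:' record the invocation; anything else is the wrapper's refusal."""
    suexec = parse_suexec(suexec_lines)
    slack = timedelta(seconds=window)
    report = []
    for line in error_lines:
        m = ERR_RE.match(line.strip())
        if not m:
            continue  # some other error, not the symptom described here
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        near = [msg for ts, msg in suexec if abs(ts - when) <= slack]
        report.append({
            "script": m.group(3),
            "client": m.group(2),
            "invoked": [s for s in near if s.startswith("uid:")],
            "reasons": [s for s in near if not s.startswith("uid:")],
        })
    return report

# Constructed sample input (192.0.2.10 is a documentation address).
ERROR_LOG = [
    "[Sun Dec 26 20:02:55 1999] [error] [client 192.0.2.10] Premature end of script headers: /home/user/public_html/test.cgi",
    "[Sun Dec 26 20:05:10 1999] [error] [client 192.0.2.10] File does not exist: /usr/local/web/apache/htdocs/x.html",
]
SUEXEC_LOG = [
    "[1999-12-26 20:02:55]: uid: (user/user) gid: (group/group) cmd: test.cgi",
    "[1999-12-26 20:02:55]: directory is writable by others: (/home/user/public_html)",
    "[1999-12-26 21:00:00]: uid: (user/user) gid: (group/group) cmd: other.cgi",
]

if __name__ == "__main__":
    for item in correlate(ERROR_LOG, SUEXEC_LOG):
        print(item["script"], "->", item["reasons"] or "no suexec refusal logged")
```

An empty "reasons" list for a request means the wrapper logged no refusal in that window.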
"Danger, Will Robinson!"
When you suexec-enable your Apache Web server, a lot of
behaviours change:
- CGI scripts in ScriptAliased directories will be executed under the identity of the username specified in the User and Group directives
- CGI scripts in user directories (as specified by the USERDIR_SUFFIX definition, set by the --suexec-userdir option) will be executed as the owning user if and only if
  - the script was requested using the ~username syntax, and
  - all of the ownership and permission requirements are met
  If the ~username URL format is used but the permissions/ownerships aren't correct, the result will be a '500 Internal Server Error' page, not the script being executed by the server user as in a non-suexec environment
- CGI scripts in all user directories accessed through ~username URLs will go through the suexec process--even those that you didn't consider or expect.
One effect of these changes is that previously-functioning user scripts may
suddenly begin to fail, giving the visitor the fatal '500 Internal Server
Error' page, and giving you, the Webmaster, an unrevealing
"Premature end of script headers" message in the server
error log. This is where it becomes easy to get frustrated by simply forgetting
to check the suexec error log.
Another aspect of the use of suexec is that, if you have
virtual hosts with different User or Group values,
they cannot share ScriptAliased directories--because one of the
requirements is that the script and the directory must be owned by the user and
group suexec is being told to use. So you may have to duplicate a
lot of your cgi-bin/ stuff into per-vhost directories that
are owned and protected appropriately.
Frequently Asked Suexec Questions
