The typical warning signal of a suexec problem is a request
for a CGI script that results in a ‘500 Internal Server Error’ page. The
appropriate response to such an error is to look in the server’s
error log. Unfortunately, because the wrapper is applying its own restrictions
and rules on the script, the server log may be quite unrevealing, containing
only a single line such as the following for the failed request:
[Sun Dec 26 20:02:55 1999] [error] [client n.n.n.n] Premature end of script headers: script
The real error message will be found in your suexec log
(which is located at /usr/local/web/apache/logs/suexec_log,
according to the assumptions section of this
article). The suexec error message may look like this:
[1999-12-26 20:02:55]: uid: (user/user) gid: (group/group) cmd: test.cgi
[1999-12-26 20:02:55]: command not in docroot (/home/user/public_html/test.cgi)
Here are a couple of other common suexec error messages:
directory is writable by others: (path)
target uid/gid (uid-1/gid-1) mismatch with directory (uid-2/gid-2) or program (uid-3/gid-3)
If it’s still not clear what’s going wrong, review the list of requirements
and make sure they’re all being met.
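As an added example (not part of the original article), the Python sketch below pairs each "Premature end of script headers" entry in the server error log with the reason suexec recorded for the same request. The log lines are constructed from the article's samples; the client address, the two-second matching window, and matching on the script's basename are assumptions.

```python
import re
from datetime import datetime

# Patterns follow the two log formats quoted in the article.
ERR_RE = re.compile(r"^\[(\w{3} \w{3} +\d+ [\d:]{8} \d{4})\] \[error\] \[client [^\]]+\] Premature end of script headers: (.+)$")
SUEXEC_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d [\d:]{8})\]: (.*)$")
CMD_RE = re.compile(r"^uid: \(.*?\) gid: \(.*?\) cmd: (.+)$")

def parse_suexec(lines):
    """Return (timestamp, cmd, reason) per failure; the cmd line precedes its reason."""
    failures, pending = [], None
    for line in lines:
        m = SUEXEC_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        cmd = CMD_RE.match(m.group(2))
        if cmd:
            pending = (ts, cmd.group(1))  # remember the request being checked
        else:
            name = pending[1] if pending and pending[0] == ts else None
            failures.append((ts, name, m.group(2)))
            pending = None
    return failures

def explain(error_log, suexec_log, window=2):
    """Pair each 'Premature end of script headers' entry with suexec's reason."""
    failures, report = parse_suexec(suexec_log), []
    for line in error_log:
        m = ERR_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        base = m.group(2).rsplit("/", 1)[-1]  # assumption: suexec logs the basename
        reasons = [why for t, cmd, why in failures
                   if cmd == base and abs((t - ts).total_seconds()) <= window]
        report.append((m.group(2), reasons))
    return report

# Constructed sample data modelled on the article's log excerpts.
ERROR_LOG = [
    "[Sun Dec 26 20:02:55 1999] [error] [client 192.0.2.10] Premature end of script headers: /home/user/public_html/test.cgi",
    "[Sun Dec 26 20:05:10 1999] [error] [client 192.0.2.10] File does not exist: /usr/local/web/apache/htdocs/x.html",
]
SUEXEC_LOG = [
    "[1999-12-26 20:01:00]: uid: (user/user) gid: (group/group) cmd: ok.cgi",
    "[1999-12-26 20:02:55]: uid: (user/user) gid: (group/group) cmd: test.cgi",
    "[1999-12-26 20:02:55]: command not in docroot (/home/user/public_html/test.cgi)",
]
```

An empty reason list for a script means suexec logged nothing for it, so the fault lies in the script itself rather than in a suexec restriction.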
When you suexec-enable your Apache Web server, a lot of
behaviours change:
ScriptAliased directories will be executed User and Group directives
USERDIR_SUFFIX definition, set by the --suexec-userdir option) will be executed as the owning user if ~username syntax,
If the ~username URL format is used but the
permissions/ownerships aren’t correct, the result will be a ‘500 Internal
Server Error’ page, not the script being executed by the server user as
in a non-suexec environment
~username URLs will go through the suexec
One effect of these changes is that previously-functioning user scripts may
suddenly begin to fail, giving the visitor the fatal ‘500 Internal Server
Error’ page, and giving you, the Webmaster, an unrevealing
“Premature end of script headers” message in the server
error log. This is where it becomes easy to get frustrated by simply forgetting
to check the suexec error log.
Another aspect of the use of suexec is that, if you have
virtual hosts with different User or Group values,
they cannot share ScriptAliased directories, because one of the
requirements is that the script and the directory must be owned by the user and
group suexec is being told to use. So you may have to duplicate a
lot of your cgi-bin/ stuff into per-vhost directories that
are owned and protected appropriately.
Frequently Asked Suexec Questions