The typical warning signal of a suexec problem is a request for a CGI script that results in a ‘500 Internal Server Error’ page. The appropriate response behaviour to such an error is to look in the server’s error log. Unfortunately, because the wrapper is applying its own restrictions and rules on the script, the server log may be quite unrevealing, containing only a single line such as the following for the failed request:
[Sun Dec 26 20:02:55 1999] [error] [client n.n.n.n] Premature end of script headers: script
The real error message will be found in your suexec log (which is located at /usr/local/web/apache/logs/suexec_log, according to the assumptions section of this article). The suexec error message may look like this:
[1999-12-26 20:02:55]: uid: (user/user) gid: (group/group) cmd: test.cgi
[1999-12-26 20:02:55]: command not in docroot (/home/user/public_html/test.cgi)
Here are a couple of other common suexec error messages:
- directory is writable by others: (path)
- target uid/gid (uid-1/gid-1) mismatch with directory (uid-2/gid-2) or program (uid-3/gid-3)
If it’s still not clear what’s going wrong, review the list of requirements
and make sure they’re all being met.
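The three messages quoted above can be checked for before a request ever reaches the wrapper. The following is an added example, not code from the original article or from suexec itself; the function name suexec_preflight and its parameters are hypothetical, the sample tree is constructed, and it covers only these three conditions, not the wrapper's full list of requirements.

```python
import os
import stat
import tempfile

def suexec_preflight(script, docroot, uid, gid):
    """Return the complaints (worded as in this article) that `script`
    would draw when run as uid/gid; an empty list means none of the three."""
    problems = []
    script = os.path.realpath(script)
    directory = os.path.dirname(script)
    root = os.path.realpath(docroot)
    # The script must live under the document root (or user web directory).
    if os.path.commonpath([root, script]) != root:
        problems.append(f"command not in docroot ({script})")
    dir_st = os.stat(directory)
    prg_st = os.stat(script)
    # A directory that group or others can write to lets someone else
    # replace the script, so it is refused.
    if dir_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"directory is writable by others: ({directory})")
    # The target identity must own both the directory and the program.
    target = (uid, gid)
    if (target != (dir_st.st_uid, dir_st.st_gid)
            or target != (prg_st.st_uid, prg_st.st_gid)):
        problems.append(
            f"target uid/gid ({uid}/{gid}) mismatch with directory "
            f"({dir_st.st_uid}/{dir_st.st_gid}) or program "
            f"({prg_st.st_uid}/{prg_st.st_gid})")
    return problems

def demo():
    """Constructed sample tree: one clean script, then broken two ways."""
    with tempfile.TemporaryDirectory() as top:
        web = os.path.join(top, "public_html")
        os.mkdir(web, 0o755)
        cgi = os.path.join(web, "test.cgi")
        with open(cgi, "w") as fh:
            fh.write("#!/bin/sh\necho 'Content-type: text/plain'\necho\n")
        st = os.stat(cgi)
        ok = suexec_preflight(cgi, web, st.st_uid, st.st_gid)
        os.chmod(web, 0o777)   # world-writable directory
        loose = suexec_preflight(cgi, web, st.st_uid, st.st_gid)
        os.chmod(web, 0o755)
        wrong_root = os.path.join(top, "elsewhere")  # wrong docroot, wrong uid
        other = suexec_preflight(cgi, wrong_root, st.st_uid + 1, st.st_gid)
        return ok, loose, other

if __name__ == "__main__":
    for result in demo():
        print(result or "none of the three complaints")
```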
“Danger, Will Robinson!”
When you suexec-enable your Apache Web server, a lot of behaviours change:
- CGI scripts in ScriptAliased directories will be executed under the identity of the username specified in the User and Group directives
- CGI scripts in user directories (as specified by the USERDIR_SUFFIX definition, set by the --suexec-userdir option) will be executed as the owning user if and only if
  - the script was requested using the ~username syntax, and
  - all of the ownership and permission requirements are met
  If the ~username URL format is used but the permissions/ownerships aren’t correct, the result will be a ‘500 Internal Server Error’ page, not the script being executed by the server user as in a non-suexec environment
- CGI scripts in all user directories accessed through ~username URLs will go through the suexec process–even those that you didn’t consider or expect.
One effect of these changes is that previously-functioning user scripts may suddenly begin to fail, giving the visitor the fatal ‘500 Internal Server Error’ page, and giving you, the Webmaster, an unrevealing “Premature end of script headers” message in the server error log. This is where it becomes easy to get frustrated by simply forgetting to check the suexec error log.
Another aspect of the use of suexec is that, if you have virtual hosts with different User or Group values, they cannot share ScriptAliased directories–because one of the requirements is that the script and the directory must be owned by the user and group suexec is being told to use. So you may have to duplicate a lot of your cgi-bin/ stuff into per-vhost directories that are owned and protected appropriately.
Frequently Asked Suexec Questions