Suexec and Apache: A Tutorial Page 7

The typical warning sign of a suexec problem is a request
for a CGI script that results in a ‘500 Internal Server Error’ page. The
appropriate response to such an error is to look in the server’s
error log. Unfortunately, because the wrapper applies its own restrictions
and rules to the script, the server log may be quite unrevealing, containing
only a single line such as the following for the failed request:

    [Sun Dec 26 20:02:55 1999] [error] [client n.n.n.n] Premature end of script headers: script

The real error message will be found in your suexec log
(which is located at /usr/local/web/apache/logs/suexec_log,
according to the assumptions section of this
article). The suexec error message may look like this:

    [1999-12-26 20:02:55]: uid: (user/user) gid: (group/group) cmd: test.cgi
    [1999-12-26 20:02:55]: command not in docroot (/home/user/public_html/test.cgi)

Here are a couple of other common suexec error messages:

  • directory is writable by others: (path)
  • target uid/gid (uid-1/gid-1) mismatch with directory
    (uid-2/gid-2) or program (uid-3/gid-3)

If it’s still not clear what’s going wrong, review the list of requirements
and make sure they’re all being met.
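
The checks behind the three error messages above can be run against a script before any request reaches the wrapper. The following Python function is an added example, not code from suexec or from this article; the name suexec_precheck and its parameters are assumptions, it covers only the checks named on this page, and the sample tree it builds is constructed:

```python
import os
import stat
import tempfile


def suexec_precheck(script, docroot, target_uid, target_gid):
    """Return suexec-style complaints for a CGI script (empty list = passes)."""
    problems = []
    script = os.path.realpath(script)
    docroot = os.path.realpath(docroot)
    directory = os.path.dirname(script)

    # The script's directory must sit inside the document root.
    if os.path.commonpath([directory, docroot]) != docroot:
        problems.append(f"command not in docroot ({script})")

    dir_info = os.stat(directory)
    prg_info = os.stat(script)

    # The log message says "others"; group write is also flagged here,
    # as an assumption that keeps the check on the strict side.
    if dir_info.st_mode & (stat.S_IWOTH | stat.S_IWGRP):
        problems.append(f"directory is writable by others: ({directory})")

    # Directory and program must both be owned by the target user and group.
    target = (target_uid, target_gid)
    dir_owner = (dir_info.st_uid, dir_info.st_gid)
    prg_owner = (prg_info.st_uid, prg_info.st_gid)
    if dir_owner != target or prg_owner != target:
        problems.append(
            "target uid/gid (%d/%d) mismatch with directory (%d/%d) "
            "or program (%d/%d)" % (target + dir_owner + prg_owner)
        )
    return problems


if __name__ == "__main__":
    # Constructed sample tree: a world-writable public_html holding test.cgi.
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "public_html")
        os.mkdir(docroot)
        script = os.path.join(docroot, "test.cgi")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho 'Content-type: text/plain'\necho\n")
        os.chmod(docroot, 0o757)
        info = os.stat(script)
        for line in suexec_precheck(script, docroot, info.st_uid, info.st_gid):
            print(line)
```

An empty result only means these three checks pass; the full list of requirements still applies.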

“Danger, Will Robinson!”

When you suexec-enable your Apache Web server, a lot of
behaviours change:

  • CGI scripts in ScriptAliased directories will be executed
    under the identity of the username specified in the User and
    Group directives
  • CGI scripts in user directories (as specified by the
    USERDIR_SUFFIX definition, set by the
    --suexec-userdir option) will be executed as the owning user if
    and only if

    1. the script was requested using the ~username syntax, and
    2. all of the ownership and permission requirements are met.

    If the ~username URL format is used but the
    permissions/ownerships aren’t correct, the result will be a ‘500 Internal
    Server Error’ page, not the script being executed by the server user as
    in a non-suexec environment.

  • CGI scripts in all user directories accessed through
    ~username URLs will go through the suexec
    process, even those that you didn’t consider or expect.

One effect of these changes is that previously functioning user scripts may
suddenly begin to fail, giving the visitor the fatal ‘500 Internal Server
Error’ page, and giving you, the Webmaster, an unrevealing
“Premature end of script headers” message in the server
error log. This is where it becomes easy to get frustrated by simply forgetting
to check the suexec error log.

Another aspect of the use of suexec is that, if you have
virtual hosts with different User or Group values,
they cannot share ScriptAliased directories, because one of the
requirements is that the script and the directory must be owned by the user and
group suexec is being told to use. So you may have to duplicate a
lot of your cgi-bin/ stuff into per-vhost directories that
are owned and protected appropriately.

Frequently Asked Suexec Questions
