Suexec and Apache: A Tutorial Page 7

The typical warning sign of a suexec problem is a request for a CGI script that results in a '500 Internal Server Error' page. The appropriate response to such an error is to look in the server's error log. Unfortunately, because the wrapper applies its own restrictions and rules to the script, the server log may be quite unrevealing, containing only a single line such as the following for the failed request:

    [Sun Dec 26 20:02:55 1999] [error] [client n.n.n.n] Premature end of script headers: script

The real error message will be found in your suexec log (which is located at /usr/local/web/apache/logs/suexec_log, according to the assumptions section of this article). The suexec error message may look like this:

    [1999-12-26 20:02:55]: uid: (user/user) gid: (group/group) cmd: test.cgi
    [1999-12-26 20:02:55]: command not in docroot (/home/user/public_html/test.cgi)

Here are a couple of other common suexec error messages:

  • directory is writable by others: (path)
  • target uid/gid (uid-1/gid-1) mismatch with directory (uid-2/gid-2) or program (uid-3/gid-3)

If it's still not clear what's going wrong, review the list of requirements and make sure they're all being met.
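
The lookup described above (find the "Premature end of script headers" line, then read the suexec log for the same moment) can be scripted. The following is an added example, not part of the original article: it pairs each such error-log line with the suexec_log messages carrying the same timestamp. The sample log lines, client addresses, function names and the one-second matching window are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the two log formats shown above (not real logs).
ERROR_LOG = """\
[Sun Dec 26 20:02:55 1999] [error] [client 192.0.2.10] Premature end of script headers: test.cgi
[Sun Dec 26 20:05:10 1999] [error] [client 192.0.2.11] File does not exist: /home/user/public_html/missing.html
"""
SUEXEC_LOG = """\
[1999-12-26 20:02:55]: uid: (user/user) gid: (group/group) cmd: test.cgi
[1999-12-26 20:02:55]: command not in docroot (/home/user/public_html/test.cgi)
[1999-12-26 20:04:00]: uid: (user/user) gid: (group/group) cmd: ok.cgi
"""

ERR_RE = re.compile(r"^\[(\w{3} \w{3} +\d+ [\d:]{8} \d{4})\] \[error\] "
                    r"\[client (\S+)\] Premature end of script headers: (.+)$")
SUEXEC_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]: (.+)$")


def parse_suexec(text):
    """Return (timestamp, message) pairs from suexec_log text."""
    pairs = []
    for m in map(SUEXEC_RE.match, text.splitlines()):
        if m:
            pairs.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return pairs


def explain_failures(error_text, suexec_text, window=1):
    """Pair each 'Premature end of script headers' line with the suexec_log
    messages logged within `window` seconds (the 'uid:' request line is skipped)."""
    suexec = parse_suexec(suexec_text)
    slack = timedelta(seconds=window)
    report = []
    for m in map(ERR_RE.match, error_text.splitlines()):
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        reasons = [msg for ts, msg in suexec
                   if abs(ts - when) <= slack and not msg.startswith("uid:")]
        report.append({"time": when, "client": m.group(2),
                       "script": m.group(3), "reasons": reasons})
    return report


if __name__ == "__main__":
    for item in explain_failures(ERROR_LOG, SUEXEC_LOG):
        print(item["time"], item["script"], "->", item["reasons"] or "no suexec entry")
```

Matching on timestamp alone can attach the wrong suexec message on a busy server where several CGI requests fail in the same second, so treat the pairing as a pointer into the suexec log rather than a verdict.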

"Danger, Will Robinson!"

When you suexec-enable your Apache Web server, a lot of behaviours change:

  • CGI scripts in ScriptAliased directories will be executed under the identity of the username specified in the User and Group directives
  • CGI scripts in user directories (as specified by the USERDIR_SUFFIX definition, set by the --suexec-userdir option) will be executed as the owning user if and only if
    1. the script was requested using the ~username syntax, and
    2. all of the ownership and permission requirements are met
    If the ~username URL format is used but the permissions/ownerships aren't correct, the result will be a '500 Internal Server Error' page, rather than the script being executed as the server user, as it would be in a non-suexec environment.
  • CGI scripts in all user directories accessed through ~username URLs will go through the suexec process--even those that you didn't consider or expect.

One effect of these changes is that previously-functioning user scripts may suddenly begin to fail, giving the visitor the fatal '500 Internal Server Error' page, and giving you, the Webmaster, an unrevealing "Premature end of script headers" message in the server error log. This is where it becomes easy to get frustrated by simply forgetting to check the suexec error log.

Another aspect of the use of suexec is that, if you have virtual hosts with different User or Group values, they cannot share ScriptAliased directories--because one of the requirements is that the script and the directory must be owned by the user and group suexec is being told to use. So you may have to duplicate a lot of your cgi-bin/ stuff into per-vhost directories that are owned and protected appropriately.

Frequently Asked Suexec Questions

This article was originally published on Jul 12, 2000
