Posted to users@httpd.apache.org by John Wilcox <ra...@yahoo.com> on 2003/10/05 20:38:24 UTC

[users@httpd] User/Group specification in virtual host not working with suEXEC

I've been searching through the mailing list archives
for answers to my problem, but was unable to find any
solution, as it seems that I'm doing everything
correctly, yet still running into trouble, so I'm
sorry if this has been asked before.

Anyway, I'm running Apache/1.3.20 (Unix) on a Debian
box with 2.2.19 kernel, and I'm trying to get suEXEC
to work within my virtualhost directive.  When I run
httpd -l, I get: 

suexec: enabled; valid wrapper /usr/local/apache/bin/suexec

So it looks like suexec is working, and I've even
tested it with the following .cgi:

#!/bin/sh
echo "Content-type: text/plain"
echo ""
echo "Username="`whoami`

Now, when I put this file (called showuser.cgi) into a
user directory, and point my web browser there (i.e.
http://www.domain.com/~user/showuser.cgi), I get
'Username=<user>' where <user> is the name of the user
whose directory I'm in, which means that suexec is
functioning properly.

Now, if I put this same file into one of my
virtualhost directories, I get the following output:

Username=nobody

Which I guess is expected, since in my httpd.conf
file, I have a global "User nobody" and "Group
nogroup" directive.

So I tried adding a "User john" and "Group john"
directive inside my VirtualHost listing, to override
the default user/group of nobody/nogroup, but when I
point my browser to the virtual host, as in
http://test.domain.com/showuser.cgi, I get a "500
Internal Server Error" with the corresponding message
in my log file: "[Sun Oct  5 14:32:42 2003] [error]
[client 192.168.0.2] Premature end of script headers:
/home/test/showuser.cgi"

My VirtualHost directive is as shown below:

<VirtualHost *>
        <Directory /home/test>
            Options ExecCGI
        </Directory>
        AddHandler cgi-script .cgi
        ServerAdmin john@domain.com
        ServerName test.domain.com
        User john
        Group john
        DocumentRoot /home/test
        ErrorLog logs/test.domain.com-error_log
        TransferLog logs/test.domain.com-access_log
</VirtualHost>

Now if I remove the above "User john" and "Group john"
lines, I can actually run the .cgi script, but it of
course runs as user nobody.  If I add the lines, I get
the "500 Internal Server Error".  

As far as I can tell, it's been set up correctly, but
if anyone has any suggestions of what I may be doing
wrong, please let me know, as this is driving me
absolutely crazy!  Thanks,

John Wilcox


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] User/Group specification in virtual host not working with suEXEC

Posted by John Wilcox <ra...@yahoo.com>.
Thanks Joshua for the quick response, that did the
trick!  I didn't realize suexec had its own log file
(which was conveniently located in
/usr/local/apache/logs - I guess I should've looked
there first).  Sure enough, it was a problem with
docroot, since /home/test wasn't in
/usr/local/apache/htdocs.  I moved it over there and
it works perfectly now.  Thanks once again,

John


--- Joshua Slive <jo...@slive.ca> wrote:
> 
> On Sun, 5 Oct 2003, John Wilcox wrote:
> > So I tried adding a "User john" and "Group john"
> > directive inside my VirtualHost listing, to override
> > the default user/group of nobody/nogroup, but when I
> > point my browser to the virtual host, as in
> > http://test.domain.com/showuser.cgi, I get a "500
> > Internal Server Error" with the corresponding message
> > in my log file: "[Sun Oct  5 14:32:42 2003] [error]
> > [client 192.168.0.2] Premature end of script headers:
> > /home/test/showuser.cgi"
>
> Now you need to look in the suexec log file to see exactly what suexec
> policy you are violating.  Unfortunately, since you are using such an old
> version, I can't help you find the suexec log file.  In new versions, you
> can ask suexec where the log file is.
>
> In the worst-case scenario where you can't find the log, you have two
> choices: get a new version of apache and properly configure the location
> of the suexec log; or go through the suexec docs and carefully check each
> policy.  Some likely culprits include having a group-writable parent
> directory or not being in the --suexec-docroot specified when suexec was
> compiled.
> 
> Joshua.
> 


Re: [users@httpd] User/Group specification in virtual host not working with suEXEC

Posted by Joshua Slive <jo...@slive.ca>.
On Sun, 5 Oct 2003, John Wilcox wrote:
> So I tried adding a "User john" and "Group john"
> directive inside my VirtualHost listing, to override
> the default user/group of nobody/nogroup, but when I
> point my browser to the virtual host, as in
> http://test.domain.com/showuser.cgi, I get a "500
> Internal Server Error" with the corresponding message
> in my log file: "[Sun Oct  5 14:32:42 2003] [error]
> [client 192.168.0.2] Premature end of script headers:
> /home/test/showuser.cgi"

Now you need to look in the suexec log file to see exactly what suexec
policy you are violating.  Unfortunately, since you are using such an old
version, I can't help you find the suexec log file.  In new versions, you
can ask suexec where the log file is.

In the worst-case scenario where you can't find the log, you have two
choices: get a new version of apache and properly configure the location
of the suexec log; or go through the suexec docs and carefully check each
policy.  Some likely culprits include having a group-writable parent
directory or not being in the --suexec-docroot specified when suexec was
compiled.

Joshua.
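
Added example, not part of the original thread and not suexec's own code: a Python pre-flight check for the policies named above (script directory inside the compiled-in docroot, nothing group- or other-writable), plus the ownership and setuid checks from the suexec documentation. The function names, messages and temporary directory layout are constructed for illustration.

```python
import os
import stat
import tempfile


def suexec_policy_violations(script, docroot, uid, gid):
    """List the suexec-style policies (a subset) that `script` would violate."""
    problems = []
    script = os.path.realpath(script)
    docroot = os.path.realpath(docroot)
    cgi_dir = os.path.dirname(script)
    # The script's directory must lie inside --suexec-docroot.
    if os.path.commonpath([cgi_dir, docroot]) != docroot:
        problems.append("command not in docroot")
    for label, path in (("directory", cgi_dir), ("program", script)):
        st = os.stat(path)
        # Neither the directory nor the program may be group/other-writable.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{label} is writable by group or others")
        # Both must belong to the User/Group set in the VirtualHost.
        if (st.st_uid, st.st_gid) != (uid, gid):
            problems.append(f"{label} owner does not match target user/group")
    # The program must not be setuid or setgid.
    if os.stat(script).st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("program is setuid or setgid")
    return problems


def demo():
    """Constructed layout: docroot, a home dir outside it, a group-writable dir."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        owner = os.stat(root)  # assumed target user: owner of the temp tree
        docroot = os.path.join(root, "htdocs")
        os.makedirs(docroot)
        cases = (("outside", os.path.join(root, "home", "test"), 0o755),
                 ("inside", docroot, 0o755),
                 ("group_writable", os.path.join(docroot, "shared"), 0o775))
        for name, cgi_dir, mode in cases:
            os.makedirs(cgi_dir, exist_ok=True)
            os.chmod(cgi_dir, mode)
            script = os.path.join(cgi_dir, "showuser.cgi")
            with open(script, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(script, 0o755)
            results[name] = suexec_policy_violations(
                script, docroot, owner.st_uid, owner.st_gid)
    return results
```

The "outside" case corresponds to /home/test sitting outside the docroot suexec was compiled with; the suexec log remains the authoritative record of which policy was actually violated.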
