Posted to users@httpd.apache.org by re...@newsguy.com on 2006/06/07 14:02:03 UTC

[users@httpd] When suexec won't log

Running Gentoo Linux -kernel 2.6.16
Apache/2.0.58

I'm getting the dread 'Premature end of script headers: index.cgi'
and another along with it saying suexec failed due to :
  Permission denied: exec of '/usr/sbin/suexec2' failed

I think I've checked all the items needed for suEXEC to work but
apparently I'm missing something vital.

All documentation on the subject suggests reading the suexec log for
guidance.   I'm not getting any logging from suexec.

Compile-time options show it should be logging at:
  -D AP_LOG_EXEC="/var/log/apache2/suexec_log"

But it isn't logging there or anywhere else under /var/log.

I do see the suexec enabled message on apache startup, in its logs.

How can I debug further with no help from suexec2?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: When suexec won't log

Posted by re...@newsguy.com.
"Joshua Slive" <jo...@slive.ca> writes:

>> -rws--x---  1 root root 10880 May 31 15:09 /usr/sbin/suexec2
>
> Obviously the apache user can't execute that.  You need global execute
> permissions.

now  -rws--x--x  1 root root 10880 May 31 15:09 /usr/sbin/suexec2

Thanks... and now working.

I searched thru the apache documentation for quite a while prior to
posting, looking for an example of suexec permissions but came up dry.





Re: [users@httpd] Re: When suexec won't log

Posted by Joshua Slive <jo...@slive.ca>.
On 6/7/06, reader@newsguy.com <re...@newsguy.com> wrote:
> "Joshua Slive" <jo...@slive.ca> writes:
>
> > Check the group ownership.  If the apache user is in the group that
> > owns suexec, then group execute permissions are enough.
>
>  Ahh yes it was set `root apache' but when I do that on my home setup
>  then I can execute cgi in public_html as user but as my program tries
>  to access other files it fails.
>
> That is:
> -rwx--x---  1 root apache 10880 May 31 15:09 /usr/sbin/suexec2
>
>  I can execute cgi but later on in the running program I get errors
>  like this:
>
> Exception 435: unable to open image `image-cache/Sample Album/Orange
>  Flower_disp100.jpg': Permission denied at /idsShared.pm line 696.
>
> But with:
>  -rwx--x--x  1 root root 10880 May 31 15:09 /usr/sbin/suexec2
>
> It works fine.  All that changed is the permission shown above.
>
> Does require an apache restart.

You lost the suid "s" bit somewhere along the way.  Without this,
suexec doesn't do anything.

As to your question of whether it is more secure to run with only the
group execute bit, it doesn't make much difference in the case of
suexec because the binary will exit if it isn't called by the specific
user/group registered at compile-time.

Joshua.
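
An added example, not part of the original thread or of Apache httpd: a shell check for the two conditions the replies above identify, that the httpd user can execute the suexec binary and that the binary is setuid root. The function names and the sample uid/gid values used with them are hypothetical; the wrapper assumes GNU `stat`.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not part of Apache httpd.

# suexec_mode_verdict MODE OWNER_UID FILE_GID HTTPD_UID "HTTPD_GIDS"
# MODE is octal as printed by `stat -c %a`; HTTPD_GIDS is space-separated.
suexec_mode_verdict() {
    m=$((0$1)); owner=$2; fgid=$3; huid=$4; hgids=$5

    # The kernel consults exactly one permission class:
    # owner if the uid matches, else group if any gid matches, else other.
    if [ "$huid" = "$owner" ]; then
        xbit=$((m & 0100))
    else
        xbit=$((m & 0001))
        for g in $hgids; do
            if [ "$g" = "$fgid" ]; then xbit=$((m & 0010)); fi
        done
    fi

    if [ "$xbit" -eq 0 ]; then
        # httpd logs: Permission denied: exec of '...' failed
        echo "no-exec"
    elif [ "$owner" != 0 ] || [ $((m & 04000)) -eq 0 ]; then
        # The binary starts, but runs unprivileged and cannot switch users.
        echo "no-setuid-root"
    else
        echo "ok"
    fi
}

# Wrapper for a live system (assumes GNU stat and the id utility).
# Usage: suexec_file_verdict /usr/sbin/suexec2 apache
suexec_file_verdict() {
    set -- $(stat -c '%a %u %g' "$1") "$(id -u "$2")" "$(id -G "$2")"
    suexec_mode_verdict "$1" "$2" "$3" "$4" "$5"
}
```

With root as uid/gid 0 and a constructed apache uid/gid of 81, `suexec_mode_verdict 4710 0 0 81 "81"` reports `no-exec` (the `-rws--x--- root root` listing), while `4710 0 81 81 "81"` reports `ok`.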



[users@httpd] Re: When suexec won't log

Posted by re...@newsguy.com.
"Joshua Slive" <jo...@slive.ca> writes:

> Check the group ownership.  If the apache user is in the group that
> owns suexec, then group execute permissions are enough.

 Ahh yes it was set `root apache' but when I do that on my home setup
 then I can execute cgi in public_html as user but as my program tries
 to access other files it fails.

That is:
-rwx--x---  1 root apache 10880 May 31 15:09 /usr/sbin/suexec2

 I can execute cgi but later on in the running program I get errors
 like this:

Exception 435: unable to open image `image-cache/Sample Album/Orange
 Flower_disp100.jpg': Permission denied at /idsShared.pm line 696.

But with:
  -rwx--x--x  1 root root 10880 May 31 15:09 /usr/sbin/suexec2

It works fine.  All that changed is the permission shown above.

Does require an apache restart.




[users@httpd] Re: When suexec won't log

Posted by re...@newsguy.com.
"Joshua Slive" <jo...@slive.ca> writes:

> Check the group ownership.  If the apache user is in the group that
> owns suexec, then group execute permissions are enough.
>

Ahh yes there it is:

  root apache 
So if I were to set chown root:apache on /usr/sbin/suexec I could
return it to -rws--x--

Is that more secure or is there another good reason to setup that way?




Re: [users@httpd] Re: When suexec won't log

Posted by Joshua Slive <jo...@slive.ca>.
On 6/7/06, reader@newsguy.com <re...@newsguy.com> wrote:
> "Joshua Slive" <jo...@slive.ca> writes:
>
> >> -rws--x---  1 root root 10880 May 31 15:09 /usr/sbin/suexec2
> >
> > Obviously the apache user can't execute that.  You need global execute
> > permissions.
>
> Setting that to -rws--x--x makes it all work, but isn't there another
> way?
>
> === what follows is not more of my suexec problem... that was solved
> with the permission change (thank you).  This is just for discussion ====
>
> Currently I'm experimenting on my home linux machine but my program is
> destined for a linux server where I don't own root.
>
> Checking the permissions on that suexec I see:
>
>  -rws--x---  and I'm able to run cgi anywhere in my user
>   public_html.
>
> So that server must have something setup differently.  I've examined
> its httpd.conf but see no significant difference from mine.
> Not sure what else to look at.  It has an /etc/apache2/apache2.conf
> file in there as well, and I didn't see anything that stood out as
> suexec related in it either. I can examine conf files but not
> change them on that server.
>
> Also on gentoo suexec gets installed with -rws--x---
> and suexec is enabled in apache install.  But as you've seen it wasn't
> working that way.

Check the group ownership.  If the apache user is in the group that
owns suexec, then group execute permissions are enough.

Joshua.



[users@httpd] Re: When suexec won't log

Posted by re...@newsguy.com.
"Joshua Slive" <jo...@slive.ca> writes:

>> -rws--x---  1 root root 10880 May 31 15:09 /usr/sbin/suexec2
>
> Obviously the apache user can't execute that.  You need global execute
> permissions.

Setting that to -rws--x--x makes it all work, but isn't there another
way?

=== what follows is not more of my suexec problem... that was solved
with the permission change (thank you).  This is just for discussion ====

Currently I'm experimenting on my home linux machine but my program is
destined for a linux server where I don't own root.

Checking the permissions on that suexec I see:

 -rws--x---  and I'm able to run cgi anywhere in my user
  public_html.

So that server must have something setup differently.  I've examined
its httpd.conf but see no significant difference from mine.
Not sure what else to look at.  It has an /etc/apache2/apache2.conf
file in there as well, and I didn't see anything that stood out as
suexec related in it either. I can examine conf files but not
change them on that server.

Also on gentoo suexec gets installed with -rws--x---
and suexec is enabled in apache install.  But as you've seen it wasn't
working that way.




Re: [users@httpd] Re: When suexec won't log

Posted by Joshua Slive <jo...@slive.ca>.
On 6/7/06, reader@newsguy.com <re...@newsguy.com> wrote:
> "Joshua Slive" <jo...@slive.ca> writes:
>
> > It is not the logging that is failing but the launch of suexec.  What
> > are the permissions on suexec2 and what user is apache being launched
> > as?  Are you running SELinux or something similar?
>
> -rws--x---  1 root root 10880 May 31 15:09 /usr/sbin/suexec2

Obviously the apache user can't execute that.  You need global execute
permissions.

Joshua.



[users@httpd] Re: When suexec won't log

Posted by re...@newsguy.com.
"Joshua Slive" <jo...@slive.ca> writes:

> It is not the logging that is failing but the launch of suexec.  What
> are the permissions on suexec2 and what user is apache being launched
> as?  Are you running SELinux or something similar?

-rws--x---  1 root root 10880 May 31 15:09 /usr/sbin/suexec2
The call was made like:
  http://reader.local.lan/~reader
  So user reader is calling it.

Apache runs as user apache

> Some extra info on the config can be obtained from httpd -V and suexec
> -V (run as root).

I get nothing from httpd -V and my system doesn't know about it.

 apache2ctl -V
Server version: Apache/2.0.58
Server built:   May 31 2006 15:02:30
Server's Module Magic Number: 20020903:12
Server loaded:  APR 0.9.12, APR-UTIL 0.9.12
Compiled using: APR 0.9.12, APR-UTIL 0.9.12
Architecture:   32-bit
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT="/usr"
 -D SUEXEC_BIN="/usr/sbin/suexec2"
 -D DEFAULT_PIDLOG="/var/run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="/var/run/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
 -D SERVER_CONFIG_FILE="/etc/apache2/httpd.conf"
==============================================
 # suexec2 -V
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/apache2/suexec_log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_SUEXEC_UMASK=077
 -D AP_UID_MIN=1000
 -D AP_USERDIR_SUFFIX="public_html"




Re: [users@httpd] When suexec won't log

Posted by Joshua Slive <jo...@slive.ca>.
On 6/7/06, reader@newsguy.com <re...@newsguy.com> wrote:
> Running Gentoo Linux -kernel 2.6.16
> Apache/2.0.58
>
> I'm getting the dread 'Premature end of script headers: index.cgi'
> and another along with it saying suexec failed due to :
>   Permission denied: exec of '/usr/sbin/suexec2' failed
>
> I think I've checked all the items needed for suEXEC to work but
> apparently I'm missing something vital.
>
> All documentation on the subject suggests reading the suexec log for
> guidance.   I'm not getting any logging from suexec.
>
> Compile-time options show it should be logging at:
>   -D AP_LOG_EXEC="/var/log/apache2/suexec_log"
>
> But it isn't logging there or anywhere else under /var/log.
>
> I do see the suexec enabled message on apache startup, in its logs.
>
> How can I debug further with no help from suexec2?

It is not the logging that is failing but the launch of suexec.  What
are the permissions on suexec2 and what user is apache being launched
as?  Are you running SELinux or something similar?

Some extra info on the config can be obtained from httpd -V and suexec
-V (run as root).

Joshua.
