Score:0

Does SuexecUserGroup work with Virtualhost in Apache 2.4

za flag

I'm trying to set up a virtualhost that uses CGI scripts that run as a particular user and group. I'm using the SuexecUserGroup directive, but that doesn't seem to work.

Basic setup. User "Bob" has some CGI scripts that work correctly in his cgi-bin directory. So for this URL:

http://myhost.com/~bob/cgi-bin/whoami.cgi

where the whoami.cgi script prints the uid, that URL works correctly and reports Bob's UID.

Bob got a domain name, bobhost.org, which my server is hosting. I set up a virtualhost like this:

<VirtualHost *:80>
    ServerName bobhost.org
    DocumentRoot /home/bob/public_html

    ScriptLog logs/bob_script_log
    TransferLog logs/bob_access_log
    ErrorLog logs/bob_error_log
    LogLevel warn suexec:debug

    SuexecUserGroup bob bob
    ScriptAlias /cgi-bin/ "/home/bob/public_html/cgi-bin/"
    <Directory "/home/bob/public_html/">
        Require all granted
        Options +ExecCGI
        AddHandler cgi-script .cgi
    </Directory>
</VirtualHost>

The following URL fails:

http://bobhost.org/cgi-bin/whoami.cgi

even though the whoami.cgi script is exactly the same file. The error logfile says:

[timestamp] [cgi:error] [pid] [client] End of script output before headers: whoami.cgi

There's nothing in the ScriptLog (does that directive even work?) or anyplace else that I can see.

I eventually got it to work by (1) removing the SuexecUserGroup line and (2) changing the uid:gid of all the files to apache:apache.

While I'm glad I got it to work, I feel uncomfortable with the solution. Can the SuexecUserGroup directive be made to work with virtualhosts?

HBruijn avatar
in flag
The [`SuexecUserGroup`](https://httpd.apache.org/docs/current/mod/mod_suexec.html#suexecusergroup) directive supports usage in a VirtualHost container, but as the manual explains, suexec is quite strict in its security requirements and there are several caveats before it will work as intended: https://httpd.apache.org/docs/current/suexec.html
Scott Anderson avatar
za flag
@HBruijn: thanks. I went through that list and I think I've satisfied all those requirements. Is there a way to determine what requirement, if any, I have not satisfied? Back in the old days, I remember seeing messages about "script uid doesn't match folder uid" or "incorrect permissions" in the suexec_log, but that file doesn't exist anymore.
Score:0
za flag

Thanks to HBruijn, I got this to work. First, I found the key error message in /var/log/secure, namely,

Timestamp host suexec[24393]: command not in docroot (/home/bob/public_html/cgi-bin/whoami.cgi

That led to this SO post: https://stackoverflow.com/questions/19004550/apache-suexec-command-not-in-docroot and this: https://wincent.com/wiki/Troubleshooting_suexec_errors

I moved the .cgi file under /var/www/ and that did the trick.
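A shell pre-check, added here and not part of the thread or of Apache, that applies the same rules suexec enforces before running a CGI (script under the compiled-in document root, no group or world write bit on the directory or script, owner and group matching SuexecUserGroup, execute bit set) and names the first rule a given path fails, which answers the earlier question of how to find the unmet requirement without digging through /var/log/secure. The DOCROOT argument stands in for the AP_DOC_ROOT value that `suexec -V` prints on the real host; the demo rebuilds the question's layout in a temporary directory owned by whoever runs it, in place of bob.

```shell
#!/bin/sh
# Added pre-check, not code from the thread: applies the rules suexec enforces
# before running a CGI and prints the first one that fails. DOCROOT stands in
# for AP_DOC_ROOT as printed by `suexec -V`; USER/GROUP are SuexecUserGroup's.
# Usage: suexec_precheck DOCROOT SCRIPT USER GROUP  (0 = all rules pass)
suexec_precheck() {
    docroot=$1 script=$2 user=$3 group=$4
    # Rule 1: the command must live under the compiled-in document root.
    case "$script" in
        "$docroot"/*) ;;
        *) echo "command not in docroot ($script)"; return 1 ;;
    esac
    [ -f "$script" ] || { echo "cannot stat program ($script)"; return 2; }
    dir=$(dirname "$script")
    for p in "$dir" "$script"; do
        # ls -ld fields: 1 = mode string, 3 = owner, 4 = group (portable
        # across GNU and BSD, unlike stat's flags)
        set -- $(ls -ld "$p")
        mode=$1 owner=$3 grp=$4
        # Rule 2: no group (position 6) or world (position 9) write bit.
        case "$mode" in
            ?????w*|????????w*) echo "writable by others ($p)"; return 3 ;;
        esac
        # Rule 3: directory and script owned by the target user and group.
        if [ "$owner" != "$user" ] || [ "$grp" != "$group" ]; then
            echo "uid/gid $user/$group mismatch with $owner/$grp ($p)"; return 4
        fi
    done
    # Rule 4: the script itself must be executable.
    [ -x "$script" ] || { echo "no execute permission ($script)"; return 5; }
}

# Constructed demo: the question's layout (script under /home/bob/public_html,
# docroot /var/www) rebuilt in a temp dir and owned by whoever runs this.
demo_constructed() {
    top=$(mktemp -d)
    mkdir -p "$top/var/www/cgi-bin" "$top/home/bob/public_html/cgi-bin"
    printf '#!/bin/sh\necho "Content-Type: text/plain"\necho\nid -u\n' \
        > "$top/var/www/cgi-bin/whoami.cgi"
    cp "$top/var/www/cgi-bin/whoami.cgi" "$top/home/bob/public_html/cgi-bin/"
    chmod 755 "$top/var/www/cgi-bin" "$top/var/www/cgi-bin/whoami.cgi"
    set -- $(ls -ld "$top/var/www/cgi-bin/whoami.cgi")
    suexec_precheck "$top/var/www" "$top/home/bob/public_html/cgi-bin/whoami.cgi" "$3" "$4" \
        || echo "(expected: the failure from the question)"
    suexec_precheck "$top/var/www" "$top/var/www/cgi-bin/whoami.cgi" "$3" "$4" && echo "ok: $3/$4"
    rm -rf "$top"
}
demo_constructed
```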
