
I'm trying to set up a virtualhost that uses CGI scripts that run as a particular user and group. I'm using the SuexecUserGroup directive, but that doesn't seem to work.

Basic setup. User "Bob" has some CGI scripts that work correctly in his cgi-bin directory. So for this URL:

http://myhost.com/~bob/cgi-bin/whoami.cgi

where the whoami.cgi script prints the uid, that URL works correctly and reports Bob's UID.

Bob got a domain name, bobhost.org, which my server is hosting. I set up a virtualhost like this:

```apache
<VirtualHost *:80>
    ServerName bobhost.org
    DocumentRoot /home/bob/public_html

    ScriptLog logs/bob_script_log
    TransferLog logs/bob_access_log
    ErrorLog logs/bob_error_log
    LogLevel warn suexec:debug

    SuexecUserGroup bob bob
    ScriptAlias /cgi-bin/ "/home/bob/public_html/cgi-bin/"
    <Directory "/home/bob/public_html/">
        Require all granted
        Options +ExecCGI
        AddHandler cgi-script .cgi
    </Directory>
</VirtualHost>
```

The following URL fails:

http://bobhost.org/cgi-bin/whoami.cgi

even though the whoami.cgi script is exactly the same file. The error logfile says:

[timestamp] [cgi:error] [pid] [client] End of script output before headers: whoami.cgi

There's nothing in the ScriptLog (does that directive even work?) or anyplace else that I can see.

I eventually got it to work by (1) removing the SuexecUserGroup line and (2) changing the uid:gid of all the files to apache:apache.

While I'm glad I got it to work, I feel uncomfortable with the solution. Can the SuexecUserGroup directive be made to work with virtualhosts?

  • The [`SuexecUserGroup`](https://httpd.apache.org/docs/current/mod/mod_suexec.html#suexecusergroup) directive supports usage in a VirtualHost container, but as the manual explains, suexec is quite strict in its security requirements and there are several caveats before it will work as intended: https://httpd.apache.org/docs/current/suexec.html – HBruijn Mar 24 '23 at 07:48
  • @HBruijn: thanks. I went through that list and I think I've satisfied all those requirements. Is there a way to determine what requirement, if any, I have not satisfied? Back in the old days, I remember seeing messages about "script uid doesn't match folder uid" or "incorrect permissions" in the suexec_log, but that file doesn't exist anymore. – Scott Anderson Mar 24 '23 at 17:13

1 Answer


Thanks to HBruijn, I got this to work. First, I found the key error message in /var/log/secure, namely,

Timestamp host suexec[24393]: command not in docroot (/home/bob/public_html/cgi-bin/whoami.cgi

That led to this SO post: https://stackoverflow.com/questions/19004550/apache-suexec-command-not-in-docroot and this https://wincent.com/wiki/Troubleshooting_suexec_errors

I moved the .cgi file under /var/www/ and that did the trick.
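The comment thread asks how to find out which of suexec's requirements a given script fails when the old suexec_log is gone. The checks can be replicated outside Apache. The script below is an added example (not from the question, the answer, or httpd itself): it re-implements the main checks listed in the suexec documentation against a script path, the docroot that suexec was compiled with (printed by `suexec -V` as AP_DOC_ROOT) and the target uid/gid. The function name `suexec_check` and the `SUEXEC_UID_MIN`/`SUEXEC_GID_MIN` variables are this example's own and stand in for the compile-time AP_UID_MIN/AP_GID_MIN; it relies on GNU `stat` (Linux) and does not resolve symlinks the way the real binary does.

```shell
#!/bin/sh
# Added example, not part of the original post or of Apache httpd.
# Re-creates the main pre-execution checks of suexec
# (https://httpd.apache.org/docs/current/suexec.html) so that a failing
# SuexecUserGroup setup can be diagnosed without digging through syslog.
# Requires GNU stat. SUEXEC_UID_MIN / SUEXEC_GID_MIN mirror the compile-time
# AP_UID_MIN / AP_GID_MIN (default 100) and are this example's own knobs.

# suexec_check SCRIPT DOCROOT UID GID
# Returns 0 when every check passes; otherwise prints the first failing check,
# worded like the matching suexec log line, and returns 1.
suexec_check() {
    [ $# -eq 4 ] || { echo "usage: suexec_check SCRIPT DOCROOT UID GID" >&2; return 2; }
    script=$1; docroot=${2%/}; want_uid=$3; want_gid=$4
    dir=$(dirname "$script")
    uid_min=${SUEXEC_UID_MIN:-100}
    gid_min=${SUEXEC_GID_MIN:-100}

    # 1. The script must live below the compiled-in docroot (AP_DOC_ROOT).
    #    This is the "command not in docroot" failure from the answer above.
    case "$script" in
        "$docroot"/*) ;;
        *) echo "command not in docroot ($script)" >&2; return 1 ;;
    esac

    # 2. The target user and group must be unprivileged: never 0 and not
    #    below the configured minimums.
    if [ "$want_uid" -eq 0 ] || [ "$want_uid" -lt "$uid_min" ]; then
        echo "cannot run as forbidden uid ($want_uid/$script)" >&2; return 1
    fi
    if [ "$want_gid" -eq 0 ] || [ "$want_gid" -lt "$gid_min" ]; then
        echo "cannot run as forbidden gid ($want_gid/$script)" >&2; return 1
    fi

    # 3. Both the directory and the script must exist.
    [ -d "$dir" ] || { echo "cannot stat directory: ($dir)" >&2; return 1; }
    [ -f "$script" ] || { echo "cannot stat program: ($script)" >&2; return 1; }

    # 4. Neither may be writable by group or others. In the symbolic mode
    #    string (e.g. -rwxr-xr-x) position 6 is group-write, 9 is other-write.
    case "$(stat -c '%A' "$dir")" in
        ?????w*|????????w*) echo "directory is writable by others: ($dir)" >&2; return 1 ;;
    esac
    case "$(stat -c '%A' "$script")" in
        ?????w*|????????w*) echo "file is writable by others: ($script)" >&2; return 1 ;;
    esac

    # 5. The script must not be setuid or setgid (positions 4 and 7).
    case "$(stat -c '%A' "$script")" in
        ???[sS]*|??????[sS]*) echo "file is either setuid or setgid: ($script)" >&2; return 1 ;;
    esac

    # 6. Directory and script must both be owned by the target uid and gid.
    for f in "$dir" "$script"; do
        if [ "$(stat -c '%u' "$f")" -ne "$want_uid" ] || [ "$(stat -c '%g' "$f")" -ne "$want_gid" ]; then
            echo "target uid/gid ($want_uid/$want_gid) mismatch with directory or program ($f)" >&2
            return 1
        fi
    done
    return 0
}

# When run directly with four arguments, behave as a command-line checker.
if [ $# -eq 4 ]; then
    suexec_check "$@"
fi
```

With a suexec built with AP_DOC_ROOT=/var/www, running `suexec_check /home/bob/public_html/cgi-bin/whoami.cgi /var/www 1001 1001` (1001 is a made-up uid/gid for bob) reports "command not in docroot", which is exactly the failure the answer found in /var/log/secure; after the move under /var/www the remaining checks cover the ownership and permission problems that httpd's own error log only reports as "End of script output before headers". Variables inside the function are not declared `local` because POSIX sh has no such keyword.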