Brian Farkas

Hi All,
For some reason, all the cgi-sys scripts on one of our servers stopped working today (internal server error / premature end of script headers), and it's got me stumped as to why...

/var/log/httpd/suexec_log shows:
error: target uid/gid (32003/32003) mismatch with directory (0/10) or program (0/0) or trusted user (0/10)


All permissions and ownership appear to be correct, and I've tried updating cpanel to see if that would fix the issue... Turning suexec off DOES fix the issue, and the scripts work fine when accessing through https. But we had suexec turned on before, and it only started acting up today. Any help you can provide is greatly appreciated.
 

Brian Farkas

Sorry, forgot to mention that... httpd.conf entries do have user/group entries... See below:

<VirtualHost IP>
ServerAlias www.DOMAIN.com DOMAIN.com
ServerAdmin [email protected]
DocumentRoot /home/USER/public_html
BytesLog domlogs/DOMAIN.com-bytes_log
User USER
Group USER
<IfModule mod_userdir.c>
UserDir disabled
UserDir enabled USER
</IfModule>
<IfModule mod_php4.c>
php_admin_value open_basedir "/home/USER/:/usr/lib/php:/usr/local/lib/php:/tmp"
</IfModule>
ServerName www.USER.com
CustomLog domlogs/USER.com combined
ScriptAlias /cgi-bin/ /home/USER/public_html/cgi-bin/
</VirtualHost>
 

adept2003

Sorry if I'm teaching gurus to suck eggs, but try working your way down the list below:

Requirements For suexec Operation

  1. suexec must be invoked with the correct number of arguments. If it isn't, it assumes someone is trying to penetrate your system by running it outside the Apache environment.
  2. The username/UID invoking suexec must be a valid user; that is, it must be listed in the /etc/passwd file. If it isn't, something's not quite right -- and when in doubt, punt.
  3. The username executing the wrapper must be the one that was compiled into it when it was built. Again, a mismatch here is interpreted as someone trying to use suexec in other than the prescribed way.
  4. The requested script must be a valid Web-space reference relative to the user's directory or the DocumentRoot; it cannot be an absolute filesystem path (i.e., it cannot start with a "/") and cannot include any up-level references (i.e., no "../" references either).
  5. The username and group under which the script is to be run must be valid, cannot be 'root', and must be above the minimum UID and GID values (set with the --suexec-uidmin and --suexec-gidmin options to the configure script, which both default to 100). In addition, the group must be a valid name, and not just a numeric GID.
  6. The wrapper must be able to change its identity to the requested username and group.
  7. The script (and obviously the directory in which it lives) must actually exist and the wrapper must be able to chdir() to the directory.
  8. If the script isn't from a ~username request, the script directory must be under the directory specified by DOC_ROOT (defined by the --suexec-docroot option to configure).
  9. The permissions on the specified script and its parent directory must not allow write access to either the group or the other categories.
  10. The script file cannot be setuid or setgid.
  11. The script and the directory must be owned by the user and group as which it is to be executed.
  12. The script must be executable by the user.
  13. suexec must be able to allocate memory in which to reproduce the environment variable list.
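
An added example, not part of the thread and not Apache or cPanel code: a Python check that tests items 9 to 12 of the list above against a script on disk and reports an ownership mismatch in the same shape as the suexec_log line quoted in the first post. The function name suexec_audit and the command-line usage are assumptions made for illustration.

```python
import os
import stat

def suexec_audit(script, target_uid, target_gid):
    """Return the list items (9-12 above) that `script` fails for the target user."""
    problems = []
    directory = os.path.dirname(os.path.abspath(script))
    # lstat: inspect the entries themselves, do not follow symlinks
    d, p = os.lstat(directory), os.lstat(script)

    # Item 9: neither the script nor its directory may be group/other writable.
    for label, st in (("directory", d), ("program", p)):
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"item 9: {label} is writable by group or other "
                            f"(mode {stat.S_IMODE(st.st_mode):04o})")

    # Item 10: the script must not be setuid or setgid.
    if p.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("item 10: program is setuid/setgid")

    # Item 11: directory and script must both be owned by the target user and
    # group. The message mirrors the "mismatch" line quoted from suexec_log.
    owner = (target_uid, target_gid)
    if (d.st_uid, d.st_gid) != owner or (p.st_uid, p.st_gid) != owner:
        problems.append(
            f"item 11: target uid/gid ({target_uid}/{target_gid}) mismatch with "
            f"directory ({d.st_uid}/{d.st_gid}) or program ({p.st_uid}/{p.st_gid})")

    # Item 12: the script must be executable by its owner.
    if not p.st_mode & stat.S_IXUSR:
        problems.append("item 12: program is not executable by the user")
    return problems

if __name__ == "__main__":
    import sys
    # Assumed usage: python suexec_audit.py /path/to/script.cgi UID GID
    for line in suexec_audit(sys.argv[1], int(sys.argv[2]), int(sys.argv[3])):
        print(line)
```

An empty result means the script passes these four checks only; the other items in the list (compiled-in caller, DOC_ROOT, minimum UID/GID) are not covered.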
 

rustelekom

We have the same problem on one of our servers (CentOS 3.5).
The patch is installed and works correctly. cgi-sys and the Perl scripts inside have correct rights and ownership.
With suexec enabled, none of the cgi-sys folder scripts work, with the error "mismatch with directory (0/10) or program (0/10) error."
With suexec disabled, everything works correctly. This shows that the problem lies in some of the cPanel buildapache scripts, which should exclude uid/gid checking for special folders (like cgi-sys).
We had the same problem around a month ago on another server, and it was solved by recompiling Apache.
On this server, recompiling Apache does not help us, and we don't have any error message either.
cPanel is the latest Current build (66).
I will be glad to hear any comment from a cPanel developer.

BTW, on this server we also had a problem with httpd.conf being chmoded to 600, but it was corrected manually. And yes, we haven't used Edge at all, but upgraded cPanel from Stable to Current.