suexec and cgi-sys scripts

Discussion in 'General Discussion' started by Brian Farkas, Aug 19, 2005.

  1. Brian Farkas

    Hi All,
    For some reason, all the cgi-sys scripts on one of our servers stopped working today (internal server error / premature end of script headers), and it's got me stumped as to why...

    /var/log/httpd/suexec_log shows:
    error: target uid/gid (32003/32003) mismatch with directory (0/10) or program (0/0) or trusted user (0/10)


    All permissions and ownership appear to be correct, and I've tried updating cPanel to see if that would fix the issue... Turning suexec off DOES fix the issue, and the scripts work fine when accessing through https. But we had suexec turned on before, and it only started acting up today. Any help you can provide is greatly appreciated.
     
  2. adept2003

    Check your httpd.conf file for the User and Group directives inside the <VirtualHost> containers
     
  3. Brian Farkas

    Sorry, forgot to mention that... httpd.conf entries do have user/group entries... See below:

    <VirtualHost IP>
    ServerAlias www.DOMAIN.com DOMAIN.com
    ServerAdmin webmaster@DOMAIN.com
    DocumentRoot /home/USER/public_html
    BytesLog domlogs/DOMAIN.com-bytes_log
    User USER
    Group USER
    <IfModule mod_userdir.c>
    UserDir disabled
    UserDir enabled USER
    </IfModule>
    <IfModule mod_php4.c>
    php_admin_value open_basedir "/home/USER/:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>
    ServerName www.USER.com
    CustomLog domlogs/USER.com combined
    ScriptAlias /cgi-bin/ /home/USER/public_html/cgi-bin/
    </VirtualHost>
     
    #3 Brian Farkas, Aug 19, 2005
    Last edited: Aug 19, 2005
  4. adept2003

    Sorry if I'm teaching gurus to suck eggs, but try working your way down the list below:

    Requirements For suexec Operation

    1. suexec must be invoked with the correct number of arguments. If it isn't, it assumes someone is trying to penetrate your system by running it outside the Apache environment.
    2. The username/UID invoking suexec must be a valid user; that is, it must be listed in the /etc/passwd file. If it isn't, something's not quite right -- and when in doubt, punt.
    3. The username executing the wrapper must be the one that was compiled into it when it was built. Again, a mismatch here is interpreted as someone trying to use suexec in other than the prescribed way.
    4. The requested script must be a valid Web-space reference relative to the user's directory or the DocumentRoot; it cannot be an absolute filesystem path (i.e., it cannot start with a "/") and cannot include any up-level references (i.e., no "../" references either).
    5. The username and group under which the script is to be run must be valid, cannot be 'root', and must be above the minimum UID and GID values (set with the --suexec-uidmin and --suexec-gidmin options to the configure script, which both default to 100). In addition, the group must be a valid name, and not just a numeric GID.
    6. The wrapper must be able to change its identity to the requested username and group.
    7. The script (and obviously the directory in which it lives) must actually exist and the wrapper must be able to chdir() to the directory.
    8. If the script isn't from a ~username request, the script directory must be under the directory specified by DOC_ROOT (defined by the --suexec-docroot option to configure).
    9. The permissions on the specified script and its parent directory must not allow write access to either the group or the other categories.
    10. The script file cannot be setuid or setgid.
    11. The script and the directory must be owned by the user and group as which it is to be executed.
    12. The script must be executable by the user.
    13. suexec must be able to allocate memory in which to reproduce the environment variable list.
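
The file-level items in the list above (5 and 9 through 12) can be checked offline. The following is an added example, not part of the original thread and not Apache or cPanel code: it applies those checks to stat values and reproduces the ownership comparison from the suexec_log line in the first post. The names `St`, `suexec_file_checks` and `check_path` are hypothetical, the file modes are constructed, and the "trusted user" part of the log line is not modelled.

```python
import os
import stat
from collections import namedtuple

# Stand-in for os.stat_result holding only the fields the checks read.
St = namedtuple("St", "st_mode st_uid st_gid")
UID_MIN = GID_MIN = 100  # defaults quoted in item 5


def suexec_file_checks(uid, gid, dir_st, prog_st):
    """Return the violated requirements as strings; an empty list means pass."""
    problems = []
    # Item 5: target user and group must not be root or below the minimums.
    if uid < UID_MIN:
        problems.append(f"item 5: target uid {uid} is root or below {UID_MIN}")
    if gid < GID_MIN:
        problems.append(f"item 5: target gid {gid} is root or below {GID_MIN}")
    # Item 9: neither the script nor its directory may be group/other writable.
    for name, st in (("directory", dir_st), ("program", prog_st)):
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"item 9: {name} is writable by group or others")
    # Item 10: no setuid/setgid bit on the script.
    if prog_st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("item 10: program is setuid or setgid")
    # Item 11: script and directory must both be owned by the target uid/gid.
    owners = [(s.st_uid, s.st_gid) for s in (dir_st, prog_st)]
    if any(o != (uid, gid) for o in owners):
        problems.append(
            f"item 11: target uid/gid ({uid}/{gid}) mismatch with directory "
            f"({owners[0][0]}/{owners[0][1]}) or program ({owners[1][0]}/{owners[1][1]})")
    # Item 12: the owner needs the execute bit.
    if not prog_st.st_mode & stat.S_IXUSR:
        problems.append("item 12: program is not executable by its owner")
    return problems


def check_path(script, uid, gid):
    """Apply the same checks to a real script and its parent directory."""
    parent = os.path.dirname(os.path.abspath(script))
    # lstat so a symlinked script is judged on the link itself, not its target.
    return suexec_file_checks(uid, gid, os.stat(parent), os.lstat(script))


if __name__ == "__main__":
    # Constructed modes; uid/gid values are the ones in the suexec_log line.
    for line in suexec_file_checks(32003, 32003,
                                   St(0o040755, 0, 10), St(0o100755, 0, 0)):
        print(line)
```
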
     
  5. Brian Farkas

    Hmm... looks like the problem actually ended up going away by itself... very strange, but thank you for your replies.
     
  6. rustelekom

    We have the same problem on one of our servers (CentOS 3.5).
    The patch is installed and works correctly. cgi-sys and the Perl scripts inside have correct rights and ownership.
    With suexec enabled, none of the cgi-sys folder scripts work, failing with the error "mismatch with directory (0/10) or program (0/10) error."
    With suexec disabled, everything works correctly. This shows that the problem lies in some of the cPanel buildapache scripts, which should exclude uid/gid checking for special folders (like cgi-sys).
    We had the same problem around a month ago on another server, and it was solved by recompiling Apache.
    On this server, recompiling Apache does not help, and we don't get any error message either.
    cPanel is the latest Current build (66).
    I would be glad to hear any comment from a cPanel developer.

    BTW, on this server we also had a problem with httpd.conf being chmoded to 600, but it was corrected manually. And yes, we haven't used Edge at all, but upgraded cPanel from Stable to Current.
     