suexec policy violation

#1 Wed, 05/02/2012 - 04:34
DoubleSpeed

We've just taken over the hosting of a site which uses a CGI script to search the HTML-based site (it reads the HTML and creates a search index). It works fine on the old server; however, now when we try to run the search, in the logs we get:

suexec policy violation: see suexec log for more details

Looking at the suexec log

[2012-05-02 09:19:29]: uid: (519/username) gid: (508/508) cmd: search.pl
[2012-05-02 09:19:29]: command not in docroot (/www/vhtdocs/username/cgi-bin/search.pl)

Can anyone help with this issue?

Wed, 05/02/2012 - 09:38
andreychek

Howdy,

It sounds like it's trying to execute a script that exists in /www.

However, suexec is set up to only allow commands to run that are within /home.

My recommendation would be to create a Virtual Server for this website -- and then to set up the code for this particular site to reside within that Virtual Server... that would be in /home/USER/.

You may have to tweak a few paths in your script, but once you do that, you should be good to go!

-Eric

Wed, 05/02/2012 - 09:54
DoubleSpeed

Uumm, no. We have the virtual server created and we have the CGI script in the cgi-bin, which is above public_html in the home directory?

Wed, 05/02/2012 - 10:08
andreychek

Hmm, well, check out the path mentioned in the error message there:

/www/vhtdocs/username/cgi-bin/search.pl

And the error you're getting is this:

command not in docroot

That's saying that suexec thinks you're trying to execute a script outside of /home... so if the script is in the correct location, it's possible that a path is set correctly somewhere within your website.

-Eric

Wed, 05/02/2012 - 10:19
DoubleSpeed

Currently we have...

The folder structure like this..

/www/vhtdocs/username

/www/vhtdocs/username/cgi-bin

/www/vhtdocs/username/public_html

On the original server where the script worked the cgi-bin was inside the site root folder like this

/www/vhtdocs/username/public_html/cgi-bin

Do you think I need to recreate this in order for it to work?

Wed, 05/02/2012 - 12:24
andreychek

Howdy,

Well, that's what I was suggesting in my initial comment above... the folder structure you have there won't work.

The suexec binary is set up to only be able to execute programs in /home -- so if you're trying to use /www instead, that'll cause some trouble :-)

If you're using Ubuntu or Debian, there may be a way to tweak that -- but otherwise, you'd have to manually recompile Apache to get that structure to work.

Unless you're using Debian or Ubuntu, my suggestion would be to go with the Virtualmin default of having the home dirs and DocumentRoot within /home... that would resolve the errors you're seeing there.

-Eric

Wed, 05/02/2012 - 13:10
DoubleSpeed

Sorry about this, still having issues. I've moved the cgi-bin inside the site root now and it still will not run, so I've uploaded a 'helper.cgi' script which should just print out an overview of the server configuration (doc roots, stuff like that), chmod it to 755, and this won't run either.

Getting a similar error message...

[2012-05-02 17:57:09]: uid: (519/username) gid: (508/508) cmd: helper.cgi
[2012-05-02 17:57:09]: command not in docroot (/www/vhtdocs/username/public_html/cgi-bin/helper.cgi)

One other thing which may or may not be related is that Webmin says I have a perl update to V 5.8.8-38.el5; however, I've tried to install this a few times and it fails each time?

Wed, 05/02/2012 - 14:09
andreychek

Hmm, well, what I'm seeing is that the full path to helper.cgi is this:

/www/vhtdocs/username/public_html/cgi-bin/helper.cgi

Does that sound correct?

If it is, that's the problem -- that's not within "/home".

Suexec will only run programs that are somewhere within /home... by default on a Virtualmin system, that would be something like this:

/home/USER/cgi-bin/helper.cgi

So long as they're outside of /home (such as in /www), suexec will throw an error like you're seeing.

-Eric

Wed, 05/02/2012 - 14:39
DoubleSpeed

OK, I see what you are saying; however, in Virtualmin I changed the home directory for this (and other) domains to be /www/vhtdocs/username/. Is this not OK? Everything else works fine for other domains; this is the first time I've tried to use CGI though. Can I change the home for CGI to run in my preferred 'home' location for users?

Wed, 05/02/2012 - 15:17
andreychek

What Linux distro are you using?

-Eric

Wed, 05/02/2012 - 15:21
DoubleSpeed

Centos 5.8

Wed, 05/02/2012 - 16:11
andreychek

With CentOS -- suexec is hard coded to only work with /home.

The likely reason it's working for you now for some sites is probably that you're using mod_php for running PHP apps (or just using static HTML pages or other non-CGI stuffs), which doesn't utilize suexec.

However, if you want to be able to use CGI scripts on CentOS, you'd either need to place them in /home, or you'd need to recompile Apache and tell it to use a different path for suexec.

-Eric

Thu, 05/03/2012 - 09:37
DoubleSpeed

OK, still having an issue. What I've done is set up a 'test' virtual host with its root in /home like this...

/home/username/cgi-bin/ and /home/username/public_html

I've placed my little 'helper.cgi' script in the cgi-bin, chmod it to 755 and called it via the domain/cgi-bin, and I get a 500 error. The log shows...

[Thu May 03 14:22:02 2012] [error] [client 188.92.238.166] suexec policy violation: see suexec log for more details

[Thu May 03 14:22:02 2012] [error] [client 188.92.238.166] Premature end of script headers: helper.cgi

suexec log shows...

[2012-05-03 14:22:02]: uid: (520/cgi) gid: (509/509) cmd: helper.cgi
[2012-05-03 14:22:02]: target uid/gid (520/509) mismatch with directory (520/509) or program (0/0)

Thu, 05/03/2012 - 10:29
andreychek

Howdy,

It looks like you're getting closer!

The suexec program is saying that the owner of the .cgi script, and the owner of the directory, don't match.

They should all be owned by the Virtual Server owner -- where it sounds like one of them may be owned as root.

-Eric
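
An added example, not part of any post in this thread: a small Python triage helper that reads suexec log entries like the ones quoted above and reports which policy check failed (docroot or ownership) and which object has the wrong owner. The function name `diagnose` and the `/home` docroot default are assumptions taken from what the thread says about this CentOS system; the sample entries are the ones posted above, one per line.

```python
import re

# Assumption: suexec's compiled-in docroot, as stated in the thread for this server.
SUEXEC_DOCROOT = "/home"

# Log entries quoted in the posts above, one entry per line.
SAMPLE_LOG = """\
[2012-05-02 09:19:29]: uid: (519/username) gid: (508/508) cmd: search.pl
[2012-05-02 09:19:29]: command not in docroot (/www/vhtdocs/username/cgi-bin/search.pl)
[2012-05-03 14:22:02]: uid: (520/cgi) gid: (509/509) cmd: helper.cgi
[2012-05-03 14:22:02]: target uid/gid (520/509) mismatch with directory (520/509) or program (0/0)
[2012-05-03 20:04:10]: uid: (520/username) gid: (509/509) cmd: helper.cgi
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\]: (?P<msg>.*)$")
REQUEST = re.compile(r"^uid: \((\d+)/[^)]*\) gid: \((\d+)/[^)]*\) cmd: (\S+)$")
DOCROOT = re.compile(r"^command not in docroot \((.+)\)$")
MISMATCH = re.compile(r"^target uid/gid \((\d+/\d+)\) mismatch with "
                      r"directory \((\d+/\d+)\) or program \((\d+/\d+)\)$")

def diagnose(log_text, docroot=SUEXEC_DOCROOT):
    """Return one dict per suexec request: cmd, status and a plain-language detail."""
    results = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (req := REQUEST.match(msg)):
            # A request line with no error line after it means suexec ran the command.
            results.append({"cmd": req.group(3), "status": "ok", "detail": "executed"})
        elif results and (d := DOCROOT.match(msg)):
            results[-1].update(status="not_in_docroot",
                detail=f"{d.group(1)} is not under suexec docroot {docroot}")
        elif results and (mm := MISMATCH.match(msg)):
            target, directory, program = mm.groups()
            # Name only the object(s) whose owner differs from the target user.
            wrong = [n for n, o in (("directory", directory), ("program", program)) if o != target]
            results[-1].update(status="owner_mismatch",
                detail=f"chown {' and '.join(wrong)} to uid/gid {target}")
    return results

if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG):
        print(f"{r['cmd']}: {r['status']} - {r['detail']}")
```
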

Thu, 05/03/2012 - 15:14
DoubleSpeed

Hi Eric, you are correct, I had uploaded it as root; however, I've deleted and re-uploaded as the user and I'm getting a different error message now...

[2012-05-03 20:04:10]: uid: (520/username) gid: (509/509) cmd: helper.cgi

Sorry to be so dumb on this, not used to perl stuff

Thu, 05/03/2012 - 16:14
andreychek

Howdy,

That's actually the correct notice that you'd see in the suexec log -- I think you've got that part fixed!

If you're still seeing an error, you'd want to look in your Apache logs, in $HOME/logs/error_log, to see what error it's outputting in there.

-Eric

Thu, 05/03/2012 - 16:38
DoubleSpeed

OK cool I've got the test script running now thank you, will try and move the actual website and search script now.

Topic locked