Where is suexec log on Centos 7?

6 posts / 0 new
Last post
#1 Mon, 05/11/2015 - 14:46
sfatula

Where is suexec log on Centos 7?

I note that suexec -V on centos 6 shows an AP_LOG_EXEC configuration, on Centos 7, it does not. I note that on Centos 6, there is a /var/log/httpd/suexec.log file with suexec issues, on Centos 7, there is no such file.

Is this intentional? Where would I find problems with suexec logged? I thought suexec was provided by Virtualmin repository. Curious as we are having what I believe is a USEXEC issue, but, can't find any log.

Mon, 05/11/2015 - 15:07
andreychek

Howdy,

I would have figured it'd be in the same place too.

What is the output of this command:

rpm -qa | grep httpd

Mon, 05/11/2015 - 15:33 (Reply to #2)
sfatula
[root@host8 crm]# rpm -qa | grep httpd
httpd-2.4.6-18.el7.centos.vm.1.x86_64
httpd-tools-2.4.6-18.el7.centos.vm.1.x86_64
[root@host8 crm]#

On Centos 6:

[root@host9 ~]# suexec -V
-D AP_DOC_ROOT="/home"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/httpd/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX="public_html"

On Centos 7:

[root@host8 crm]# suexec -V
-D AP_DOC_ROOT="/home"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_SYSLOG
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX="public_html"

Not sure it matters, but, you can see your AP_LOG_EXEC is missing in Centos 7. May be intentional, just asking.

Sun, 12/25/2016 - 05:05 (Reply to #3)
Mostafa
Mostafa's picture

yh I have similar question / issue here as well

[root@sv httpd]# rpm -qa | grep httpd httpd-2.4.6-40.el7.centos.4.vm.2.x86_64 httpd-tools-2.4.6-40.el7.centos.4.vm.2.x86_64 [root@sv httpd]# suexec -V -D AP_DOC_ROOT="/home" -D AP_GID_MIN=100 -D AP_HTTPD_USER="apache" -D AP_LOG_SYSLOG -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin" -D AP_UID_MIN=500 -D AP_USERDIR_SUFFIX="public_html"
Sun, 12/25/2016 - 05:10
Joe
Joe's picture

That change isn't intentional on our part, and it's not a change that we made to the package (even though we do provide the Apache packages on CentOS), but it seems to be intentional on the part of the RHEL (and CentOS) folks. It looks like it's sending it to syslog, but I don't know why that would be preferable to a dedicated log. Because suexec is a specialized problem, I like having it separate. It seems y'all do, too! So, upstream has seemingly changed it to syslog, and I'm not sure why.

I'm looking into it.

--

Check out the forum guidelines!

Sun, 12/25/2016 - 05:14
Joe
Joe's picture

Found it!

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7...

(Search for suexec in that, as there are a bunch of changes, not just this one.)

The reason is a great one! You just need to know that now you should look in /var/log/secure for your suexec error messages rather than in the old location. The reason is so that the suexec binary doesn't have to start with root privileges. It uses capabilities to su to other users, but because it never runs as root, it can't open a new log file in the Apache log directory, and can only log to syslog. That's actually really great! (If a little inconvenient, if you're used to the old way.)

--

Check out the forum guidelines!