Suexec error when Checking Configuration

33 posts / 0 new
Last post
#1 Thu, 09/25/2008 - 10:56
thetitan

Suexec error when Checking Configuration

I am running Virtualmin 3.62 GPL on CentOS 5.2

After the upgrade to Virtualmin 3.62 today, the system ported me to run configuration re-check. When I do it it returns the error below:

The Suexec command on your system is configured to only run scripts under /var/www, but the Virtualmin base directory is /home. CGI and PHP scripts run as domain owners will not be executed. .. your system is not ready for use by Virtualmin.

What would be the easiest way to fix this without endangering the many sites, already hosted on the system, by messing up their config files?

Thu, 09/25/2008 - 12:50
Joe
Joe's picture

Just disable suexec in Virtualmin (Server Templates:Apache Website:Automatically add appropriate SuExec directive? set it to "No"). Obviously you're not using it, if scripts are working. ;-)

Longer term, if you have less than fully trusted users on your system, I'd suggest getting suexec setup correctly. We provide Apache packages for CentOS 5 that are appropriately configured for use with Virtualmin in our CentOS yum repo.

--

Check out the forum guidelines!

Fri, 09/26/2008 - 17:36 (Reply to #2)
shanta

I tried the install script but it dose not work. It seems my os is not supported. Debian lenney

Virtualmin was installed by the apt-get package. As a rule I use Debian packages as they should put things were Debian would expect them.

If installing Virtualmin from apt-get sources is not recommended than you should say so on that site or not provide that method of installation.

How to I fix the Suexec error (Webmin reports apache2 Next generation, scalable, extendable web server Running latest 2.2.4-3 Virtualmin)?

Shanta

Sat, 09/27/2008 - 13:21 (Reply to #3)
Joe
Joe's picture

<div class='quote'>I tried the install script but it dose not work. It seems my os is not supported. Debian lenney</div>

The OS support page is, I think, pretty clear about what is supported by the install script:

http://www.virtualmin.com/os-support.html

If you're using an OS not covered by that, then you'll have to perform a manual installation.

<div class='quote'>Virtualmin was installed by the apt-get package. As a rule I use Debian packages as they should put things were Debian would expect them.</div>

Of course. We always use the native package manager when possible. Personally, I'm obsessive about it...and I regularly scold folks for installing using tarballs and other assorted nonsense.

But, you're right. lenny is not supported. You'll have to perform a manual installation and configuration.

<div class='quote'>If installing Virtualmin from apt-get sources is not recommended than you should say so on that site or not provide that method of installation.</div>

Of <i>course</i> apt is the recommended source for packages! <i>But</i> there's a lot more to getting a fully functioning Virtualmin system than installing a few packages. There are dozens of configuration steps, and they are all very specific to the OS and version you're installing on.

If we haven't built a virtualmin-base package (which is the package that does all of the &quot;magic&quot; that you're expecting to have happened when you installed webmin-virtual-server) specifically for your OS, it will not work for your OS.

virtualmin-base is the package that installs and configures a system with most of the dependencies and other assorted fun stuff (apt-get does something stupid with regard to dependencies that conflict with already installed packages, so there's actually a bit more going on in the install script for Debian/Ubuntu than I'd like--we have to clean up and remove existing packages that will cause problems before installing virtualmin-base).

In short, if you're going to run on an OS unsupported by the automated installation process (which uses apt-get for everything), you'll need to perform a manual installation and configuration. And, you'll need to build your own Apache package with suexec_docroot set to /home.

We don't support beta/testing versions of operating systems (it's hard enough to support all of the stable platforms we support) in our installer. We expect folks that are running experimental systems are a bit more advanced than usual and able to handle the manual process.

--

Check out the forum guidelines!

Sat, 09/27/2008 - 19:47 (Reply to #4)
thetitan

<b>Joe wrote:</b>
<div class='quote'>Did you install Virtualmin using RPMs or wbm? (If the latter, why? I'm trying to figure out how to guide people better...we're still getting a lot of odd install processes that makes folks lives harder than it needs to be, and makes things harder to support.)</div>

It will be 1 year since I set up the server in couple of days. If I remember correctly, I installed Vmin by copying the URL from the webmin website and pasting it in webmin to handle the installation. It's usually what I do with webmin modules.I figured it was the best way to do it since one was made for the other and both were made by the same developers.

HTTPD was installed from the centos repo, although I have been updating it from utterramblings: www.jasonlitka.com

BTW, could you take a look at <a href='http://www.virtualmin.com/forums/virtualmin/unavailable-features-for-ser... target='_blank'>http://www.virtualmin.com/forums/virtualmin/unavailable-features-for-ser... and give me your opinion on the situation. I would greatly appreciate it.

Regards,

Alexandar

Sat, 09/27/2008 - 20:09 (Reply to #5)
Joe
Joe's picture

OK, I'm completely lost trying to follow this thread. We're talking about apt-get and Debian and CentOS and the utterramblings repo and all sorts of craziness. ;-)

Could whoever <i>didn't</i> start this thread start a new one on your particular topic (Debian or CentOS) and questions? I'm gonna try to catch up and figure out what I'm talking about...

--

Check out the forum guidelines!

Sat, 09/27/2008 - 20:17 (Reply to #6)
Joe
Joe's picture

<div class='quote'>HTTPD was installed from the centos repo, although I have been updating it from utterramblings: www.jasonlitka.com</div>

Unless this httpd was built with suexec_docroot set to /home, you can't use suexec on your system. You'll have to disable it, as I mentioned earlier in this thread (or maybe in another thread...I've mentioned it a half dozen times in the past few days, though!).

<div class='quote'>It will be 1 year since I set up the server in couple of days. If I remember correctly, I installed Vmin by copying the URL from the webmin website and pasting it in webmin to handle the installation. It's usually what I do with webmin modules.I figured it was the best way to do it since one was made for the other and both were made by the same developers.</div>

That installs modules. Nothing else. As long as you're willing and able to do all of the other stuff involved in getting a fully functioning virtual hosting server running, it'll work fine. (But it makes it harder for me to know anything about your system, and offer advice when problems arise...since I have no idea what your system looks like, since it isn't setup like our default.)

I don't want it to sound like you <i>can't</i> install things in any way you want. You certainly can, and we take great pride in Virtualmin being extremely flexible. However, installing a Webmin module does just that: it installs a Webmin module. If you expect it to do anything else (like install Apache or other services, configure them for use in Virtualmin hosting, etc.) you'll be disappointed. Installing a module is a non-invasive process--simply installing Webmin or any Webmin module does <i>nothing</i> to your system except install Webmin or the module, and it can't/shouldn't do anything more.

I'll try to make this distinction a lot more clear in the Webmin.com/Virtualmin.com site redesign that's ongoing. We're still obviously failing to guide people on what Virtualmin (the module) is and how to get Virtualmin (the full-stack product) installed easily and reliably.

--

Check out the forum guidelines!

Sun, 09/28/2008 - 04:51 (Reply to #7)
thetitan

<b>Joe wrote:</b>
<div class='quote'>That installs modules. Nothing else. As long as you're willing and able to do all of the other stuff involved in getting a fully functioning virtual hosting server running, it'll work fine. (But it makes it harder for me to know anything about your system, and offer advice when problems arise...since I have no idea what your system looks like, since it isn't setup like our default.)

I don't want it to sound like you can't install things in any way you want. You certainly can, and we take great pride in Virtualmin being extremely flexible. However, installing a Webmin module does just that: it installs a Webmin module. If you expect it to do anything else (like install Apache or other services, configure them for use in Virtualmin hosting, etc.) you'll be disappointed. Installing a module is a non-invasive process--simply installing Webmin or any Webmin module does nothing to your system except install Webmin or the module, and it can't/shouldn't do anything more.

I'll try to make this distinction a lot more clear in the Webmin.com/Virtualmin.com site redesign that's ongoing. We're still obviously failing to guide people on what Virtualmin (the module) is and how to get Virtualmin (the full-stack product) installed easily and reliably.</div>

At the time my understanding of Vmin was minimal. I was used to using webmin and manually editing and installing components. There have been changes to the webmin and Vmin sites and the information they provide. I always though that Vmin was just a module for Webmin, plus the system was already running httpd and mysql before I installed Webmin.

Do you have a page on the Vmin or Webmin sites that explains the difference between the Vmin module and Vmin RPM?

Sun, 09/28/2008 - 12:45 (Reply to #8)
Joe
Joe's picture

<div class='quote'>Do you have a page on the Vmin or Webmin sites that explains the difference between the Vmin module and Vmin RPM?</div>

There is no difference. Both contain the Virtualmin module and nothing else...just in two different formats. The RPM is preferred for folks who use RPM-based systems (and the deb is preferred for folks who use deb-based systems). But, .wbm (the Webmin module package format) has rudimentary dependency support, and can even work with the Virtualmin Package Updates module (though it's not easy obvious how to configure that capability).

In all cases, however, installing any of the virtual-server module packages just installs a Webmin module. It does no configuration of the system and installs no additional packages. To get a full &quot;Virtualmin system&quot;, you have to configure lots of other services (and install a few other Webmin modules, most importantly the security-updates module and the virtual-server-theme module, but there are a handful of additional modules to get other functionality for stuff like domain registrations, management of other database types like Oracle and SQLite, Mailman mailing list management, Subversion repos, etc.).

The Webmin and Virtualmin websites will be getting somewhat merged (by some definition of &quot;merged&quot;) in the not too distant future, and we'll hopefully make all of this stuff a lot more clear.

I think one of the big problems is that Virtualmin is used to refer to both the module and the whole product. I try to only refer to Virtualmin the module as &quot;the virtual-server module&quot; or &quot;the Virtualmin Virtual Servers module&quot;, and use the term &quot;Virtualmin&quot; only to refer to the whole stack of apps. But it's still easily confused. ;-)

--

Check out the forum guidelines!

Thu, 09/25/2008 - 13:22
thetitan

Hi Joe,

Thank you for your response. At this time it's me and 1 more user of the system, but I would like to secure the server some time in the future.

Is it possible to configure Suexec to use both /home and /var/www? If yes, can I do it without uninstalling and installing apps.

If not:
Which are the RPM that I need to install from your repo?
What is your repo's address?
When I uninstall and install the apps is anything going to majorly change and affect all the other settings/configurations on the server necessary for the websites to run properly or is the suexec run environment going to be the only thing changed?
Any config files I should back up first, that might be affected in the process?

Also, if you could have a look at this <a href='http://www.virtualmin.com/forums/virtualmin/unavailable-features-for-ser... target='_blank'>http://www.virtualmin.com/forums/virtualmin/unavailable-features-for-ser....

Thank you for your time.

Thu, 09/25/2008 - 14:14 (Reply to #10)
Joe
Joe's picture

<div class='quote'>Is it possible to configure Suexec to use both /home and /var/www?</div>

No.

<div class='quote'>What is your repo's address?</div>

Assuming you installed everything (including Webmin, and all Virtualmin modules) via RPM, it's safe to install virtualmin-release:

http://software.virtualmin.com/gpl/centos/5/i386/virtualmin-release-1.0-...

Which will setup both our universal repo (for Webmin packages) and the OS-specific repository for your OS version and architecture.

From there, just update httpd and related packages using yum:

yum update httpd

It might require you to update some other pieces.

This should be safe, but I obviously recommend you have good backups--but you're keeping good backups already, right? ;-)

--

Check out the forum guidelines!

Sun, 06/07/2009 - 07:29
web_support@web...

&Icirc;

Sun, 06/07/2009 - 07:29
web_support@web...

&Icirc;

Fri, 09/26/2008 - 05:10
andreychek

Yeah, the suexec path is a compile-time setting in the suexec binary.

Virtualmin does provide Apache packages that include suexec with /home compiled into suexec.

Another option is to disable suexec; it's less secure, but it might help you get by for the time being.

For the long-term, though, you'd probably want to consider using Virtualmin's Apache packages, that'll prevent problems like this from creeping up :-)
-Eric

Fri, 09/26/2008 - 06:06
web_support@web...

Can you post a link with details where I can find these debian apache packages for virtualmin. Can I add for example an apt repository on my sources.list?

I had no idea there were such packages till I encountered the problem

Thank you!

Fri, 09/26/2008 - 06:44 (Reply to #15)
andreychek

Well, in theory, performing a Virtualmin install would add them to /etc/apt/sources.list .

You said you're using Etch, which is supported. You can see the Virtualmin GPL repo here:

http://software.virtualmin.com/gpl/debian/dists/virtualmin-etch/

Fri, 09/26/2008 - 06:51
thetitan

Joe,

Thank you for your response, I will be working on this over the weekend. BTW, should I uninstall Vmin first, or can I just play the RPM over the old one?

Could you please have a look at <a href='http://www.virtualmin.com/forums/virtualmin/unavailable-features-for-ser... target='_blank'>http://www.virtualmin.com/forums/virtualmin/unavailable-features-for-ser....

Thank you.

Fri, 09/26/2008 - 10:30 (Reply to #17)
Joe
Joe's picture

<div class='quote'>BTW, should I uninstall Vmin first, or can I just play the RPM over the old one?</div>

No! Don't uninstall Virtualmin! That'll wipe out all of your Virtualmin meta-data, which could ruin your day if you're not keeping good backups. If you are keeping good backups, it'll just waste an hour or two of your time.

But I thought we were talking about Apache packages, which have nothing to do with the Virtualmin packages. (Though, I guess if you've been manually installing stuff all this time you might have some out of date stuff.)

Did you install Virtualmin using RPMs or wbm? (If the latter, why? I'm trying to figure out how to guide people better...we're still getting a lot of odd install processes that makes folks lives harder than it needs to be, and makes things harder to support.)

--

Check out the forum guidelines!

Fri, 09/26/2008 - 07:24
BossHog

Howdy yall,
just adding my experiences here, to build your confidence Thetitan.

I had the same problem on the last updates to my CentOS 4.7 server, the httpd etc.. made a change that whamo'd my V-min suexec.

Basically, I removed the CentOS stock packages:
httpd, httpd-manual, httpd-devel, httpd-suexec, mod_ssl, and mod_fcgid

Then, I installed the custom rpm's that Joe (and Jamie?) have so graciously made avaiable from their repo:
http://software.virtualmin.com/gpl/centos/
There is a repo for the Debian packages also.

My whole &quot;panic&quot; lasted about 15 minutes. Whern I was finished swapping out the rpm's my apache server actually seems a little more responsive.
Y.M.M.V.! But I found the process very easy.
HTH
Joe

P.S. --&gt; helpful links:
http://www.virtualmin.com/forums/help-home-for-newbies/suexec-doc_root-i...
and
http://software.virtualmin.com/gpl/debian/

Fri, 09/26/2008 - 07:50
thetitan

Great Thanks BossHog. I'm glad I have an open weekend in case of mess ups :)

Fri, 09/26/2008 - 10:23
web_support@web...

I have virtualmin pro installed on debian etch

When I add the following repository
[code:1]deb http://software.virtualmin.com/gpl/debian virtualmin-etch main[/code:1]
and do
[code:1]aptitude update &amp;&amp; aptitude dist-upgrade[/code:1]
i get all the following packages ready to update
<div class='quote'>[apache2 apache2-mpm-prefork apache2-utils apache2.2-common clamav-data phpmyadmin usermin webmin webmin-virtual-server</div>
so I did instead
[code:1]aptitude install apache2 apache2-mpm-prefork apache2-utils [/code:1]

My concern was that I have virtualmin pro installed. Will the following repository try to install the gpl version on top of the pro and mix things up? I have a lot of sites in my server and i can't risk anything.

Is this repository for the pro version as well, or should i use another repositiry or procedure?

Thanks everyone!

Fri, 09/26/2008 - 10:26 (Reply to #21)
Joe
Joe's picture

[quote]Is this repository for the pro version as well, or should i use another repositiry or procedure?[quote]

The gpl repository is <i>not</i> for Professional. Using it will downgrade your Virtualmin to the GPL version.

You need the Professional repositories instead. They are all documented here:

http://www.virtualmin.com/component/option,com_openwiki/Itemid,48/id,man...

--

Check out the forum guidelines!

Fri, 09/26/2008 - 10:40
web_support@web...

Thanks Joe,
Not sure how to add to sources.list the authorization required though.

Can I use sources.list to automate the dependencies or should I manually download the packages and install.

Is this correct?
[code:1]deb http://mylicencekey:myserial@software.virtualmin.com/ virtualmin-etch main[/code:1]

Vagelis

Fri, 09/26/2008 - 10:44 (Reply to #23)
Joe
Joe's picture

<div class='quote'>Not sure how to add to sources.list the authorization required though.</div>

Both apt-get and yum use standard URL syntax:

http://serial:license@software.virtualmin.com/blah/blah

<div class='quote'>Can I use sources.list to automate the dependencies or should I manually download the packages and install.</div>

I don't know. What are you trying to do?

--

Check out the forum guidelines!

Fri, 09/26/2008 - 10:46 (Reply to #24)
andreychek

Hrm, your sources line isn't showing up above... however, for Debian Etch, you might use something like this:

deb http://VIRTUALMIN_SERIALNUM:VIRTUALMIN_LICENCENUM@software.virtualmin.co... virtualmin-etch main

How did you end up doing your install? Had you used the install.sh script? And if so, can you verify that there isn't a line similar to the above already in sources.list?
-Eric

Fri, 09/26/2008 - 10:49
web_support@web...

(the code tag didn't display correctly)
I used

deb http://mylicence:mykey@software.virtualmin.com/ virtualmin-etch main

on my sources.list

But with no luck. I don't know how to pass authorization through apt.

Thanks!

Fri, 09/26/2008 - 10:52
web_support@web...

Thanks everyone!

I corrected the sources.list as you mentioned (i had putted licence and key vice versa) and that passed the authorization!

Vagelis

Fri, 09/26/2008 - 10:59
web_support@web...

Eric
I did not do the setup with the script.
I had the gpl version for a while, I manually changed settings in apache and other webmin modules to pass the config check
Then i installed pro through the web-interface of the gpl.

I can see now that it was a painfull and procedure (not the best) and the problems arise now and then

Anyway thanks everyone! My problems seem to be solved!

Fri, 09/26/2008 - 14:16
shanta

I have this problem with a system entirely installed by Webmin. Webmin was installed by apt-get by adding the link above to apt-get sources. This was all before any programs were installed.

Why did Webmin/Virtualmin not install apache etc correctly? It was not on the server to start with.

Do I have to uninstall all the programs and do it again?

Shanta

Fri, 09/26/2008 - 14:43 (Reply to #29)
andreychek

Howdy,

While it's possibly to get a working Virtualmin system by individually installing things through apt-get, that's the hard way.

The best way to get Virtualmin up and running is to use the install.sh installer, which is designed to handle pulling in all the dependencies.

Ideally, you'd have a freshly installed system, and you'd run the installer on that.

In your case -- if your system isn't live yet, you may be able to get things working by executing the installer:

GPL: http://webmin.com/vinstall.html
Pro: http://virtualmin.com/serial/

You'd be best off by running that on a fresh system though.

If things are live, well, that's a little trickier :-) You'd need to fix things on a case by case basis -- if you need the Virtualmin Apache packages, you could manually install those in place of your current ones.

Of course, while it should work fine, you'll want to make sure you have some backups made ;-)
-Eric

Fri, 09/26/2008 - 14:53 (Reply to #30)
Joe
Joe's picture

Howdy Shanta,

Webmin is not the way to install a full Virtualmin stack. If you just install the Virtualmin module, you're just installing the Virtualmin module.

To get a full install of Virtualmin and all of its dependencies, including our software repositories and such, you need to run our install.sh script (assuming your running a supported OS). This is documented in the installation documentation. If you hate reading lots of documentation, at least read the quickstart install guide:

http://www.virtualmin.com/documentation/id,virtualmin_installation_quick...

We recommend you <i>not</i> install Webmin before installing Virtualmin. It probably won't hurt anything in the installation process, but it's a waste of your time (and if you install via tarball or using a package from a source other than Webmin.com or Virtualmin.com, it will cause weird issues down the road that are very time consuming to correct).

--

Check out the forum guidelines!

Sun, 09/28/2008 - 03:02
molski

Boy....am I glad I wansn't the only one with the Recheck Config error :)

After reading 2 or 3 topics I also checked my config and these were all the steps I have performed to get SuExec and the Recheck Config working properly!

[code:1][root@# ~]# /usr/sbin/suexec -V/usr/sbin/suexec -V
suexec policy violation: see suexec log for more details
[root@molskiweb ~]# /usr/sbin/suexec -V
-D AP_DOC_ROOT=&quot;/var/www&quot;
-D AP_GID_MIN=100
-D AP_HTTPD_USER=&quot;apache&quot;
-D AP_LOG_EXEC=&quot;/var/log/httpd/suexec.log&quot;
-D AP_SAFE_PATH=&quot;/usr/local/bin:/usr/bin:/bin&quot;
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX=&quot;public_html&quot;
[root@# ~]# rpm -qf /usr/sbin/httpd
httpd-2.2.3-11.el5_1.centos.3[/code:1]

I was also running the CentOS version of Apache and SuExec with the incorrect 'DOC ROOT'.

So I performed this command:
[code:1][root@# ~]# rpm -ivh http://software.virtualmin.com/gpl/centos/5/i386/virtualmin-release-1.0-...

And after that one a simple:
[code:1][root@# ~]# yum update httpd[/code:1]

Where it updated the following packages without problems:
[code:1]=============================================================================
Package Arch Version Repository Size
=============================================================================
Updating:
httpd i386 1:2.2.3-11.el5.3vm virtualmin 2.5 M
Updating for dependencies:
mod_ssl i386 2:2.2.3-11.el5.3vm virtualmin 314 k
[/code:1]

Update complete!
[code:1][root@# ~]# rpm -qf /usr/sbin/httpd
httpd-2.2.3-11.el5.3vm
[root@molskiweb ~]# /etc/init.d/httpd status
httpd (pid 16306 16305 16304 16303 16302 16301 16300 16299 16283) is running...
[root@# ~]#
[/code:1]

Everything is working perfect and the my configuration is okay again ;)

Molski

Sun, 09/28/2008 - 03:04 (Reply to #32)
molski

Okay, somehow 2 of the command are not shown in the &quot;code&quot; section :(

So here they are:

1) rpm -ivh http://software.virtualmin.com/gpl/centos/5/i386/virtualmin-release-1.0-...

2) yum update httpd