Apache2 error.log and SuExecUserGroup messages...

Hi all,

I was checking my Apache2 error log this morning and came across some WARNING messages from SuExec. Here is part of my MAIN error.log:

Apache starts with:

```
[notice] Digest: generating secret for digest authentication …
[notice] Digest: done
[notice] Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.8e DAV/2 mod_ruby/1.2.6 Ruby/1.8.6(2007-03-13) mod_perl/2.0.3 Perl/v5.8.8 configured – resuming normal operations
[notice] mod_fcgid: call /Volumes/home/www/site1/public_html/index.php with wrapper /Volumes/home/www/site1/fcgi-bin/php4.fcgi
[notice] mod_fcgid: call /Volumes/home/www/site2/public_html/index.php with wrapper /Volumes/home/www/site2/fcgi-bin/php4.fcgi
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.

[warn] Init: Session Cache is not configured [hint: SSLSessionCache]
```

This happens every time I stop/restart Apache.
However, it starts just fine and from what I can tell so far, I think I have no PHP/CGI related issues or other errors. I checked all other error logs from my virtual servers and they don’t contain any SuExec warnings or errors.

Does this happen because SuExec docroot is not set to the default htdocs but to a different drive for my "home" directories? Since it seems to affect only the MAIN log file it looks like that to me.

How about the session cache warning? Where can I configure this in Virtualmin/Webmin?

Tony

> Does this happen because SuExec docroot is not set to the default htdocs but to a different drive for my "home" directories? Since it seems to affect only the MAIN log file it looks like that to me.

No, I believe it’s that it can’t find the suexec binary. suexec is a program unto itself, and Apache needs to know how to find it. Check to see where it thinks it should be, and then make sure your suexec binary is really there and is really set suid:

httpd -V | grep SUEXEC_BIN

We have suexec docroot pointing somewhere other than the default document directory–so what you describe is definitely not a problem.

The session cache is set with the SSLSessionCache directive. In Webmin this directive can only be set using the Edit Config Files option (it’s usually preset and no one ever needs to change it…so why bother cluttering up the interface…but I guess it isn’t set by default on Mac OS X).

The docs for this directive are here:

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslsessioncache

Joe… you are right!

httpd -V | grep SUEXEC_BIN

-D SUEXEC_BIN="/usr/sbin/suexec"

Apache2 is a MacPort/Darwinport install and usually all paths are fixed and set to the ports directory. Only in this case it wasn’t… strange.

Would it be enough to symlink it?
Or where can I tell Apache where to find it?

Tony

Shoot… just read it on apache.org

The path to the suexec binary must be hard-coded in the server for security reasons. Use this option to override the default path. e.g. --with-suexec-bin=/usr/sbin/suexec

Will try if symlinking does the trick but I don’t think so. SuExec seems to be soooo picky.

Tony

Well… spoke too soon…
I was not quite right with the syntax when using Macports.

When I did:
httpd -V | grep SUEXEC_BIN

I was actually referring only to the internal OSX install of Apache but NOT the port. :wink:

So I actually had to do:
/opt/local/apache2/bin/httpd -V | grep SUEXEC_BIN

-D SUEXEC_BIN="/opt/local/bin/suexec"

and that is exactly the location of the suexec binary. Phew… thought I need to recompile Apache2 again…

But now I am back to where I was I guess. Why does SuExec throw these errors when stopping or restarting the server?

Tony

I dunno. :wink:

Are you sure you’re running the httpd that knows where to find your suexec? Is it actually setuid?

Yep… 100% sure…

I just wish I knew how to debug these messages. They used to appear if the Apache config was screwed up. But now Apache doesn’t show any warnings during startup so…

Oh well… I am still testing if there is any erratic behavior of scripts using SuExec. If I find out what causes this I’ll let you know…

Tony

Shouldn’t have said it again… I was really convinced the path to the suexec binary was set correctly but…

I was just reading the suExec docu on apache.org again and it says specifically:

Upon startup of Apache, it looks for the file suexec in the directory defined by the --sbindir option (default is "/usr/local/apache/sbin/suexec"). If Apache finds a properly configured suEXEC wrapper, it will print the following message to the error log: [notice] suEXEC mechanism enabled (wrapper: /path/to/suexec)

THAT was the clue! I bet almost every install where suexec is NOT throwing this message it will NOT work properly, just like it did for me. Yeah sure it was working… but not the way it was supposed to. I find the warnings in the log only a bit limited to "guess" what's really going on.

Anyway, I recompiled the whole damn thing, changed the path, checked the path on apache2 and suexec again and again and as far as the warnings are concerned, they are no more. :wink:

Now, let's hope setuid and setgid are behaving.

Thanks again Joe,
Tony

Feedback: It works!

Tony

Awesome, thanks for the update Tony! Glad to hear things are progressing.

As you’ve noted you can’t screw around with paths and such when it comes to suexec–suexec is a really dangerous piece of code, as it can execute arbitrary code as any user. So, it refuses to do anything that might allow you to do something stupid.
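
The checks worked through in this thread can be collected into one script. This is an added example, not something posted by either participant: it reads the compiled-in `SUEXEC_BIN` from the `httpd -V` output of the binary you name, checks that the wrapper exists, is setuid and is owned by root, and reports which suEXEC message the error log recorded most recently. The function names and the status words are made up for this example; the root-ownership check comes from the Apache suEXEC documentation rather than from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Read `httpd -V` output on stdin and print the compiled-in wrapper path.
suexec_bin_from_V() {
    sed -n 's/^[[:space:]]*-D SUEXEC_BIN="\(.*\)"$/\1/p'
}

# Print one status word for a wrapper path:
#   missing | not-setuid | not-root-owned | ok
check_wrapper() {
    if [ ! -f "$1" ]; then echo missing; return 0; fi
    if [ ! -u "$1" ]; then echo not-setuid; return 0; fi
    # Third field of `ls -ln` is the numeric owner uid; suexec must be uid 0.
    owner=$(ls -ln "$1" | awk '{print $3}')
    if [ "$owner" != 0 ]; then echo not-root-owned; return 0; fi
    echo ok
}

# Print which suEXEC message appears last in an error log:
#   enabled | wrapper-missing | unknown
log_status() {
    awk '
        /suEXEC mechanism enabled/                          { s = "enabled" }
        /SuexecUserGroup directive requires SUEXEC wrapper/ { s = "wrapper-missing" }
        END { print (s == "" ? "unknown" : s) }
    ' "$1"
}

# Usage: sh check_suexec.sh /opt/local/apache2/bin/httpd /path/to/error_log
# Name the httpd you actually run, not whichever one is first in PATH.
if [ $# -eq 2 ]; then
    bin=$("$1" -V | suexec_bin_from_V)
    echo "compiled-in wrapper: $bin ($(check_wrapper "$bin"))"
    echo "last start in log:   $(log_status "$2")"
fi
```

A result of `wrapper-missing` in the log together with `ok` for the wrapper usually means the `httpd` you queried is not the one that wrote the log, which is the mix-up between the OS X and MacPorts builds described above.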