I have migrated the OS from Centos 6 to Centos 7. Now I have lots of issues because of the upgrade. I have sorted out most of the issues except this one - CGI/Perl scripts end up with the dreaded Internal Server Error. I have dug into the log files and found that SUEXEC is complaining that 'Command not in docroot (/home/mydomain/public_html/cgi-bin/some.cgi).
This is what the suexec -V says:
suexec -V
-D AP_DOC_ROOT=“/var/www”
-D AP_GID_MIN=100
-D AP_HTTPD_USER=“apache”
-D AP_LOG_SYSLOG
-D AP_SAFE_PATH=“/usr/local/bin:/usr/bin:/bin”
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX=“public_html”
I have searched for changing the docroot for SUEXEC but met with no success.
I would be grateful for any pointers.
You cannot use suexec on Virtualmin 7 systems on CentOS, RHEL, Alma, or Rocky. We no longer distribute custom builds of httpd.
You probably shouldn’t be using CGI scripts at this point, but if you must, we added support for fcgiwrap. I’m not sure if CentOS 7 has fcgiwrap, but newer RHEL-based distros do in EPEL. That’s how we recommend running CGI scripts now. I don’t know exactly how you set that up, but you probably just need to install the package (if it’s available on CentOS 7 from the EPEL repo) and I guess Virtualmin will offer to use it for executing CGI. I haven’t used CGI in a long time, so I’m not sure about what the process looks like…but I imagine it can’t be very complicated.
But suexec is running in our system - Centos 7. And I think it is the reason why CGI scripts end up with “End of script output before header” (from apache error log) and command not in docroot (from suexec error).
It is so unfortunate that there is very little information about this. After all the work and countless hours I had spent on migrating to this server, I rue the day I consented to the migration.
That’s why you can’t use suexec on Virtualmin 7 systems. We no longer rebuild httpd packages.
You have the OS-provided httpd package, which has compiled in suexec docroot of /var/www, which is not where user homes live (and thus not where Virtualmin puts user websites). As I said, we now support fcgiwrap, which does the same thing, but without having Apache directly involved; this is potentially more secure (Apache is no longer running user code, even in a suexec-ed process), and does not require any custom packages. This is an improvement. It just doesn’t get talked about much, because CGI is considered deprecated by the web development community (and has been for some time). We still support it, it just doesn’t come up much.
Have you tried to install the fcgiwrap package, as I recommended above?
Thanks Joe. I had issues earlier with compiling apache and making it available for Virtualmin and I don’t want to risk adding additional package.
I solved the issue by removing the reference to the SuexecUserGroup.
Now the particular virtual server running the CGI scripts happily run without throwing any melodrama.
I have been maintaining these sites for almost a couple of decades and every time someone sneezes, I have to rework the scripts et al. A few months down the line, I expect to upgrade the OS and I don’t want to add one more factor to my travails.
Anyway I will compile the Apache binary with modified suexec_docroot in another server and see how it goes. Thanks again.
