Where is the suexec log on CentOS 7?

I note that suexec -V on CentOS 6 shows an AP_LOG_EXEC configuration; on CentOS 7, it does not. I note that on CentOS 6 there is a /var/log/httpd/suexec.log file with suexec issues; on CentOS 7, there is no such file.

Is this intentional? Where would I find problems with suexec logged? I thought suexec was provided by the Virtualmin repository. Curious, as we are having what I believe is a suexec issue but can’t find any log.

Howdy,

I would have figured it’d be in the same place too.

What is the output of this command:

rpm -qa | grep httpd

[root@host8 crm]# rpm -qa | grep httpd
httpd-2.4.6-18.el7.centos.vm.1.x86_64
httpd-tools-2.4.6-18.el7.centos.vm.1.x86_64
[root@host8 crm]#

On CentOS 6:

[root@host9 ~]# suexec -V
-D AP_DOC_ROOT="/home"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/httpd/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX="public_html"

On CentOS 7:

[root@host8 crm]# suexec -V
-D AP_DOC_ROOT="/home"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_SYSLOG
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX="public_html"

Not sure it matters, but you can see your AP_LOG_EXEC is missing in CentOS 7. May be intentional, just asking.

Yeah, I have a similar question / issue here as well.

[root@sv httpd]# rpm -qa | grep httpd
httpd-2.4.6-40.el7.centos.4.vm.2.x86_64
httpd-tools-2.4.6-40.el7.centos.4.vm.2.x86_64
[root@sv httpd]# suexec -V
 -D AP_DOC_ROOT="/home"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_SYSLOG
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"

That change isn’t intentional on our part, and it’s not a change that we made to the package (even though we do provide the Apache packages on CentOS), but it seems to be intentional on the part of the RHEL (and CentOS) folks. It looks like it’s sending it to syslog, but I don’t know why that would be preferable to a dedicated log. Because suexec is a specialized problem, I like having it separate. It seems y’all do, too! So, upstream has seemingly changed it to syslog, and I’m not sure why.

I’m looking into it.

Found it!

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Web_Servers.html#s2-apache-version2-changes

(Search for suexec in that, as there are a bunch of changes, not just this one.)

The reason is a great one! You just need to know that now you should look in /var/log/secure for your suexec error messages rather than in the old location. The reason is so that the suexec binary doesn’t have to start with root privileges. It uses capabilities to su to other users, but because it never runs as root, it can’t open a new log file in the Apache log directory, and can only log to syslog. That’s actually really great! (If a little inconvenient, if you’re used to the old way.)
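
An added example, not part of the original posts and not Virtualmin's or Red Hat's code: it reads `suexec -V` output to decide where that build logs, then pulls only the suexec entries out of a shared syslog file such as /var/log/secure. The function names are hypothetical, the "suexec:" / "suexec[PID]:" syslog tag is an assumption, and the sample log lines are constructed.

```shell
# Added example, not from the thread. Sample log lines are constructed.

# Read `suexec -V` output on stdin and print "<kind> <path>" for that build:
#   AP_LOG_EXEC="<path>" -> "file <path>"            (CentOS 6 output above)
#   AP_LOG_SYSLOG        -> "syslog /var/log/secure" (location given in the thread)
suexec_log_target() {
    local line path
    while IFS= read -r line; do
        case "$line" in
            *AP_LOG_EXEC=*)
                path=${line#*AP_LOG_EXEC=}
                path=${path#\"}; path=${path%\"}
                printf 'file %s\n' "$path"; return 0 ;;
            *AP_LOG_SYSLOG*)
                printf 'syslog /var/log/secure\n'; return 0 ;;
        esac
    done
    return 1    # no log destination reported
}

# Print the suexec entries from log $2 of kind $1. A syslog file is shared with
# other programs, so keep only lines tagged "suexec:" or "suexec[PID]:"
# (assumed tag format). A dedicated suexec.log is printed whole.
suexec_entries() {
    local kind=$1 file=$2
    [ -r "$file" ] || { echo "cannot read $file (try as root)" >&2; return 2; }
    if [ "$kind" = syslog ]; then
        grep -E ' suexec(\[[0-9]+\])?: ' "$file" || true   # no match is not an error
    else
        cat "$file"
    fi
}

# Offline demo on a constructed /var/log/secure excerpt.
suexec_demo() {
    local tmp; tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
Mar  3 10:15:01 host8 sshd[2201]: constructed sshd line
Mar  3 10:15:07 host8 suexec[2310]: constructed suexec line with PID
Mar  3 10:16:00 host8 suexec: constructed suexec line without PID
EOF
    printf ' -D AP_LOG_SYSLOG\n' | suexec_log_target
    suexec_entries syslog "$tmp"
    rm -f "$tmp"
}

# On a real host (2>&1 in case suexec -V writes to stderr):
#   t=$(suexec -V 2>&1 | suexec_log_target) && suexec_entries "${t%% *}" "${t#* }"
```

Run `suexec_demo` to see the filter on the constructed excerpt; on a live host /var/log/secure is normally readable only by root.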