SuExec wrapper problem in Plesk

  #1  
04-07-2001, 06:09 AM
talash
WHT Addict

Join Date: Sep 2000
Location: Calcutta, India
Posts: 143

Hi,

I am hosting with catalog.com with a Red Hat server running Plesk as server administration software. I am finding a lot of problems in this reference and would appreciate any help from you guys.

I am facing the problem in the CGI division. I am continuously getting the "Premature end of script headers" problem. Also I am getting "File Open permission denied" errors. I have shifted a lot of my customers from my previous hosting company, which has gone out of business, to this server, and many scripts which were running on the previous server are, after modification of path, not working on this server.

I have a feeling that this is due to the SuEXEC permission system, which was not there on the previous server. Can you guys advise me as to how to go about solving this problem?

I look forward to your help in desperation.

Thanx for all your help.

__________________
Submit2Please.com - Submit your site to 500+ SEO friendly directories
EasySiteEdit.com - Point. Click. Edit. Works with existing site.



  #2  
04-18-2001, 03:39 AM
Tim Greer
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,051
If you didn't have SuEXEC enabled on the previous server and do on the new one and that is creating your problems (and it definitely can if you try to just change it directly over), then you should be able to simply disable SuEXEC and that should solve the immediate problem.

To do this, locate the "suexec" file, usually in /usr/local/apache/bin or /etc/httpd/bin or /usr/sbin or /sbin, etc. (type in "locate suexec" in a shell prompt to find it, if you have that option available). When you locate it, rename it to suexec_old or something. Then, check the web server for the User and Group directives and comment them out, so you don't get errors in that aspect, and then simply restart the web server.

In the worst case, you'll need to uncomment the User and Group directives (which shouldn't be needed, unless you are using SuEXEC and have the files' ownership and permissions set accordingly), rename the suexec_old file back to its original name and restart the web server.

I'd suggest running the SuEXEC wrapper, rather than allowing people's scripts to all run as the same global user, but that doesn't require some initiative and changes, albeit fairly common, basic and simple. However, unless those changes are made (owner and group set properly, as well as permissions), then it certainly can pose a problem and give errors for certain users, depending on the permissions and ownership of files and/or directories... and what their script is doing.

  #3  
04-18-2001, 03:45 AM
talash
WHT Addict

Join Date: Sep 2000
Location: Calcutta, India
Posts: 143
Thanx Tim

Thanx Tim,

That was a useful piece of information. I hope I get it solved asap.

However, I would be grateful if you can point me to some resources in reference to Suexec!

Regards
Abhishek

  #4  
04-18-2001, 04:57 AM
Tim Greer
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,051
Re: Thanx Tim

Quote:
Originally posted by talash
Thanx Tim,

That was a useful piece of information. I hope I get it solved asap.

However, I would be grateful if you can point me to some resources in reference to Suexec!

Regards
Abhishek

Nothing better than the Apache docs. If you need any help after this, let me know. If I get some free time, I'll offer my help and get you settled. In the meantime, here's a link:

http://httpd.apache.org/docs/suexec.html

  #5  
04-18-2001, 05:40 AM
cperciva
Retired Moderator
 
Join Date: Jan 2001
Posts: 2,603
Personally I've found the suexec documentation rather lacking. This is probably deliberate: They state at one point that "if you need documentation for this you don't know enough to be using setuid code".

My preferred reference for suexec is suexec.c.

  #6  
04-18-2001, 06:19 AM
Tim Greer
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,051
Quote:
Originally posted by cperciva
Personally I've found the suexec documentation rather lacking. This is probably deliberate: They state at one point that "if you need documentation for this you don't know enough to be using setuid code".

My preferred reference for suexec is suexec.c. ;)

Ha, yes, this is true.. it can be rather daunting for people that aren't familiar. Certainly though, if people don't understand how to install it properly, they can make themselves a nice security hole. :-)

I assume that basically anyone that hasn't installed SuEXEC before, or doesn't have step-by-step instructions, will need help, because that's just the way it goes with some of the Apache modules and whatnot. :-)

  #7  
04-21-2001, 04:50 AM
talash
WHT Addict

Join Date: Sep 2000
Location: Calcutta, India
Posts: 143
help would be appreciated

Hi Tim,

Thanx for your helpful reply. I have gone through the suexec documentation several times, but have not been able to figure out a few things to get going on my server.

Firstly, I think I need to take a backup of the httpds.conf file, so that whatever goes wrong, I can get back to the original status.

Next, I want to ask: I am using Plesk, which in fact automatically updates these configuration files. Will that affect my changes? How do I go about doing it in this case?

Also, even if we remove the suexec wrapper, as specified above, will the CGI programs start running or do I need to do something special to make them run?

Any help from your side will be highly appreciated.

Regards
Abhishek Rungta


  #8  
04-21-2001, 04:59 AM
cperciva
Retired Moderator
 
Join Date: Jan 2001
Posts: 2,603
If you remove the suexec wrapper -- or more specifically, if apache can't find it when it starts -- apache will not attempt to suexec cgi scripts but will instead run them with its own privileges. Yes, cgi scripts will run, but they will be hopelessly insecure... by far the best option is to have a working (possibly heavily modified) suexec installed.

  #9  
04-22-2001, 05:40 AM
Tim Greer
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,051
Quote:
Originally posted by cperciva
If you remove the suexec wrapper -- or more specifically, if apache can't find it when it starts -- apache will not attempt to suexec cgi scripts but will instead run them with its own privileges. Yes, cgi scripts will run, but they will be hopelessly insecure... by far the best option is to have a working (possibly heavily modified ;) ) suexec installed.

Agreed, but remember too that more people than not are more likely to write CGI scripts that will open up more of a security hole for their particular account, since any scripts running as their user have permission to delete or alter all files on their account, just as their user would. Of course, if people write poor code, that's their problem and it provides better protection, globally speaking, and I would still enforce SuEXEC. If you still need help, email me and I'll see what I can do for you.

  #10  
04-22-2001, 05:45 AM
cperciva
Retired Moderator
 
Join Date: Jan 2001
Posts: 2,603
Quote:
Originally posted by Tim_Greer
[lusers are idiots]
Yes, but remember about natural selection. If you use suexec, the lusers who kill their accounts are the clueless ones who are costing you lots of support time... while if you don't use suexec, you immediately lose any clueful users you once had.

  #11  
04-22-2001, 11:15 PM
Rehan
Web Hosting Guru
 
Join Date: Oct 2000
Posts: 279
Re: help would be appreciated

Quote:
Originally posted by talash
Next, I want to ask: I am using Plesk, which in fact automatically updates these configuration files. Will that affect my changes? How do I go about doing it in this case?

Unfortunately, I think you may be out of luck... Plesk updates the httpsd.conf file anytime you make a change in the site configurations through Plesk. While you can set the httpsd.stub.head and httpsd.stub.tail files, I think there's no way to fine-tune how virtual host settings are written.

Getting the scripts to work with SuEXEC is probably less of a hassle.

  #12  
04-22-2001, 11:38 PM
thewebbie
Junior Guru Wannabe
 
Join Date: Mar 2001
Posts: 52
SUEXEC is no mystery people...

SUEXEC governs CGI security and has very strict rules. To troubleshoot CGI problems it is best that:

1) All the files must be owned by the user and group set in the VirtualHost in httpd.conf;

2) All files and directories where CGI will be executed must not be world or group writable and must be at least user exec. Directories and scripts should both be set to 755 permissions;

3) Data files that CGI scripts read and write must not be group or world writable;

4) If number 1 through 3 are true and the scripts still do not work check the following logs:
/var/log/httpd/suexec_log (this will tell you if SUEXEC is failing the script)
/var/log/httpd/error_log (this will tell you what the script is failing on if the script passes SUEXEC checks);

5) Add a "-w" to the first line of a perl script, i.e.,

#!/usr/local/bin/perl -w

This will add more verbose errors to the error_log;

6) Check your code. Frequently there may be a line not closed with ";" or a routine that is not closed;

7) Make sure that all modules and include files that are required by the scripts are located on the server and are in the proper locations.


For more help with CGI troubles, see the following resources:

Suexec Info:
http://httpd.apache.org/docs/suexec.html

Help with CGI:
http://www.stars.com/Authoring/CGI/
http://www.extropia.com/tutorials/misc/sherlock.html
http://www.extropia.com/tutorials/we...ite_intro.html

PERL resources Links:
http://www.stars.com/Authoring/Langu.../Resources.htm

__________________
http://www.internetlabs.net/
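
A report-only audit of rules 1 to 3 from the checklist above, as an added example that is not part of the original thread. The function name `suexec_audit`, the finding labels and the `*.cgi`/`*.pl` script patterns are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report-only audit of a CGI tree against
# checklist rules 1-3. Function name, labels and script patterns are assumptions.
# Usage: suexec_audit DIR USER GROUP   (USER/GROUP as set for the VirtualHost)
# Prints "label<TAB>path" per finding; returns 0 if clean, 1 otherwise.
suexec_audit() {
    dir=$1 user=$2 group=$3
    findings=$(
        # Rule 1: every file and directory owned by the vhost user and group.
        find "$dir" ! -user "$user" -exec printf 'wrong-owner\t%s\n' {} \;
        find "$dir" ! -group "$group" -exec printf 'wrong-group\t%s\n' {} \;
        # Rules 2 and 3: nothing group- or world-writable (symlinks skipped,
        # their own mode bits are not meaningful).
        find "$dir" ! -type l \( -perm -0020 -o -perm -0002 \) \
            -exec printf 'writable-by-others\t%s\n' {} \;
        # Rule 2: scripts and directories need at least the user-exec bit.
        find "$dir" \( -type d -o -type f \( -name '*.cgi' -o -name '*.pl' \) \) \
            ! -perm -0100 -exec printf 'not-user-exec\t%s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run directly: sh suexec_audit.sh /path/to/cgi-bin user group
if [ "$#" -eq 3 ]; then
    suexec_audit "$@"
fi
```

Because it changes nothing, the output can be mailed to the account owner from cron, and each finding can be compared against the matching entry in /var/log/httpd/suexec_log.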

  #13  
04-23-2001, 12:00 AM
talash
WHT Addict
 
Join Date: Sep 2000
Location: Calcutta, India
Posts: 143
The real problem

Quote:
Originally posted by cperciva


Yes, but remember about natural selection. If you use suexec, the lusers who kill their accounts are the clueless ones who are costing you lots of support time... while if you don't use suexec, you immediately lose any clueful users you once had.

You know buddy, the real problem. Most of the customers I have got are not expert with SuEXEC. They write poor codes most of the time and when the script does not run, they blame us for it. One of the customers has already left us for this.

This is the reason I want to run without SuEXEC. After reading the post that Plesk is not flexible enough to make the apache run without Plesk, I feel really tensed. I am losing the confidence to market my service though the speed is great and everything works fine.

I have to find a solution.

Abhishek


  #14  
04-23-2001, 01:34 AM
Tim Greer
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,051
Quote:
Originally posted by thewebbie
SUEXEC is no mystery people...

[SNIP]

No, it's not a mystery. In fact, provided the users have the correct permissions and everything else likely will be correct by default (i.e., ownership) upon uploading or creation, there's not really much to it -- and in reality, those scripts _should_ fail to execute. I personally believe SuEXEC should be enforced by default. However, we're talking not only about my opinions, etc., nor yours, but people that have users that SuEXEC gives the problems to, that you can explain in-depth about and they still won't get it.

Still, I think those users are going to be lost anyway at that point. But, this person was asking about this, not for their sake, but for the sake that they probably don't know how to write a cron job to go and check and set the proper permissions every-so-often, automatically. This is what I did, to avoid users having to ask questions about permissions that they didn't understand, it just fixes and sets it all for them automatically. The same can be done with the FTP server, to automatically set the proper permissions, etc. and still not just be guessing.

However, this might not be a viable solution for everyone and their business -- even if they should make it one. Basically, SuEXEC is easy to set up, and as long as people set their files at the permissions they are supposed to be, they should have no problems with SuEXEC, well, not any more problems than they would have without it anyway, which is another issue, since SuEXEC has everything set up for you and yes, the checking it does is a _good_ thing.

  #15  
04-23-2001, 02:28 AM
cperciva
Retired Moderator
 
Join Date: Jan 2001
Posts: 2,603
Quote:
Originally posted by Tim_Greer
write a cron job to go and check and set the proper permissions every-so-often, automatically. This is what I did, to avoid users having to ask questions about permissions that they didn't understand, it just fixes and sets it all for them automatically.

You know, that would *really* scare me. If my files kept having their permissions changed, I would be convinced that someone had broken into the system and was messing with stuff; I would never even consider the possibility of a cron job which was doing that.

Wouldn't it be polite to at least send an email to the relevant lusers telling them "one of your files was permitted wrong, we fixed it for you"?
