
I have an httpd server:

```apache
SuexecUserGroup         netmet netmet
DocumentRoot            /home/netmet/html
ServerName
ServerAdmin
ErrorLog                /var/log/httpd/netmet.error
TransferLog             /var/log/httpd/netmet.access
DirectoryIndex          index.cgi index.html

AliasMatch              /netmet-cgi-bin/nmHOST-4.*-DETAILS(.*)\.cgi /usr/lib/cgi-bin/netmet-cgi-bin/nmHOST-DETAILS$1.cgi
AliasMatch              /netmet-cgi-bin/nmHOST-4.*-SERVICES(.*)\.cgi /usr/lib/cgi-bin/html/netmet-cgi-bin/nmHOST-SERVICES$1.cgi
AliasMatch              /netmet-cgi-bin/nmTOP_NforORGA4-.*\.cgi /usr/lib/cgi-bin/netmet-cgi-bin/nmTOP_NforORGA.cgi

AddHandler              cgi-script .cgi .pl
```

When I try to access those scripts on my server, I get a 500 Internal Server Error, so I checked error.log:

```
[Fri Jun 02 09:07:01.467017 2017] [core:notice] [pid 31617] AH00094: Command line: '/usr/sbin/apache2'
suexec policy violation: see suexec log for more details
```

Now the suexec.log:

```
[2017-06-02 09:07:26]: uid: (1001/netmet) gid: (1001/netmet) cmd: index.cgi
[2017-06-02 09:07:26]: command not in docroot (/home/netmet/html/index.cgi)
```

After looking on the web for a solution, I found that people advise running:

```
~# /usr/lib/apache2/suexec -V
-D SUEXEC_CONFIG_DIR=/etc/apache2/suexec/
-D AP_GID_MIN=100
-D AP_LOG_EXEC="/var/log/apache2/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=100
```

Why is DOC_ROOT not displayed?

Rui F Ribeiro
klaypez

1 Answer


You can change it after installing apache2-suexec-custom:

```
apt-get install apache2-suexec-custom
```

then change the config in:

```
/etc/apache2/suexec
```

and restart the apache2 service.

  • I already tried installing it, but the thing I don't understand is that after changing the two lines in `/etc/apache2/suexec/www-data`, when I run `/usr/lib/apache2/suexec -V` it still shows **AP_DOC_ROOT="/var/www"** – klaypez Jun 02 '17 at 07:56
  • Did you restart your Apache service? – Krzysztof Stasiak Jun 02 '17 at 07:59
  • I did, but no changes appeared – klaypez Jun 02 '17 at 08:00
  • Did you install Apache from a package or build it from source? – Krzysztof Stasiak Jun 02 '17 at 08:15
  • You can build Apache from source and use --with-suexec-docroot=DIR too. – Krzysztof Stasiak Jun 02 '17 at 08:21
  • The problem is that I installed it from a package, and I don't know if building and recompiling with this command will delete existing files – klaypez Jun 02 '17 at 08:33
  • OK, I see now that you are using a non-default user for the web server; rename or copy /etc/apache2/suexec/www-data to /etc/apache2/suexec/netmet – Krzysztof Stasiak Jun 02 '17 at 12:27
  • Done, and now what's next? – klaypez Jun 02 '17 at 12:45
  • And did anything change? What is in the logs after reloading apache2 and running the script? – Krzysztof Stasiak Jun 02 '17 at 13:17
  • I solved my problem, but copying /etc/apache2/suexec/www-data to /etc/apache2/suexec/netmet didn't change anything. I did some tests, and the suexec file that apache2 uses seems to be `/etc/apache2/suexec/www-data`. Something strange is that in my httpd.conf the directive `SuexecUserGroup` specifies the user and group `netmet`, but it looks like it doesn't care about that and still uses the user `www-data`. But I've had enough problems for the moment and everything works, so it doesn't matter! Thanks for your help, and I'll tag it as solved! – klaypez Jun 02 '17 at 13:49
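
The check behind the `command not in docroot` log line, as an added example that is not part of the original thread or of Apache's own code: it reads the docroot from the first line of an apache2-suexec-custom config file and tests whether a script's resolved directory falls under it. The function name and the temporary demo tree are constructed for illustration; the Debian package names that file after the user Apache itself runs as (www-data by default), which matches what the asker observed.

```shell
#!/bin/sh
# Added example: the paths and file contents used in demo() are constructed.

# suexec_docroot_check CONFIG SCRIPT
#   0 = script directory is under the configured docroot
#   1 = "command not in docroot"
#   2 = docroot line disabled, empty, or a directory is not accessible
suexec_docroot_check() {
    config=$1
    script=$2
    # Line 1 of the file is the docroot; line 2 (userdir suffix) is not needed here.
    docroot=$(sed -n '1p' "$config")
    case $docroot in
        ''|'#'*) echo "docroot disabled or missing in $config"; return 2 ;;
    esac
    # suexec compares real directories, so resolve symlinks on both sides.
    real_root=$(CDPATH= cd -- "$docroot" 2>/dev/null && pwd -P) ||
        { echo "docroot $docroot not accessible"; return 2; }
    real_dir=$(CDPATH= cd -- "$(dirname "$script")" 2>/dev/null && pwd -P) ||
        { echo "script directory not accessible"; return 2; }
    # suexec does a plain string-prefix compare; matching on a path boundary
    # here is slightly stricter (it will not accept /var/www2 for /var/www).
    case $real_dir/ in
        "${real_root%/}"/*) echo "in docroot ($real_root)"; return 0 ;;
        *) echo "command not in docroot ($script)"; return 1 ;;
    esac
}

# Constructed tree mirroring the question: docroot /var/www, script in /home/netmet/html.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/var/www" "$t/home/netmet/html"
    : > "$t/home/netmet/html/index.cgi"
    printf '%s\npublic_html/\n' "$t/var/www" > "$t/www-data"
    suexec_docroot_check "$t/www-data" "$t/home/netmet/html/index.cgi"
    echo "exit=$?"
    # Corrected first line: the docroot now covers the vhost's DocumentRoot.
    printf '%s\npublic_html/\n' "$t/home/netmet/html" > "$t/www-data"
    suexec_docroot_check "$t/www-data" "$t/home/netmet/html/index.cgi"
    echo "exit=$?"
    rm -rf "$t"
}
demo
```

On a real host the call would take the live file and script, for example `suexec_docroot_check /etc/apache2/suexec/www-data /home/netmet/html/index.cgi`.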