# Executing CGI scripts in /home/*/public_html/cgi-bin

## Y z

I don't seem to be able to get it to work, the (I think) relevant part in commonapache.conf is:

```
 <Directory /home/*/public_html>
     AllowOverride All
     Options MultiViews -Indexes Includes FollowSymLinks +ExecCGI
     Order allow,deny
     Allow from all
 </Directory>

 <Directory /home/*/public_html/cgi-bin>
     Options +ExecCGI -Includes -Indexes
     SetHandler cgi-script
 </Directory>
```

But all I get in the error_log is:

 *Quote:*   

> [Tue Jul  9 10:26:01 2002] [error] [client 127.0.0.1] Premature end of script headers: /home/yz/public_html/test.cgi
> 
> [Tue Jul  9 10:26:42 2002] [error] (13)Permission denied: exec of /home/yz/public_html/test.cgi failed
> ...

 

I have chmod a+x the test.cgi and made sure the world has an access path to /home/yz/public_html.

The /cgi-bin/test-cgi (working from /home/httpd/cgi-bin) is working just fine...

Anyone got any suggestions?

----------

## Scandium

what about

/home/*/public_html/cgi-bin/test.cgi

?

----------

## Y z

 *Scandium wrote:*   

> what about
> 
> /home/*/public_html/cgi-bin/test.cgi
> 
> ?

 

Both ~yz/test.cgi and ~yz/cgi-bin/test.cgi do not seem to work.

----------

## Nitro

 *Y z wrote:*   

> 
> 
> But all I get in the error_log is:
> 
>  *Quote:*   
> ...

 

See that premature end of script headers?  That means you aren't providing a header, or suEXEC is nuking the script before apache sends the output.

Run "suexec -V" and it will say its log location, in most cases it should be /var/log/apache/suexec_log.  Check that file, and show us what it outputs.

Also, make sure that the CGI outputs a valid header, ie: 

```
        print "Content-type: text/html\r\n\r\n";
```

----------

## Y z

 *Nitro wrote:*   

>  *Y z wrote:*   
> 
> But all I get in the error_log is:
> 
>  *Quote:*   
> ...

 

I am doing that. Let me include the script (should have in the first place):

```
#!/usr/bin/perl
##
##
use CGI;
use CGI::Carp qw( fatalsToBrowser );

my $cgi = CGI->new;

# CGI.pm only treats arguments as named when they start with a dash
print $cgi->header,
      $cgi->start_html(-title => 'Test Page'),
      $cgi->h1("Hello world"),
      "Go away.",
      $cgi->end_html,
      "\n"
;
```

The $cgi->header does the work.

Maybe it is something deep inside Apache? Just checked my Debian box, and I can't get it to work under home/*/public_html either...

----------

## Nitro

 *Y z wrote:*   

> I am doing that.

 

 *Nitro wrote:*   

> See that premature end of script headers?  That means you aren't providing a header, or suEXEC is nuking the script before apache sends the output.
> 
> Run "suexec -V" and it will say its log location, in most cases it should be /var/log/apache/suexec_log.  Check that file, and show us what it outputs.
> 
> 

 

If you are using the standard apache ebuild, you have suEXEC, would you share with us its logs?

----------

## Y z

 *Quote:*   

> 
> 
> Run "suexec -V" and it will say its log location, in most cases it should be /var/log/apache/suexec_log.  Check that file, and show us what it outputs.
> 
> 

 

```
# suexec -V
 -D DOC_ROOT="/home/httpd/htdocs"
 -D GID_MID=100
 -D HTTPD_USER="apache"
 -D LOG_EXEC="/var/log/apache/suexec_log"
 -D SAFE_PATH="/bin:/usr/bin"
 -D UID_MID=1000
 -D USERDIR_SUFFIX="public_html"
#
```

 *Quote:*   

> 
> 
> If you are using the standard apache ebuild, you have suEXEC, would you share with us its logs?

 

```
# cat /var/log/apache/su*
cat: /var/log/apache/su*: No such file or directory
```

Strange, eh?

----------

## Nitro

 *Y z wrote:*   

> # cat /var/log/apache/su*
> 
> cat: /var/log/apache/su*: No such file or directory
> 
> Strange, eh?

 

When you start apache, do you see something like the following in your error log?: 

```
[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
```

Try touching the file, and then restarting apache to see if it will write to it.

----------

## Y z

 *Quote:*   

> When you start apache, do you see something like the following in your error log?: 
> 
> ```
> [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> ```
> ...

 

Yup: 

```
[Tue Jul  9 10:14:08 2002] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
```

 *Quote:*   

> Try touching the file, and then restarting apache to see if it will write to it.

 

Did so. Keeps empty...

Should the user 'apache' be able to execute things? Say, should

```
 # su apache -c /usr/bin/ls
```

work?

It doesn't, but I assume this is as to be expected if your shell is /bin/false; ain't it?

Still puzzled...

----------

## mrhellmann

To get cgi scripts to work in a user's directory  (/home/*/public_html/cgi-bin) you might want to take a look at this http://httpd.apache.org/docs/misc/FAQ-F.html#user-cgi.  Try number 13 in the faq.

mrhellmann

----------

## Y z

 *mrhellmann wrote:*   

> To get cgi scripts to work in a user's directory  (/home/*/public_html/cgi-bin) you might want to take a look at this http://httpd.apache.org/docs/misc/FAQ-F.html#user-cgi.  Try number 13 in the faq.
> 
> mrhellmann

 

Same negative result in both... I am really stunned by this!

----------

## Nitro

I'm really curious as to why suEXEC isn't printing.  Try taking the exec bits off the /usr/sbin/suexec, then restart apache; should say suEXEC disabled in the error log.

----------

## Y z

 *Nitro wrote:*   

> I'm really curious as to why suEXEC isn't printing.  Try taking the exec bits off the /usr/sbin/suexec, then restart apache; should say suEXEC disabled in the error log.

 

HOORAY! This turned out to be the magic sequence:

```
bash-2.05a# chmod -x /usr/sbin/suexec
bash-2.05a# /etc/init.d/apache restart
 * Stopping apache...                                                     [ ok ]
 * Starting apache...                                                     [ ok ]
bash-2.05a# less /var/log/apache/error_log
<same result>
bash-2.05a# ls -al /var/log/apache/suexec_log
-rw-r--r--    1 root     root            0 Jul 10 09:23 /var/log/apache/suexec_log
bash-2.05a# chmod a+x /usr/sbin/suexec
bash-2.05a# /etc/init.d/apache restart
 * Stopping apache...                                                     [ ok ]
 * Starting apache...                                                     [ ok ]
```

But now I wonder: what were the original mod bits on suexec?

Now it's 755, but I wonder whether that is ok?

Wow! Thanks

Y z

----------

## rac

 *Y z wrote:*   

> But now I wonder: what were the original mod bits on suexec?

 

4710, root.apache.  I don't think suexec will run unless it's suid root.

----------

## Y z

 *rac wrote:*   

>  *Y z wrote:*   But now I wonder: what were the original mod bits on suexec? 
> 
> 4710, root.apache.  I don't think suexec will run unless it's suid root.

 I guess so, but here it will only work with 4711 not with 4710. 

Is that ok?

----------

## rac

 *Y z wrote:*   

> here it will only work with 4711 not with 4710.  Is that ok?

 

You might want to have a look at http://www.geocrawler.com/archives/3/192/1997/11/100/2259366/ and see if it is relevant to your situation.

----------

## Y z

 *rac wrote:*   

>  *Y z wrote:*   here it will only work with 4711 not with 4710.  Is that ok? 
> 
> You might want to have a look at http://www.geocrawler.com/archives/3/192/1997/11/100/2259366/ and see if it is relevant to your situation.

 

Possibly, but that would not solve my problem, since it suggests the non-working 4710 instead of the working 4711.

I am once again flabbergasted...

Now I know what it is, I don't know how to proceed. 

I wonder why (apparently) so few people have encountered this?

Y z

----------

## rac

 *Y z wrote:*   

> Possibly, but that would not solve my problem, since it suggests the non-working 4710 instead of the working 4711.

 

If you're not worried about the potential exploit (ie you don't have untrusted users with accounts on the system or you don't have anything worth exploiting on the machine), then go ahead and use 4711.

Does adding your 'yz' user to the apache group affect anything?

----------

## Y z

 *rac wrote:*   

> 
> 
> If you're not worried about the potential exploit (ie you don't have untrusted users with accounts on the system or you don't have anything worth exploiting on the machine), then go ahead and use 4711.
> 
> 

 

I'll go ahead then...But it still won't execute in ~yz, only in ~yz/cgi-bin.

Good heavens...

 *rac wrote:*   

> 
> 
> Does adding your 'yz' user to the apache group affect anything?

 

It was added all the time.

Thanks for the help thus far, by the way. But the Apache has become no less mysterious a beast than it already was, I'm afraid...

Y z

----------

## rac

 *Y z wrote:*   

> it still won't execute in ~yz, only in ~yz/cgi-bin.

 

Scrolling back up the thread, it looks like the only difference between those two in your config is the "SetHandler cgi-script" - is the proper handler not being triggered?  Do you have a global "AddHandler cgi-script .cgi" somewhere?

 *Quote:*   

>  *rac wrote:*   Does adding your 'yz' user to the apache group affect anything? 
> 
> It was added all the time.

 

Oh well.  I wonder what user is attempting to run suexec that isn't in the apache group, because that's the only difference I can think of between having it 4710 and 4711.  nobody?  can't be apache.

 *Quote:*   

> But the Apache has become no less mysterious a beast than it already was, I'm afraid...

 

I'm sure you've read a fair amount of it, but there's a boatload of info at http://httpd.apache.org/docs/; related specifically to your current situation perhaps http://httpd.apache.org/docs/howto/cgi.html can do a better job of explaining running CGI programs in non-ScriptAliased directories than can the pretzel-syntax-spewing-machine that is me.

----------
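rac's reasoning about 4710 versus 4711 can be checked mechanically. The sketch below is an added example, not part of anyone's post: it evaluates the classic Unix owner/group/other execute bits for a wrapper owned by root:apache. The function names and the uid/gid numbers (81 for apache, 65534 for nobody) are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread). All uids/gids are constructed samples.

# exec_class MODE OWNER_UID GROUP_GID CALLER_UID "CALLER_GIDS"
# Prints which permission class applies to the caller: owner, group or other.
exec_class() {
    if [ "$4" -eq "$2" ]; then echo owner; return; fi
    for g in $5; do
        if [ "$g" -eq "$3" ]; then echo group; return; fi
    done
    echo other
}

# can_exec MODE OWNER_UID GROUP_GID CALLER_UID "CALLER_GIDS"
# Returns 0 if the caller may execute the file. Only one class is consulted:
# a group member is never granted access through the "other" bits.
can_exec() {
    mode=$((0$1))
    case $(exec_class "$@") in
        owner) bit=$((mode & 0100)) ;;
        group) bit=$((mode & 0010)) ;;
        other) bit=$((mode & 0001)) ;;
    esac
    [ "$4" -eq 0 ] && bit=$((mode & 0111))   # root needs any x bit
    [ "$bit" -ne 0 ]
}

# runs_as_root MODE OWNER_UID: setuid bit set and owner is uid 0, which
# suexec needs in order to switch to the script owner's uid.
runs_as_root() {
    [ $((0$1 & 04000)) -ne 0 ] && [ "$2" -eq 0 ]
}

# verdict MODE CALLER_UID "CALLER_GIDS" for a wrapper owned by root:apache
# (gid 81 is a constructed value for the apache group).
verdict() {
    if ! can_exec "$1" 0 81 "$2" "$3"; then echo "exec denied"
    elif ! runs_as_root "$1" 0; then echo "runs, but not as root"
    else echo "usable"
    fi
}
```

To apply it to a live system, take the mode, owner and group from `ls -l /usr/sbin/suexec` and the caller's ids from `id` for the account named in Apache's `User` directive.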

## Y z

 *rac wrote:*   

> 
> 
> Scrolling back up the thread, it looks like the only difference between those two in your config is the "SetHandler cgi-script" - is the proper handler not being triggered?  Do you have a global "AddHandler cgi-script .cgi" somewhere?

 

Yes, I have.

 *rac wrote:*   

> Oh well.  I wonder what user is attempting to run suexec that isn't in the apache group, because that's the only difference I can think of between having it 4710 and 4711.  nobody?  can't be apache.

 

 *rac wrote:*   

> 
> 
> I'm sure you've read a fair amount of it, but there's a boatload of info at http://httpd.apache.org/docs/; related specifically to your current situation perhaps http://httpd.apache.org/docs/howto/cgi.html can do a better job of explaining running CGI programs in non-ScriptAliased directories than can the pretzel-syntax-spewing-machine that is me.

 

Yes I have, but thanks for the pointers, anyway.

----------

## skweegie

i won't be home for 4-5 hours but the second i do i'll write a quick and dirty guide on how to do this...

quick tips btw:

i'm assuming that the WHOLE path to your user's DOCUMENT_ROOT is accessible.

(This all relates to editing your /etc/apache/conf/commonapache.conf)

1) is "AddHandler cgi-script .cgi" uncommented?

2) utilizing the runnable script directory in the user's cgi-bin is preferred since that directory can be protected somewhat (ie. not allowing includes and especially indexes which most people seem to like to have for their normal document root but not really a good idea for a directory that can run scripts since any user can just click any cgi file and run it when that directory is indexed) so...the default given in commonplace.apache is sound as is IMHO...

3) this is probably the most important and usually the cause of "Premature end of script headers":

make SURE your cgi script that you intend to run is chmod 755. nething else and it won't run...

cheers

----------
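Why "755 or it won't run" holds when suEXEC is enabled: the wrapper refuses scripts and directories that are writable by group or others, setuid/setgid scripts, and owners below its compiled-in minimum ids. The audit below is an added example, not skweegie's or Apache's code; function names and reason strings are hypothetical, the thresholds are the UID_MID/GID_MID values from the `suexec -V` output earlier in the thread, and `stat -c` assumes GNU or busybox stat.

```shell
#!/bin/sh
# Added example (not from the thread). Reason strings are this script's own,
# not suexec's log messages.
UID_MID=${UID_MID:-1000}
GID_MID=${GID_MID:-100}

# mode_problems KIND MODE: mode-bit checks for a script ("file") or its
# directory ("dir"). MODE is octal, e.g. 755. Prints one reason per line.
mode_problems() {
    m=$((0$2))
    [ $((m & 0022)) -ne 0 ] && echo "$1 is writable by group or others"
    if [ "$1" = file ]; then
        [ $((m & 06000)) -ne 0 ] && echo "file is setuid or setgid"
        [ $((m & 0100)) -eq 0 ] && echo "file is not executable by its owner"
    fi
    return 0
}

# owner_problems UID GID: low (system) ids are refused.
owner_problems() {
    [ "$1" -lt "$UID_MID" ] && echo "uid $1 is below UID_MID=$UID_MID"
    [ "$2" -lt "$GID_MID" ] && echo "gid $2 is below GID_MID=$GID_MID"
    return 0
}

# audit_cgi PATH: run the checks against a real script and its directory.
audit_cgi() {
    dir=$(dirname "$1")
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "not a regular file: $1"; return 0
    fi
    # $2-$4: script mode/uid/gid, $5-$7: directory mode/uid/gid
    set -- "$1" $(stat -c '%a %u %g' "$1") $(stat -c '%a %u %g' "$dir")
    mode_problems file "$2"
    mode_problems dir "$5"
    owner_problems "$3" "$4"
    if [ "$3" != "$6" ] || [ "$4" != "$7" ]; then
        echo "script and directory owner/group differ"
    fi
    return 0
}
```

Run it as `audit_cgi /home/yz/public_html/cgi-bin/test.cgi`; no output means none of these checks would reject the script.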

## Y z

 *skweegie wrote:*   

> the default given in commonplace.apache is sound as is 

 

That may be true, but the fact remains that I have to set the suexec mod bits to 4711 instead of the default 4710!!

----------

## skweegie

whoops, didn't read concise enough to see that you did get your script working in ~yz/cgi-bin

note 4710 for suexec is valid and preferred. (you did add user "apache" to the "users" group yes? if not, do so and either stop apache and telinit 1 and then telinit 3 and restart apache or reboot(easier) )

what i meant by #2 in my initial reply is that utilizing a cgi-bin if you allow UserDir is preferred since you can mainly stop Indexing for that directory so you can stop any user from freeclicking and hence running your cgi scripts.

neways, if you want to be able to run cgi scripts anywhere in your user's DOCUMENT_ROOT you can either:

through editing commonapache.conf

1) remove "cgi-bin" from the directory line where you define your user's directories:

instead of:

```
<Directory /home/*/public_html/cgi-bin>
     Options +ExecCGI -Includes -Indexes
     SetHandler cgi-script
</Directory>
```

it would be:

```
<Directory /home/*/public_html>
     Options +ExecCGI -Includes -Indexes
     SetHandler cgi-script
</Directory>
```

please note that doing it this way would restrict your whole user's DOCUMENT_ROOT to almost the same restrictions as a normal cgi-bin (no Includes nor Indexes)

or

2) easier way and what a lot of hosts do that allows their users to run cgi scripts anywhere in their DOCUMENT_ROOT

a) comment out the section above

b) edit the main settings for the user directory settings (the section right above the one i displayed above)

* add +ExecCGI to Options

* add the SetHandler cgi-script to the above

so instead of:

```
<Directory /home/*/public_html>
    AllowOverride All
    Options MultiViews Indexes Includes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
```

it would be:

```
<Directory /home/*/public_html>
    AllowOverride All
    Options MultiViews Indexes Includes FollowSymLinks +ExecCGI
    SetHandler cgi-script
    Order allow,deny
    Allow from all
</Directory>
```

if you do choose option #2, please place an empty DirectoryIndex file (index.html, index.php etc etc) so that you can't view the directory index...

again, make sure any script you intend to run is 755

cheers

----------

## Y z

 *skweegie wrote:*   

> whoops, didn't read concise enough to see that you did get your script working in ~yz/cgi-bin
> 
> note 4710 for suexec is valid and preferred. (you did add user "apache" to the "users" group yes? if not, do so and either stop apache and telinit 1 and then telinit 3 and restart apache or reboot(easier) )
> 
> what i meant by #2 in my initial reply is that utilizing a cgi-bin if you allow UserDir is preferred since you can mainly stop Indexing for that directory so you can stop any user from freeclicking and hence running your cgi scripts.
> ...

 

Thanks for your long and clear answer. I tried both your suggestions (restarting apache with

```
/etc/init.d/apache restart
```

). But alas, as soon as I change the mod bits to 4710, the cgi scripts stop working (and yes, they are chmod'ed to 755).

I guess I have to live with it...

Y z

----------

## jaadugar

according to this page (straight from the apache web pages):

http://httpd.apache.org/docs/suexec_1_2.html

they use mode 4711 at the very bottom - so unless I am wrong I think it's an ebuild bug and the permission was set wrong (to 4710 instead of 4711)

----------

## rac

 *jaadugar wrote:*   

> I think it's an ebuild bug and the permission was set wrong (to 4710 instead of 4711)

 

Have you seen suexec/1469: suexec allows intermediate directories with unsafe permissions?

----------

