Hi,
I just upgraded tp apache 2.5 from 1.3 and found out that my virtual sites do not work properly. When I try starting the httpd, I get:
User cannot occur within <VirtualHost> section.
I found out that Suexec is disabled by default.
I did a lilttle research on how to enable it, but got lost. I believe that I have to reinstall the package, is this true?
When I look at the apache 2.5 package, I see that there are suexec files, how can I insstall these without recompiling everything?
Following is taken from my httpd.conf file:


NameVirtualHost *:80

<VirtualHost *:80>
User "#1152"
Group "#1014"
ServerName virtuser.com
ServerAlias www.virtuser.com
DocumentRoot /home/virtuser/public_html
ErrorLog /home/virtuser/logs/error_log
CustomLog /home/virtuser/logs/access_log common
ScriptAlias /cgi-bin/ /virtuser/bdavis/cgi-bin/
<Directory /home/virtuser/public_html>
Options Indexes IncludesNOEXEC FollowSymLinks
</Directory>
</VirtualHost>

I am also wondering why I have httpd is running with version 2..xx, whereas I used to have apache runnig when I used to have apache 1.3 ?

PS: I am using Debian 3.x...
I will appreciate any suggestion, thanks...

This is me again,
I found this link on how to enable suexec, http://httpd.apache.org/docs-2.0/suexec.html ;however I do not understand the configuring and installing part, WHEN and WHERE do I do this?

Couple of things... Apache is currently at 2.0.53.... not 2.5.

Next... it's not "user" and "group". The directive you want is...

SuexecUserGroup username group

So you just need this one line added to your virtualhost section. Just change the username and group to whatever you want.

Once you have added the directive, you should be able to start apache. Once you do, check to see if you have a "suexec" log. It should be under /var/log, or somewhere else if you have specified an alternate location in your config file. Checking the log, you should see any problems listed. When you successfully execute a script on your website, you should see the name of the script, the user, and the group showing up in the suexec log, or you'll see an error instead.

Donboy,
Sorry, could not reply earlier coz I was at school, appreciate your reply though..Also, I should admit I was sluggish about versioning apache..

Okay,
when I do
SuexecUserGroup nameofthegroup nameoftheuser
if I try to start/stop the apache server, I get error similar to SuexecUserGroup is mispelled..
As I am new to linux world, I am thinking that SuexecUserGroup belongs to a module, which should have been loaded, so right after loading php module I added:

LoadModule php4_module /usr/lib/apache2/modules/libphp4.so
LoadModule suexec_module /usr/lib/apache2/modules/mod_suexec.so

After editing the conf file as above, I could not even save the file to exit it as I gave errors about the module doesnot belong usr/lib/apache2/modules/mod_suexec.c file and/or class...

I think the cause of the error message is that I never enable the module so the server can load..Again if so, how do I enable it?
Please correct me if I am wrong..

Instead of loading, should I have done something similar to adding type as following??

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

If you or anyone can shed some light on my questions, I'd appreciate it..

Ok, try running...

apachectl -l

Which is a lowercase "L". This will list all the modules you have compiled. Here's mine...

[root@slaveone root]# apachectl -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c

You'll note the last one.... mod_so.c which is arguably the most valuable. The reason is because it allows you to include new modules using the config file instead of having to compile them into the base package using configure/make/make install. My assumption is that you DONT have this included in yours.

If that's the case, then you'll want to run configure/make/make install again and be sure to enable mod_so during this step. All you really need to enable are the ones I've listed in my example above. If you enable any others, they will be statically compiled into the apache binary. While this will make your apache binary faster and lighter it will also make it harder to add/remove these modules later becasue you'll have to run configure/make/make install again, which is a royal pain.

My advice would be to include any modules you MUST have (like mod_so and the suexec module) and compile them into the apache binary. The rest, you can plan to include "dynamically" using statements added to the config file.

You can look here for the different options you can give your configure command.

http://httpd.apache.org/docs-2.0/pro...configure.html

Here's my options I used for suexec...

--enable-suexec
--with-suexec
--with-suexec-caller=apache
--with-suexec-docroot=/home
--with-suexec-logfile=/var/log/httpd/suexec.log
--with-suexec-bin=/usr/sbin/suexec
--with-suexec-uidmin=500
--with-suexec-gidmin=100

the suexec caller is the user apache will use in the event that none is specified in your httpd.conf file. The docroot is the part of your tree you want governed by suexec. /home makes sense because normally you probably want to have user's home directories running suexec'd files. The uid and gid minimum are the lowest ID's on the system who are allowed to call suexec. So if you have users beginning at user #500 on your system, you can set this for 500 and all the rest are assumed to be "system" accounts that were created for other purposes and will not be running suexec'd files.

Hope that helps.

First of, Thank you for the reply,
this is what I get after apachectl -l:

Compiled in modules:
core.c
mod_access.c
mod_auth.c
mod_include.c
mod_log_config.c
mod_env.c
mod_setenvif.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_asis.c
mod_cgi.c
mod_negotiation.c
mod_dir.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_so.c

I have mod_so.c, so in general settings in conf file I put:

LoadModule suexec_module /usr/lib/apache2/modules/mod_suexec.so

And in vitual server settings sections I pasted your config since my users' and groups' ids are > 1000.

# Use name-based virtual hosting.
#
NameVirtualHost *:80


--enable-suexec
--with-suexec
--with-suexec-caller=apache
--with-suexec-docroot=/home
--with-suexec-logfile=/var/log/httpd/suexec.log
--with-suexec-bin=/usr/sbin/suexec
--with-suexec-uidmin=500
--with-suexec-gidmin=100

<VirtualHost *:80>
#User "#1152"
#Group "#1014"
SuexecUserGroup #1152 #1014
ServerName users.com
ServerAlias www.users.com
DocumentRoot /home/users/public_html
ErrorLog /home/users/logs/error_log
CustomLog /home/users/logs/access_log common
ScriptAlias /cgi-bin/ /home/users/cgi-bin/
<Directory /home/users/public_html>
Options Indexes IncludesNOEXEC FollowSymLinks
</Directory>
</VirtualHost>

I know somewhere I am making a mistake, but I just can not see it, any help will br utmost appreciated...

Thanks...

Hmmm... the only thing I can figure is your user and group needs to be the actual username and groupname instead of their numeric ID's. The User comes first and the group second.

Either that, or your module isn't found at the location you specified.

I try their actual user and group name, no luck...

As for module not being loaded from a specified location, I tried:

less /usr/lib/apache2/modules/mod_suexec.so
"/usr/lib/apache2/modules/mod_suexec.so" may be a binary file. See it anyway?

Does that mean that I have the location??

Also, I do not know if mentioned this earlier or not, but I have apache 1.3.xx laying around the server, do you think it is interfering with anything I am doing here..

Let's say that all fails, I would like to remove all apache related stuff and reinstall it again, but I do not want to lose any of the public_html dirs under home.. How would I do this??
Thanks again....

The two versions sitting on the same machine should not interfere with each other. And it looks like everything is where it belongs.

Did you actually run the configure command again? Or did you just add the module lines to the config file only?

Removing the old apache will not remove your public html directories.

Remind me again... what is the error you're getting? I looked up earlier in the thread but I didn't see it. Are you getting an error when trying to start apache? You should check all of your apache error logs and see what errors are being given when you try to start.

Hey there,

"Did you actually run the configure command again? Or did you just add the module lines to the config file only?">>>>>>>
I just added the lined to conf file..I am sure this is not the way it supposed to be...

After I added the above mentioned lined to the conf file, I tried restarting the server, but I got:

Syntax error on line 1036 of /usr/local/conf/httpd.conf:
Invalid command '--enable-suexec', perhaps mis-spelled or defined by a module not included in the server configuration

Above is the only error I can find..
Thanks in advance again..

Uhhh.... If you have this line...

--enable-suexec

located in your httpd.conf, this is incorrect. You need to remove this line and any like them.

These lines are needed for when you run the --configuire command for apache. They don't go in httpd.conf.

Maybe try removing them and see if it starts.

Hey Donboy,

I remove any line like --enable......
When I try stopping the server, I got:

mail:/usr/local/logs# /usr/local/bin/apachectl stop
Warning: SuexecUserGroup directive requires SUEXEC wrapper.

Obviously I am doing something wrong, but I feel that I am almost there..
When you say --enable and alike commands go with --configuire command for apache, how do I do this at this point? Is it possible??
Thanks again..

Ok, it sounds like you just need to run configure it so it's enabled.

When you installed apache, do you still have the original source? What i mean is, I'm guessing you unpacked a tar.gz file and did...

./configure
make
make install

Is that correct?

If so, you need to go back to the source and run configure again, but with something like this...

./configure \
--enable-suexec \
--with-suexec \
--with-suexec-caller=apache \
--with-suexec-docroot=/home \
--with-suexec-logfile=/var/log/httpd/suexec.log \
--with-suexec-bin=/usr/sbin/suexec \
--with-suexec-uidmin=500 \
--with-suexec-gidmin=100

(notice all of the lines end with a slash except the last one. This is so we continue the same command on subsequent lines)

But the deal is... there could be a LOT more statements you need to add to this configure line. You probably need to look at the link I provided here...

http://httpd.apache.org/docs-2.0/pro...configure.html

and see if there are any statements you need to add or remove. I know this sucks having to read all of these, but it's better to know what you're doing instead of just taking the defaults. By getting specific, you can better secure your system by not enableing things you will never use. You are going to open port 80 on your box. This means, ALL of apache is available to public scrutiny. So you should disable as much of this junk as possibile so you're running only what you need. Just my opinion and advice.

Anyway, run apachectl -l again to see what modules you have included. You can adjust your configure statement to get the desired results.

When you've run the ./configure command with all of those arguments, then run make, make install and you're in business.

Donboy,
THanks a million for your help, only after your tips and tricks I understood what I was doing..
The whole apache manual began to make sense..thanks again..

I have the same error
Warning: SuexecUserGroup directive requires SUEXEC wrapper

Just I rent a VPS with debian and VHCS Control Panel. By default suexec is disabled.

I put in virtual host definition something like
SuexecUserGroup vu2001 vu2001



After I put
In /etc/apache2/mods-available I found suexec.load and I put a symlink in /etc/apache2/mods-enabled
suexec.load contain:
LoadModule suexec_module /usr/lib/apache2/modules/mod_suexec.so
Also I found /usr/lib/apache2/suexec2

I run:


ovidnet:/usr/lib/apache2# ./suexec2 -V
-D AP_DOC_ROOT="/var/www"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="www-data"
-D AP_LOG_EXEC="/var/log/apache2/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=100
-D AP_USERDIR_SUFFIX="public_html"

all the paths seems to be ok, only the userdir is htdocs not public_html

apache2ctl -l
Compiled in modules:
core.c
mod_access.c
mod_auth.c
mod_log_config.c
mod_logio.c
mod_env.c
mod_setenvif.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_negotiation.c
mod_dir.c
mod_alias.c
mod_so.c

phpinfo(); returns

Loaded Modules core mod_access mod_auth mod_log_config mod_logio mod_env mod_setenvif prefork http_core mod_mime mod_status mod_autoindex mod_negotiation mod_dir mod_alias mod_so mod_cgi mod_dav mod_php4 mod_rewrite mod_suexec mod_userdir


My question is what can I to to bind apache with suexec2 to work corectly ?
I need to recompile apache ?
Thanks