From: Thomas L. <th...@th...> - 2007-01-27 06:17:30
Looked through the mailing list archive and didn't see any comments along the lines below... apologies if I missed them... can't read everything that flies across the list.

a) Mandriva 2006 users should know that enabling mod_suexec requires editing this configuration file:

    /etc/httpd/modules.d/69_mod_suexec.conf

and uncommenting the lines there... WebMin / VirtualMin does not appear to be aware of this, and thus mucking around in it is futile

b) more importantly, umm... suddenly making this a requirement for VirtualMin to run, and then encouraging people to just enable this seems to be somewhat problematic... if you read the documentation from the Apache Group on this, they are pretty clear that if you don't know what you're doing, you shouldn't enable this. See page below:

    http://httpd.apache.org/docs/2.0/suexec.html

Me, o.k., I can probably handle this, given that I've been sysadmining since 1994... BUT, I made the apparently naive assumption that if enabling this was significant, given that this was an apparently new requirement, that something would pop up somewhere in VirtualMin to say, "Uh, hey - enabling this can bleep up your CGI scripts royally. Make sure your apache suexec configuration is correct and everything still works after you enable this."

One of my hosting clients just emailed me to say that all of his cgi scripts were suddenly producing error 500 messages... which, after some investigation, seems to be a common side effect of a misconfigured mod_suexec (all I did to enable it was to uncomment a single line in the file above)...

the suexec.log file is filled with entries of this sort, as a result:

    [2007-01-18 16:20:17]: uid: (0/root) gid: (108/108) cmd: mt-tb.cgi
    [2007-01-18 16:20:17]: cannot run as forbidden uid (0/mt-tb.cgi)

This is the line I uncommented from the modules.d conf file:

    SuexecUserGroup root apache

I haven't put that much time into it, but nothing immediately leaped out at me about how to fix this problem when I glanced through the documentation... I'm wondering if someone on this list can provide me with a quick fix or insight into what I need to modify...

I was a bit surprised and apprehensive about enabling this, given that I've never used it before, and it appears my fears were justified. I wonder how many other folks have enabled this, only to run into the same problem?

Regards,
Thomas Leavitt

--
Thomas Leavitt - th...@th... - 831-295-3917 (cell)
*** Independent Systems and Network Consultant, Santa Cruz, CA ***
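
An added example, not part of the original message: a small parser for suexec.log that pairs each request line with the "forbidden uid" refusal that follows it, so an administrator can see which target accounts suexec is rejecting (suexec refuses a superuser target, which matches the uid 0 entries quoted above). The first two sample lines are the ones from the post; the rest are constructed, and the field names (`uid`, `user`, `gid`, `group`) are this example's reading of the log format.

```python
import re
from collections import Counter

# First two lines are quoted in the post; the others are constructed samples.
SAMPLE_LOG = """\
[2007-01-18 16:20:17]: uid: (0/root) gid: (108/108) cmd: mt-tb.cgi
[2007-01-18 16:20:17]: cannot run as forbidden uid (0/mt-tb.cgi)
[2007-01-18 16:21:02]: uid: (0/root) gid: (108/108) cmd: mt.cgi
[2007-01-18 16:21:02]: cannot run as forbidden uid (0/mt.cgi)
[2007-01-18 16:22:40]: uid: (501/alice) gid: (501/alice) cmd: form.cgi
"""

# Request line: "[ts]: uid: (a/b) gid: (c/d) cmd: name"
REQUEST = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: uid: \((?P<uid>[^/]*)/(?P<user>[^)]*)\) "
    r"gid: \((?P<gid>[^/]*)/(?P<group>[^)]*)\) cmd: (?P<cmd>.+)$")
# Refusal line: "[ts]: cannot run as forbidden uid (uid/cmd)"
FORBIDDEN = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: cannot run as forbidden uid "
    r"\((?P<uid>\d+)/(?P<cmd>[^)]+)\)$")

def parse_suexec_log(text):
    """Return one dict per request line; 'rejected' becomes True when the
    next matching line is a 'forbidden uid' refusal for the same command."""
    events, last = [], None
    for line in text.splitlines():
        line = line.strip()
        m = REQUEST.match(line)
        if m:
            last = dict(m.groupdict(), rejected=False)
            events.append(last)
            continue
        m = FORBIDDEN.match(line)
        if m and last and last["cmd"] == m["cmd"] and not last["rejected"]:
            last["rejected"] = True
            last["forbidden_uid"] = int(m["uid"])
    return events

def rejected_summary(events):
    """Count refusals per (user, forbidden uid) pair."""
    return Counter((e["user"], e["forbidden_uid"])
                   for e in events if e["rejected"])

if __name__ == "__main__":
    summary = rejected_summary(parse_suexec_log(SAMPLE_LOG))
    for (user, uid), n in summary.items():
        print(f"{n} CGI request(s) refused: target {user!r} has forbidden uid {uid}")
```

Any account that shows up in the summary is one suexec will not run CGI as, so the `SuexecUserGroup` directive naming it is the place to look.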