From: Jamie C. <jca...@we...> - 2007-01-27 07:45:54
On 26/Jan/2007 22:17 Thomas Leavitt wrote ..
> Looked through the mailing list archive and didn't see any comments
> along the lines below... apologies if I missed them... can't read
> everything that flies across the list.
>
> a) Mandriva 2006 users should know that enabling mod_suexec requires
> editing this configuration file: /etc/httpd/modules.d/69_mod_suexec.conf
> and uncommenting the lines there... WebMin / VirtualMin does not appear
> to be aware of this, and thus mucking around in it is futile

If you enable an Apache module like this, it may be necessary to go to Webmin's Apache Webserver module, click on Re-Configure Known Modules, and click Configure. Then Virtualmin will realize that it is installed.

> b) more importantly, umm... suddenly making this a requirement for
> VirtualMin to run, and then encouraging people to just enable this seems
> to be somewhat problematic... if you read the documentation from the
> Apache Group on this, they are pretty clear that if you don't know what
> you're doing, you shouldn't enable this. See page below:

It's not really a requirement, unless you configure Virtualmin to add Apache directives for suexec. This is done on the Server Templates page, in the Apache website section, using the 'Automatically add appropriate SuExec directive?' field. Some older Virtualmin releases didn't check that mod_suexec was enabled even if you requested it..

> http://httpd.apache.org/docs/2.0/suexec.html
>
> Me, o.k., I can probably handle this, given that I've been sysadmining
> since 1994... BUT, I made the apparently naive assumption that if
> enabling this was significant, given that this was an apparently new
> requirement, that something would pop up somewhere in VirtualMin to say,
> "Uh, hey - enabling this can bleep up your CGI scripts royally. Make
> sure your apache suexec configuration is correct and everything still
> works after you enable this."
>
> One of my hosting clients just emailed me to say that all of his cgi
> scripts were suddenly producing error 500 messages... which, after some
> investigation, seems to be a common side effect of a misconfigured
> mod_suexec (all I did to enable it was to uncomment a single line in the
> file above)... the suexec.log file is filled with entries of this sort,
> as a result:
>
>
> [2007-01-18 16:20:17]: uid: (0/root) gid: (108/108) cmd: mt-tb.cgi
> [2007-01-18 16:20:17]: cannot run as forbidden uid (0/mt-tb.cgi)
>
> This is the line I uncommented from the modules.d conf file:
>
> SuexecUserGroup root apache

That's rather surprising - normally this is added to <virtualhost> sections that need it, rather than globally. That must be something special Mandrake does..

> I haven't put that much time into it, but nothing immediately leaped out
> at me about how to fix this problem when I glanced through the
> documentation... I'm wondering if someone on this list can provide me
> with a quick fix or insight into what I need to modify... I was a bit
> surprised and apprehensive about enabling this, given that I've never
> used it before, and it appears my fears were justified.

If you don't need suexec and have been running fine without it, turn off the Apache module and configure Virtualmin on the Server Templates page to not add suexec directives.

 - Jamie
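
A small audit for the two symptoms discussed in this thread, added here as an example and not part of the original messages: it flags `SuexecUserGroup` directives that name root or sit outside a `<VirtualHost>` section, and pulls the refused commands out of `suexec.log`. The sample config, host name and unprivileged user/group names are constructed; the log lines and the root directive are the ones quoted above.

```python
import re

# Constructed sample config; line 2 is the directive quoted in the thread.
SAMPLE_CONF = """\
LoadModule suexec_module modules/mod_suexec.so
SuexecUserGroup root apache
<VirtualHost *:80>
    ServerName example.test
    SuexecUserGroup exampleuser examplegroup
</VirtualHost>
"""
# Log lines as quoted in the thread.
SAMPLE_LOG = """\
[2007-01-18 16:20:17]: uid: (0/root) gid: (108/108) cmd: mt-tb.cgi
[2007-01-18 16:20:17]: cannot run as forbidden uid (0/mt-tb.cgi)
"""

def audit_conf(text):
    """Return (line_no, scope, user, group, problems) per SuexecUserGroup."""
    findings, scope = [], "global"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comment lines
            continue
        low = line.lower()
        if low.startswith("<virtualhost"):
            scope = "virtualhost"
        elif low.startswith("</virtualhost"):
            scope = "global"
        m = re.match(r"suexecusergroup\s+(\S+)\s+(\S+)", line, re.I)
        if m:
            user, group = m.groups()
            problems = []
            if user in ("root", "#0"):
                problems.append("targets uid 0, which suexec refuses to run as")
            if scope == "global":
                problems.append("set globally instead of per virtual host")
            findings.append((no, scope, user, group, problems))
    return findings

def forbidden_uid_cmds(log):
    """Return (uid, cmd) for each 'cannot run as forbidden uid' entry."""
    pat = re.compile(r"cannot run as forbidden uid \((\d+)/([^)]+)\)")
    return [(int(m.group(1)), m.group(2)) for m in pat.finditer(log)]

if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_CONF):
        print(finding)
    print(forbidden_uid_cmds(SAMPLE_LOG))
```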