Apache Security - Ivan Ristic [84]
Table 6-2. suEXEC error messages
| Error message | Description |
|---|---|
| User mismatch (%s instead of %s) | The suEXEC binary can only be invoked by the user specified at compile time with the --with-suexec-caller option. |
| Invalid command (%s) | The command begins with /, or begins with ../, or contains /../. None of these are allowed. The command must be in the current working directory or in a directory below it. |
| Invalid target user name: (%s) | The target username is invalid (not known to the system). |
| Invalid target user id: (%s) | The target uid is invalid (not known to the system). |
| Invalid target group name: (%s) | The target group name is invalid (not known to the system). |
| Cannot run as forbidden uid (%d/%s) | An attempt to execute a binary as user root was made or the uid is smaller than the minimum uid specified at compile time with the --with-suexec-uidmin option. |
| Cannot run as forbidden gid (%d/%s) | An attempt to execute a binary as group root was made or the gid is smaller than the minimum gid specified at compile time with the --with-suexec-gidmin option. |
| Failed to setgid (%ld: %s) | Change to the target group failed. |
| Failed to setuid (%ld: %s) | Change to the target user failed. |
| Cannot get current working directory | suEXEC cannot retrieve the current working directory. This would possibly indicate insufficient permissions for the target user. |
| Cannot get docroot information (%s) | suEXEC cannot get access to the document root. For nonuser requests, the document root is specified at compile time using the --with-suexec-docroot option. For user requests (in the form of ~username), the document root is constructed at runtime when the public subfolder defined with the --with-suexec-userdir option is appended to the user's home directory. |
| Command not in docroot (%s) | The target file is not within the allowed document root directory. See the previous message description for a definition. |
| Cannot stat directory: (%s) | suEXEC cannot get information about the current working directory. |
| Directory is writable by others: (%s) | Directory in which the target binary resides is group or world writable. |
| Cannot stat program: (%s) | This probably means the file is not found. |
| File is writable by others: (%s/%s) | The target file is group or world writable. |
| File is either setuid or setgid: (%s/%s) | The target file is marked setuid or setgid. |
| Target uid/gid (%ld/%ld) mismatch with directory (%ld/%ld) or program (%ld/%ld) | The file and the directory in which the file resides must be owned by the target user and target group. |
| File has no execute permission: (%s/%s) | The target file is not marked as executable. |
| AP_SUEXEC_UMASK of %03o allows write permission to group and/or other | This message is only a warning. The selected umask allows group or world write access. |
| (%d)%s: exec failed (%s) | Execution failed. |
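
A pre-flight check for the command, identity, and file conditions listed in Table 6-2, useful for diagnosing a script before suEXEC rejects it. This is an added example, not code from the book or from suEXEC itself; the function name, its parameters, and the default minimum ids are assumptions. Unlike suEXEC it reports every finding it can instead of stopping at the first one, and it does not check the document root.

```python
import os
import stat

WRITABLE = stat.S_IWGRP | stat.S_IWOTH   # group or world write bits


def suexec_preflight(cmd, cwd, uid, gid, uidmin=100, gidmin=100):
    """Return the Table 6-2 messages that cmd, run from cwd, would trigger.

    Hypothetical helper: uidmin/gidmin stand in for the values given to
    --with-suexec-uidmin and --with-suexec-gidmin at compile time.
    """
    # The command must sit in cwd or below it: no absolute path, no traversal.
    if cmd.startswith("/") or cmd.startswith("../") or "/../" in cmd:
        return [f"Invalid command ({cmd})"]
    found = []
    # root and ids below the compiled-in minimum are never valid targets.
    if uid == 0 or uid < uidmin:
        found.append(f"Cannot run as forbidden uid ({uid}/{cmd})")
    if gid == 0 or gid < gidmin:
        found.append(f"Cannot run as forbidden gid ({gid}/{cmd})")
    try:
        d = os.lstat(cwd)
    except OSError:
        return found + [f"Cannot stat directory: ({cwd})"]
    if d.st_mode & WRITABLE:
        found.append(f"Directory is writable by others: ({cwd})")
    try:
        p = os.lstat(os.path.join(cwd, cmd))
    except OSError:
        return found + [f"Cannot stat program: ({cmd})"]
    if p.st_mode & WRITABLE:
        found.append(f"File is writable by others: ({cwd}/{cmd})")
    if p.st_mode & (stat.S_ISUID | stat.S_ISGID):
        found.append(f"File is either setuid or setgid: ({cwd}/{cmd})")
    # Directory and program must both belong to the target user and group.
    if (d.st_uid, d.st_gid) != (uid, gid) or (p.st_uid, p.st_gid) != (uid, gid):
        found.append(f"Target uid/gid ({uid}/{gid}) mismatch with directory "
                     f"({d.st_uid}/{d.st_gid}) or program ({p.st_uid}/{p.st_gid})")
    # Assumption: the owner execute bit is the one that matters.
    if not p.st_mode & stat.S_IXUSR:
        found.append(f"File has no execute permission: ({cwd}/{cmd})")
    return found


if __name__ == "__main__":
    # Constructed invocation: check ./index.cgi for uid/gid 1000.
    for message in suexec_preflight("index.cgi", os.getcwd(), 1000, 1000):
        print(message)
```
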
Using suEXEC outside virtual hosts
You can use suEXEC outside virtual hosts with the help of the mod_userdir module. This is useful in cases where the system is not (or at least not primarily) a virtual hosting system, but users want to obtain their home pages using the ~username syntax. The following is a complete configuration example. You will note suEXEC is not explicitly configured here. If it is configured and compiled into the web server, as shown previously, it will work automatically:
UserDir public_html
UserDir disabled root
# Give users some control in their .htaccess files.
AllowOverride AuthConfig Limit Indexes
# Conditional symbolic links and SSIs without execution.
Options SymLinksIfOwnerMatch IncludesNoExec
# Allow GET and POST.
Order Allow,Deny
Allow from all
# Deny everything