SuexecUserGroup configured, but suEXEC is disable

I set up in a VM the latest Ubuntu Server 16.04 LTS for testing. Virtualmin installs Apache 2.4, MySQL 5.7, PHP 7.0. After setting it up and checking if is ready, PHP is not running with the webserver. Accessing a php file will get a download file. I tried many things but it seems Virtualmin is not creating any webserver logs in /var/log/virtualmin for checking what is wrong. Checking /var/log/apache there are no errors in those files.

When I give "apache2ctl graceful" command I am getting this error message:

[Sun Jun 12 23:41:38.567178 2016] [so:warn] [pid 3268] AH01574: module dav_module is already loaded, skipping AH00526: Syntax error on line 2 of /etc/apache2/sites-enabled/mydomain.ro.conf: SuexecUserGroup configured, but suEXEC is disabled: Invalid owner or file mode for /usr/lib/apache2/suexec Action 'graceful' failed. The Apache error log may have more information.

It seems something is wrong with suEXEC configuration. Any thoughts?

Status: 
Active

Comments

Howdy -- hmm, what is the output of these commands:

ls -l /usr/lib/apache2/suexec
dpkg -l 'apache2*'
ls /etc/apache2/mods-enabled

For command: ls -l /usr/lib/apache2/suexec

lrwxrwxrwx 1 root root 24 Jun 13 12:15 /usr/lib/apache2/suexec -> /etc/alternatives/suexec

For command: dpkg -l 'apache2*'

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  apache2        2.4.18-2ubun amd64        Apache HTTP Server
un  apache2-api-20 <none>       <none>       (no description available)
ii  apache2-bin    2.4.18-2ubun amd64        Apache HTTP Server (modules and o
ii  apache2-data   2.4.18-2ubun all          Apache HTTP Server (common files)
ii  apache2-doc    2.4.18-2ubun all          Apache HTTP Server (on-site docum
un  apache2-suexec <none>       <none>       (no description available)
ii  apache2-suexec 2.4.18-2ubun amd64        Apache HTTP Server configurable s
un  apache2-suexec <none>       <none>       (no description available)
ii  apache2-utils  2.4.18-2ubun amd64        Apache HTTP Server (utility progr
un  apache2.2-bin  <none>       <none>       (no description available)
un  apache2.2-comm <none>       <none>       (no description available)

For command: ls /etc/apache2/mods-enabled

access_compat.load  authz_host.load  deflate.load  mpm_prefork.conf    ssl.conf
actions.conf        authz_svn.load   dir.conf      mpm_prefork.load    ssl.load
actions.load        authz_user.load  dir.load      negotiation.conf    status.conf
alias.conf          autoindex.conf   env.load      negotiation.load    status.load
alias.load          autoindex.load   fcgid.conf    php7.0.conf         suexec.load
auth_basic.load     dav.load         fcgid.load    php7.0.load
authn_core.load     dav_svn.conf     filter.load   setenvif.conf
authn_file.load     dav_svn.load     mime.conf     setenvif.load
authz_core.load     deflate.conf     mime.load     socache_shmcb.load

PS - this forum is not sending any messages to inform me you replied.

Very strange, I can run a php file in Apache default /var/www/html but not in one created by Virtualmin. I will check default configuration versus Virtualmin. I guess something is happening from SuexecUserGroup "#1001" "#1001" set by Virtualmin.

If there is a virtual server created by Virtualmin Apache2 won't start. It is clear there is something in that conf file which is not correct for Apache.

It looks like part of the output from the package listings was cut off... could you run this command:

dpkg -l apache2-suexec-custom

That will show whether the apache2-suexec-custom is installed, which we want rather than just apache2-suexec.

This is the part you requested:

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                           Version              Architecture         Description
+++-==============================-====================-====================-==================================================================
ii  apache2-suexec-custom          2.4.18-2ubuntu3      amd64                Apache HTTP Server configurable suexec program for mod_suexec

I created two phpinfo.php files. One in mydomain.com virtual server created by Virtualmin, the other one in Apache default root which is /var/www/html. Accessing the file in Apache root shows all PHP info's as expected, the other one in mydomain.com is not processing the php file, in browser I get a window for saving the phpinfo.php file, like a download.

This is LAMP version installed on Ubuntu 16.04 LTS by Virtualmin:

  • Server version: Apache/2.4.18 (Ubuntu)
  • mysql Ver 14.14 Distrib 5.7.12, for Linux (x86_64) using EditLine wrapper
  • PHP 7.0.4-7ubuntu2.1 (cli) ( NTS ) Copyright (c) 1997-2016 The PHP Group Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies

The difference between those two things you created, is that one is using suexec, and the other isn't. What we're trying to do here is discover why suexec isn't working on your system.

What is the output of this command:

ls -l /usr/lib/apache2/suexec-custom

The output is:

-rwsr-xr-- 1 root www-data 18472 Apr 15 21:22 /usr/lib/apache2/suexec-custom

Out of curiosity, is this on a dedicated server, or on a VPS you setup? Or is this on a VPS controlled by a provider, using an image they made?

However, what you could try doing is running this command:

chmod 4755 /usr/lib/apache2/suexec-custom

Does Apache start after that?

Apache2 is working fine. It does restart after running your command as it did before. But I still cannot run PHP with my virtual server. The same download window is coming when requesting a php page. There is nothing in root directory, except that phpinfo.php file.

This is a VMware machine 12 as version. Ubuntu Server is installed without any option, from scratch. Then Virtualmin. I am an advanced user for CentOS and Debian with hundreds of installations, but I never encountered this issue before. In Debian 8 which is close to Ubuntu 16.04 everything works just fine. If you have time please install this combination and see what is going on.

The title of this post matches my problem and I've posted a question to stackoverflow.com about it.

Here's the output of the afore-requested commands:

~# ls -l /usr/lib/apache2/suexec
lrwxrwxrwx 1 root root 24 Aug 12  2019 /usr/lib/apache2/suexec -> /etc/alternatives/suexec
~# dpkg -l 'apache2*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                            Version          Architecture Description
+++-===============================-================-============-=============================================================
ii  apache2                         2.4.38-3+deb10u3 amd64        Apache HTTP Server
un  apache2-api-20120211                              (no description available)
un  apache2-api-20120211-openssl1.1                   (no description available)
ii  apache2-bin                     2.4.38-3+deb10u3 amd64        Apache HTTP Server (modules and other binary files)
ii  apache2-data                    2.4.38-3+deb10u3 all          Apache HTTP Server (common files)
ii  apache2-doc                     2.4.38-3+deb10u3 all          Apache HTTP Server (on-site documentation)
un  apache2-suexec                                    (no description available)
ii  apache2-suexec-custom           2.4.38-3+deb10u3 amd64        Apache HTTP Server configurable suexec program for mod_suexec
un  apache2-suexec-pristine                           (no description available)
ii  apache2-utils                   2.4.38-3+deb10u3 amd64        Apache HTTP Server (utility programs for web servers)
un  apache2.2-bin                                     (no description available)
un  apache2.2-common                                  (no description available)
~# ls /etc/apache2/mods-enabled
access_compat.load  auth_basic.load   authz_host.load  cgi.load      dav_svn.load  env.load     mime.load         php7.3.conf          proxy_connect.load  rewrite.load        ssl.conf
actions.conf        auth_digest.load  authz_svn.load   dav_fs.conf   deflate.conf  fcgid.conf   mpm_prefork.conf  php7.3.load          proxy_http.load     setenvif.conf       ssl.load
actions.load        authn_core.load   authz_user.load  dav_fs.load   deflate.load  fcgid.load   mpm_prefork.load  proxy_balancer.conf  proxy.load          setenvif.load       status.conf
alias.conf          authn_file.load   autoindex.conf   dav.load      dir.conf      filter.load  negotiation.conf  proxy_balancer.load  reqtimeout.conf     slotmem_shm.load    status.load
alias.load          authz_core.load   autoindex.load   dav_svn.conf  dir.load      mime.conf    negotiation.load  proxy.conf           reqtimeout.load     socache_shmcb.load  suexec.load
~# ls -l /usr/lib/apache2/suexec-custom
-rwsr-xr-- 1 root www-data 26696 Oct 15 19:53 /usr/lib/apache2/suexec-custom
Ilia's picture
Submitted by Ilia on Thu, 02/20/2020 - 05:15

Hi,

Start looking at:

/var/log/apache2/suexec.log

Once you don't have packages apache2-suexec and apache2-suexec-pristine installed, which is good (you only need apache2-suexec-custom in your case), I would look at:

/etc/apache2/suexec/www-data

.. and made sure that suexec document root and the suexec userdir suffix really set to /home and public_html accordingly, like this:

/home
public_html

Re /var/log/apache2/suexec.log it's empty.

In the rotated log /var/log/apache2/suexec.log.1 the last entry was a few days ago -- when I upgraded Debian to buster.

Re /var/log/apache2/suexec.log it had public_html/cgi-bin rather than public_hml. I changed it to public_html and restarted apache but phpinfo.php still reports www-data as the user rather than the virtualhost's user.

Upon service apache2 restart /var/log/apache2/error.log shows:

[Thu Feb 20 19:48:22.393077 2020] [suexec:notice] [pid 951] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Thu Feb 20 19:48:22.400503 2020] [so:warn] [pid 951] AH01574: module dav_module is already loaded, skipping
[Thu Feb 20 19:48:22.448583 2020] [mpm_prefork:notice] [pid 952] AH00163: Apache/2.4.38 (Debian) SVN/1.10.4 mod_fcgid/2.3.9 OpenSSL/1.1.1d configured -- resuming normal operations
[Thu Feb 20 19:48:22.448611 2020] [core:notice] [pid 952] AH00094: Command line: '/usr/sbin/apache2'
Ilia's picture
Submitted by Ilia on Thu, 02/20/2020 - 14:13

What is the output of:

cat /etc/apache2/suexec/www-data

.. and

ls -lsa /etc/apache2/suexec/www-data
/var/log/apache2# cat /etc/apache2/suexec/www-data
/home
public_html
# The first two lines contain the suexec document root and the suexec userdir
# suffix. If one of them is disabled by prepending a # character, suexec will
# refuse the corresponding type of request.
# This config file is only used by the apache2-suexec-custom package. See the
# suexec man page included in the package for more details.
/var/log/apache2# ls -lsa /etc/apache2/suexec/www-data
4 -rw-r--r-- 1 root root 356 Feb 20 19:48 /etc/apache2/suexec/www-data
/var/log/apache2#

PS: In #11 above someone edited my markup to remove the code tag and replace it with a superior tag rendering as a scrolling text block. I tried to edit that comment to see what markup tag was used but was not permitted to edit. What is that markup? I didn't see it documented in "More information about text formats(?)".

Ilia's picture
Submitted by Ilia on Thu, 02/20/2020 - 15:56

It would also be useful:

  1. Did it ever worked for you?
  2. If it did, what have you done prior to that, when it stopped. (like enabled some feature, run updates and etc)

Since this problem appeared when I upgraded the Debian version to Buster, and Buster is not yet supported by Virtualmin, I think it best that I just suss this out myself. Thanks for the help you've provided so far.

Ilia's picture
Submitted by Ilia on Fri, 02/21/2020 - 11:54

We support Debian 10 officially by the way.

You are welcome. Have you just tried going to Website Options and trying toggling PHP modes, right? Does it work for you, by the way?

I expect that you have libapache2-mod-fcgid module installed but that is obvious.

For the future always start a new issue instead of commenting on the old one. Many times I checked the initial post for OS version, which is Ubuntu 16.04 and it made very confused.

While creating an issue for support, Debian 10 is not offered as an option.

Hi, I encountered an identical problem while setting up virtualmin on a raspberry pi buster. I noticed that php engine is disabed by default in public_html/

I changed that in /etc/apache2/mods-enabled/php7.3.conf and it worked (at the end, comment those directives as the comments say there)

Also, i still get this error after adding a new server, even if suexec apache module is enabled in webmin

"SuexecUserGroup configured, but suEXEC is disabled: Missing suexec binary /usr/lib/apache2/suexec"

but a workaround to this was to edit the conf of the domain in /etc/apache2/sites-available and remove the SuexeUserGroup line, and it worked, but i am not yet aware of the implications of this change.

Hope this helps someone ps. its first time in my life i setup a webserver with webmin/virtualmin so if i am missing something obvious here i appologise

prasannjeet's picture
Submitted by prasannjeet on Mon, 07/06/2020 - 07:42

I faced similar problem using raspberrypi 4b, and solved it using what was suggested by @maxlumnar above. However, it would be great if someone can elaborate more on the implications or provide an alternate solution. One possible problem that could be faced is if there are different user accounts in the system, as mentioned in this link: https://community.bitnami.com/t/how-to-enable-suexec/49300/4

That change might enable PHP, but run is as the apache user instead of the domain owner. This works, but has security implications on a shared hosting system.