These forums are locked and archived, but all topics have been migrated to the new forum. You can search for this topic on the new forum: Search for suexec configured to run under /var/www ... on the new forum.
Hallo,
I am trying to run Virtualmin on a Debian 4.0 Etch server, but am getting this error:
The Suexec command on your system is configured to only run scripts under /var/www, but the Virtualmin base directory is /home. CGI and PHP scripts run as domain owners will not be executed.How do I configure Suexec, so that scripts can be run under /home ?
Thank you !
Kind regards from Germany
Mebus<br><br>Post edited by: Mebus, at: 2008/09/29 04:45
Well, that might happen if your system has the Debian Apache packages rather than the Virtualmin packages.
The Virtualmin version of suexec is compiled with support to run those in /home.
How did you install Virtualmin, out of curiosity?
In /etc/apt/sources.list, do you see an entry for the Virtualmin repositories, at software.virtualmin.com?
-Eric
I downloaded the Webmin and Virtualmin deb packages from webmin.com and installed them via dpkg -i.
Anyway I have found a solution to my problem by recompiling the module:
http://planetozh.com/blog/2007/10/rebuilding-suexec-with-different-optio...
http://swelltech.com/support/virtual-servers/index.html#apache
Thanks anyway or is there a better solution ?
Mebus
Ahh, there's actually an install.sh script for installations that actually pulls in all the dependencies and such:
http://webmin.com/vinstall.html
Don't run that on a working system, that's just for future reference ;-)
In the meantime -- yes, you could recompile suexec, though if you just installed the Apache packages from the Virtualmin repository, that'd handle your issue too.
It sounds like you may be using the GPL version, so the packages for that can be found at:
http://software.virtualmin.com/gpl/
For the Pro version, just drop the "gpl" from the URL above, and enter your serial and license key numbers when prompted.
-Eric
<div class='quote'>This module is already enabled!</div>
Mebus
Hey Mebus -- when you get "Warning: SuexecUserGroup directive requires SUEXEC wrapper.", are you seeing any errors in the Apache error_log?
The suexec module may be failing to load, in which case it may send it's error into the logs.
-Eric
I ran into a similiar problem just by updating virtualmin from 3.60 to 3.62. Actually I'm always in fear, that the upgrade breaks something.
Now rechecking the configuration ends with a complaint that suexec is not available on my system...
I didn't change anything in between. What happened?
So I seem not to run Virtualmin Apache (I have no clue what else)? How can I replace the existing with it?
Well, as Joe's post mentions above, nothing "changed" -- except that Virtualmin tests the configuration of your system better now :-)
Somehow or another, you don't have Virtualmin's Apache packages, so the suexec binary on your system isn't pointing to the right place.
You can solve that by:
1. Disabling suexec in Virtualmin
2. Use an suexec binary that points to /home rather than /var/www -- an easy way to do that is to use the Virtualmin Apache packages from software.virtualmin.com
Seeing as your system is otherwise working, that implies you aren't using suexec, so the quickest solution might just be to disable that. You can do so in System Settings -> Server Templates -> Default -> Apache Website, then make sure "Automatically add appropriate SuExec directive" is set to "No".
-Eric
<div class='quote'>I ran into a similiar problem just by updating virtualmin from 3.60 to 3.62. Actually I'm always in fear, that the upgrade breaks something.
Now rechecking the configuration ends with a complaint that suexec is not available on my system...</div>
Nothing (new) is broken! The system is still working just as it always has!
These are configuration checks...please don't let these warnings stop you from upgrading. You should always run the latest version of the software. The configuration checks are getting better at telling you things that might be wrong with your configuration...they are not changing your system or breaking it in any way.
How can we make that more clear? (I'm approaching a panicked state now that I'm realizing that people might not upgrade for fear of seeing these kinds of messages in the configuration check. Do not fear greater knowledge about your system. Please!)
--
Check out the forum guidelines!
I am not talking about the Webmin module for Apache. That is in the base install of webmin. Modules only function, I know, is to interact with the programs setup files, to install them if they are not installed, or reconfigure to see installations that are different from the norm. I had to do that routinely with setting up Apchie2 to work with Webmin.
What I am referring to is the fallowing.
When you go to a Webmin module, if the program the module is supposed to control is not installed, it will ask if you wish to install the program. The module calls apt-get and installs the program. It will usually move the module from unused to the appropriate category.
The link to the module is usually given on the failed program check dialog. Not the "The Suexec command on your system is configured to only run scripts under /var/www, but the Virtualmin base directory is /home. CGI and PHP scripts run as domain owners will not be executed." error though.
As for the install script it will not work on my system. Complains that my os is not supported. So that option is not in the works unless it has an override to allow installation on a Debian system anyway.
Shanta
Seem to be going down a dead end. And I need to get things working right. So I will to my back up server. CGI because of the suexec problems are already on that server anyway. My plan.
Backup all domains locally
reinstall the OS .
download the install script and start there as the installation via apt-get dose not work on this server.
script failed, incorrectly reported os
did find out what file the chouser script was looking at and it is as fallows
/etc/issue Debian GNU?Linux stable \n \l
next I used
apt-get install virtualmin-base
Now installing.
Shanta
Seem to be going down a dead end. And I need to get things working right. So I will to my back up server. CGI because of the suexec problems are already on that server anyway. My plan.
Backup all domains locally
reinstall the OS .
download the install script and start there as the installation via apt-get dose not work on this server.
script failed, incorrectly reported os
did find out what file the chouser script was looking at and it is as fallows
/etc/issue Debian GNU?Linux stable \n \l
next I used
apt-get install virtualmin-base
Now installing.
Shanta
Well now it is totally out.
Try again. from the fresh install.
all attempts are a bust so far. I will try again.
This time I will update and upgrade the install with apt-get before any attempt to install webmin or virtualmin.
What exactly should
/etc/ issue and Debian_version look like for the setup script to do its job?
Shanta
Well! I got the script to work finally!
It did not like they way that the redwood debian_version was set up. put 4.0 in and it ran.
Failed on first round.
Had to remove my previous attempt to install virtualmin-base did that with apt-get remove and the script ran to completion. Now I will test the install.
Shanta
First round of testing showed that MySQL not install Doing so now
quick check of mysql showed that it was installed.
Rechecking webmin config now shows that it is up an running.
Now to install my site backups.
Hummmm Seems that non of the backups I had beem makeing are backups. webmin says
Restore failed : The specified source does not contain any domains, or is not a Virtualmin backup
When one looks in the file there is all the directories and data in the domain.
Why is webmin not seeing these backups as backups?
It seems that the file selection dialog is not working right. It requres you to select a file not a direcotry. I removed the filename and it worked.
for most I should say the key one it failed on the tar file for the home directory and stopped.
getting closer
I'm not sure I understand what problem you're having? What file selection dialog? What are you doing, and what is happening that isn't right (and is there an actual error message you can give us)?
--
Check out the forum guidelines!
I am attempting to restore the backups I made to my server this morning. When you click on ftp or upload file it gives the file field to be filled in with a url to the file. If you use the browse or ... button it expects a file not a directory to return you to the brower and fill in the the box for you.
Selecting any of the files in the restore directory ie domain.com and it will tell you that it is not a valid file I copied the error in an earlier post.
Delete the file name and submit and virtualmin reads the directory and returns you a list of the domains you wish to restore.
I have gotten one to restore but not all The most important one is reporting an error in the tar file for the home dir and stopping
I am now attempting another round of restoring.
Now it is complaining
Restore failed : DBI connect failed : Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
I will try to check that.
MySQL was not started
started it and it continued stopping at failed to create postgress Alias file
I back paged removed the domains that install and started again.
It seems that the restore fails randomly Mostly with tar file failure. removing installed domain seems to get on to the next.
unfortunately the user home directories did not get restored fortunately the are in my daily incremental though I will lose several hours of mail. I will look again into the full backup I did earlier today
I just tried to restore from directory on my local box that I do incremental restores to. The file selection dialog will only allow a specific file and NOT let you select the dir or let you edit the url. Update fails stating that the file is not a valid restore file.
How do you restore mail from this incremental backups?
ubuntu8.04 lt whatever it is this is a fresh install and get this error trying to disable suexec. also install wat done using the intaller of pro that i have linked from my perchase...
Failed to save server template : PHP scripts cannot be run as the domain owner unless suexec is enabled
seen refrences to virtualmin`s apache module but cant seem to find it.
You can enable suexec by going into System Settings -> Server Templates -> Default Template -> Apache Website, and make sure "Automatically add appropriate SuExec directive" is set to "yes".
-Eric
I am having a similar problem too, I have tried to install the apache module via the "webmin" -> "webmin configuration" -> "webmin modules: -> "standard module from www.webmin.com
it installed successfully and I restarted apache
then I tell it to re-check config
and I get this:
Mail server Postfix is installed and configured.
The Suexec command on your system is configured to only run scripts under /var/www, but the Virtualmin base directory is /home. CGI and PHP scripts run as domain owners will not be executed.
.. your system is not ready for use by Virtualmin.
I do not know what to do beyond this.
Can you help me.
Yeah, the problem is that you have your distributions version of Apache installed, rather than the Virtualmin version. Virtualmin's version has suexec pointed at the correct location.
Your options are to either install the Apache packages from Virtualmin's repository, or to go into the Apache Website section of the server templates and disable suexec support if you don't need it.
-Eric
ok, I dont want to sound stupid, but how do I install apache packages from your repository ? I thought that is what I have been doing by installing the apache module via the "webmin" -> "webmin configuration" -> "webmin modules: -> "standard module from www.webmin.com
but doing that has had no positive consiquence on the outcome.
how do I get this thing working the right way ? How do i correctly install all the apache modules from the virtualmin repository ?
Ahh, that installs the Webmin Apache module (which is a piece of Perl code to assist in managing Apache), rather than the actual system Apache package.
What distribution are you using?
Sometimes, it's as simple as logging in from the command line, and typing "yum install httpd" or "apt-get install apache2".
-Eric
Virtualmin Theme version: 6.7
Virtualmin version: 3.66
Operating system: Redhat Linux Fedora 9
If your system is not yet in production, and it is one of our supported systems, I would strongly recommend you use our automated install script found on the Download page here at Virtualmin.com. It sounds like a manual installation is probably <i>not</i> going to be your idea of a good time (it isn't my idea of a good time, and I've done it dozens of times, and understand how it all works).
--
Check out the forum guidelines!
I would love to use a install script but I am using fedora core 9
[root@seatechproducts craig]# yum install httpd
Loaded plugins: refresh-packagekit
Setting up Install Process
Parsing package install arguments
Package httpd-2.2.8-3.i386 already installed and latest version
Nothing to do
when I start apache I get this message:
Failed to start service :
Starting httpd: [FAILED]
and then in my setroubleshoot browser I get this:
Summary:
SELinux is preventing httpd (httpd_t) "append" to ./newblueworld.com_error_log
(var_log_t).
Detailed Description:
SELinux is preventing httpd (httpd_t) "append" to ./newblueworld.com_error_log
(var_log_t). The SELinux type var_log_t, is a generic type for all files in the
directory and very few processes (SELinux Domains) are allowed to write to this
SELinux type. This type of denial usual indicates a mislabeled file. By default
a file created in a directory has the gets the context of the parent directory,
but SELinux policy has rules about the creation of directories, that say if a
process running in one SELinux Domain (D1) creates a file in a directory with a
particular SELinux File Context (F1) the file gets a different File Context
(F2). The policy usually allows the SELinux Domain (D1) the ability to write,
unlink, and append on (F2). But if for some reason a file
(./newblueworld.com_error_log) was created with the wrong context, this domain
will be denied. The usual solution to this problem is to reset the file context
on the target file, restorecon -v './newblueworld.com_error_log'. If the file
context does not change from var_log_t, then this is probably a bug in policy.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against the selinux-policy package. If it does change, you can try your
application again to see if it works. The file context could have been
mislabeled by editing the file or moving the file from a different directory, if
the file keeps getting mislabeled, check the init scripts to see if they are
doing something to mislabel the file.
Allowing Access:
You can attempt to fix file context by executing restorecon -v
'./newblueworld.com_error_log'
Fix Command:
restorecon './newblueworld.com_error_log'
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:var_log_t:s0
Target Objects ./newblueworld.com_error_log [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host seatechproducts.net
Source RPM Packages httpd-2.2.8-3
Target RPM Packages
Policy RPM selinux-policy-3.3.1-121.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name mislabeled_file
Host Name seatechproducts.net
Platform Linux seatechproducts.net 2.6.25.11-97.fc9.i686 #1
SMP Mon Jul 21 01:31:09 EDT 2008 i686 i686
Alert Count 1
First Seen Wed 25 Feb 2009 06:49:59 AM PST
Last Seen Wed 25 Feb 2009 06:49:59 AM PST
Local ID c4c237bb-825a-48e3-89c9-d9939c7324c1
Line Numbers
Raw Audit Messages
host=seatechproducts.net type=AVC msg=audit(1235573399.840:250): avc: denied { append } for pid=11573 comm="httpd" name="newblueworld.com_error_log" dev=sda3 ino=1745020 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
host=seatechproducts.net type=SYSCALL msg=audit(1235573399.840:250): arch=40000003 syscall=5 success=no exit=-13 a0=b95626b8 a1=8441 a2=1b6 a3=8441 items=0 ppid=11572 pid=11573 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
when I start apache I get this message:
Failed to start service :
Starting httpd: [FAILED]
and then in my setroubleshoot browser I get this:
Summary:
SELinux is preventing httpd (httpd_t) "append" to ./newblueworld.com_error_log
(var_log_t).
Detailed Description:
SELinux is preventing httpd (httpd_t) "append" to ./newblueworld.com_error_log
(var_log_t). The SELinux type var_log_t, is a generic type for all files in the
directory and very few processes (SELinux Domains) are allowed to write to this
SELinux type. This type of denial usual indicates a mislabeled file. By default
a file created in a directory has the gets the context of the parent directory,
but SELinux policy has rules about the creation of directories, that say if a
process running in one SELinux Domain (D1) creates a file in a directory with a
particular SELinux File Context (F1) the file gets a different File Context
(F2). The policy usually allows the SELinux Domain (D1) the ability to write,
unlink, and append on (F2). But if for some reason a file
(./newblueworld.com_error_log) was created with the wrong context, this domain
will be denied. The usual solution to this problem is to reset the file context
on the target file, restorecon -v './newblueworld.com_error_log'. If the file
context does not change from var_log_t, then this is probably a bug in policy.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against the selinux-policy package. If it does change, you can try your
application again to see if it works. The file context could have been
mislabeled by editing the file or moving the file from a different directory, if
the file keeps getting mislabeled, check the init scripts to see if they are
doing something to mislabel the file.
Allowing Access:
You can attempt to fix file context by executing restorecon -v
'./newblueworld.com_error_log'
Fix Command:
restorecon './newblueworld.com_error_log'
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:var_log_t:s0
Target Objects ./newblueworld.com_error_log [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host seatechproducts.net
Source RPM Packages httpd-2.2.8-3
Target RPM Packages
Policy RPM selinux-policy-3.3.1-121.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name mislabeled_file
Host Name seatechproducts.net
Platform Linux seatechproducts.net 2.6.25.11-97.fc9.i686 #1
SMP Mon Jul 21 01:31:09 EDT 2008 i686 i686
Alert Count 1
First Seen Wed 25 Feb 2009 06:49:59 AM PST
Last Seen Wed 25 Feb 2009 06:49:59 AM PST
Local ID c4c237bb-825a-48e3-89c9-d9939c7324c1
Line Numbers
Raw Audit Messages
host=seatechproducts.net type=AVC msg=audit(1235573399.840:250): avc: denied { append } for pid=11573 comm="httpd" name="newblueworld.com_error_log" dev=sda3 ino=1745020 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
host=seatechproducts.net type=SYSCALL msg=audit(1235573399.840:250): arch=40000003 syscall=5 success=no exit=-13 a0=b95626b8 a1=8441 a2=1b6 a3=8441 items=0 ppid=11572 pid=11573 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
<b>andreychek wrote:</b>
<div class='quote'>Well, as an FYI, this stuff you're running into is all corrected when using a distribution that works with the install script :-)</div>
I ran into this problem today with the latest Virtualmin install script and a fresh install of Debian Etch.
Yikes, see, that shouldn't happen! :-)
Are you sure it's Etch you have there, and not Lenny?
Some folks had Etch inadvertently upgrade to Lenny, which caused the wrong packages to get pulled in.
-Eric
Yup, it's Etch and not Lenny.
Try the following:
apt-get install apache2
For some reason, apt-get won't upgrade to our package during the script run sometimes. I don't know why. But, the lenny version of install.sh won't need to install a custom apache2, so it can't possibly go wrong (I hope).
--
Check out the forum guidelines!
That did it, Joe. Thanks! I ran aptitude install apache2, was told that it was broken and proceeded to install it. Re-check Config checks out fine after re-enabling SuExec.
Okay, but what's this:
<div class='quote'>
server:~# /etc/init.d/apache2 restart
Forcing reload of web server (apache2)...Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
waiting Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
.
server:~#
</div>
Mebus
Howdy,
Sounds like Virtualmin has been configured to add in the SuexecUserGroup directives, but Apache may be missing the suexec module.
You can enable suexec support in Apache with:
a2enmod suexec
And then restart Apache.
That will only work if you're using an Suexec compiled with /home of course.
-Eric
Hi,
I am having the same issue but on CentOS 5.2. What packages do i need from http://software.virtualmin.com/gpl/centos/5.2/i386/?
Best regards
nic
Well, the suexec binary comes with the httpd package, so you'll at the very least need that. It changes very little, so there shouldn't be a problem in installing that in place of your current httpd package.
The catch in just downloading those is that when updates come out, you won't get them... ideally, you'd want to setup the VM repository by setting it up in /etc/yum.repos.d.
It strikes me that perhaps we need a document containing steps for fixing this particular predicament :-)
-Eric
Hi Mebus, hi all,
after running into the same problem, I crawled the net for solutions. This did the trick: (Found on http://bliki.rimuhosting.com/space/virtualmin+notes)
<div class='quote'>On Debian disable suexec in Apache.
From the main virtualmin configuration page, click on the "Edit Server Template" button. Click on the "Default Settings" template link in the table on the next page. In the "edit template section" at the top of that page, choose "Apache website". Click the radio button to no, where it says "Automatically add appropriate SuExec directive?".</div>
BTW, I'm using Virtualmin Pro.
This issue appeared just after upgrading to Virtualmin 3.62 and I'm somewhat dissappointed that there is no support from the Virtualmin-Team on this topic! Re-Compiling apache is not acceptable!
Have fun,
Michael
Howdy,
There's no need to recompile Apache.
The problem is that the Virtualmin Apache packages aren't installed -- that's something that the install.sh script handles during installation.
Since you aren't using suexec, disabling that feature will work fine as Joe mentioned in another thread.
If you'd like to use suexec, no problem, you'll just need to install the Virtualmin Apache from sofware.virtualmin.com.
-Eric
<div class='quote'>I'm somewhat dissappointed that there is no support from the Virtualmin-Team on this topic!</div>
I'm sorry you feel like there hasn't been support on this topic. But, for what it's worth, Eric and I have both answered this same question in a half dozen threads--in all cases in the best way we could, based on the knowledge we were given. The possible solutions are:
Disable suexec usage in Virtualmin
Use a suexec binary that will work with your configuration in Virtualmin
That's what we've said every time we've been asked this question (or its minor variants). This new check and its result is legitimate--you really can't use suexec, if it isn't built appropriately for where your home directories are. It's just that we were never testing for it before now...but we found that it was a very common source of questions and support issues. It's not a false positive, and we thought you'd want to know about the problem. Perhaps the error message is not clear enough?
What could we be doing differently here that would give you a feeling of getting support from us?
--
Check out the forum guidelines!
My system say that I have webmins version of apache installed. I was in stalled by webmin. Is there a diffrence between webins version and virtualmins?
Do I have to Uninstall Apache and reinstall?
Shanta
Hey Shanta,
I don't recall if you're using CentOS/RHEL or Ubuntu/Debian, but I'm curious of the package names you have installed.
So if it's CentOS/RHEL that you have, what's the output of this:
rpm -qa | grep httpd
And if it's Ubuntu/Debian, what does this show:
dpkg -l 'apache*'
Thanks,
-Eric
<div class='quote'>My system say that I have webmins version of apache installed. I was in stalled by webmin. Is there a diffrence between webins version and virtualmins?</div>
There is no "Webmin version" of Apache. Webmin.com has no software repositories for any non-Webmin software. When you install software using Webmin's Software Packages module, it uses whatever the native package manager for your operating system is, like yum or apt-get. It has no way of knowing what version is being installed--whatever software repositories your system is configured to use is where the packages will come from.
If you installed Virtualmin using the automated install script found here at Virtualmin.com (install.sh, found on the download page or the serial numbers page, if you have Professional), it will have setup the package manager to use our software repositories, and will (usually, unless there are errors) install our Apache version. If you did not use the install script, you almost certainly do not have our Apache version (and this warning during configuration check indicates you don't).
<div class='quote'>Do I have to Uninstall Apache and reinstall?</div>
No. Just upgrade to our Apache package. That is, assuming you want to use suexec. If you don't care, just leave it the way it is and turn off suexec in Virtualmin.
--
Check out the forum guidelines!
I am running a fresh install of Debian. I set the sources list to include the virturalmin repository and installed each module as it tested the install using webmin.
When I went to the Virtualdmin update link off the status page and it showed that apache came from webmin. I even copied the lines to a message I sent to another thread on this topic. I don't see it now after searching.
On checking the updates page it now shows the Debian version installed.
This whole install have been nothing but problematic I was hoping that it was a faulty install that was causing my previous mail, and cgi problems. I even used webmin to install all modules during the testing process.
It is the public version so I guess that is a possible reason why.
On ward. I just did an apt-get update and it says that all my programs are up to date. Should I remove apache and try installing again?
Pages