System Administration
Showing results for 
Search instead for 
Did you mean: 

suEXEC support for HP Apache

Ralph Grothe
Honored Contributor

suEXEC support for HP Apache


before I give up with that HP port of the Apache webserver, and built it anew from the sources I think I should first try to search for help here.
There must be other admins that managed to enable suEXEC or someone from the HP personnel who knows where I went wrong.

Currently I've got this HP Apache installed on an L-Class running HP-UX 11.00

# swlist|grep -i web
B9416AA HP Apache-based Web Server

Admitedly it isn't the latest (and thus possibly a bit patchy at parts more seldom used, like suEXEC), but the people who demanded an Apache claimed exactly this releaase (probably because they got used to it from another box)

Of course did I read carefully what suEXEC is all about and how it should be set up from the coders' docs here

If I had the sources, and header files (to be snatched when all this HP Apache fumbling continues to be misfortunate) there's also a receipe how to change the preprocessor's declarations directly

But also does the HP depot include instructions on how to activate suEXEC support for their port, as it was built with such.
So I read this document, and followed the instructions

# ll /opt/hpapache2/hp_apache_docs/
-r--r--r-- 1 bin bin 11291 Aug 12 2002 /opt/hpapache2/hp_apache_docs/suexec.adm

So I renamed the suexec.hide binary to suexec and checked that ownership an setuid as well as x-bits were set correctly

# ll /opt/hpapache2/bin/suexec
-rwsr-xr-x 1 root sys 92836 Aug 12 2002 /opt/hpapache2/bin/suexec

The httpd.conf was changed by me at points that looked relevant to me as far as CGI script execution as well as suEXEC support is concerned.
My requirement is to enable suEXEC for user accounts and their CGIs in their $HOME/public_html

To meet these my basic httpd.conf looks like so

LoadModule suexec_module modules/

ScriptAlias /cgi-bin/ "/opt/hpapache2/cgi-bin/"

AllowOverride None
Options None
Order allow,deny
Allow from all

AddHandler cgi-script .cgi .pl

UserDir public_html

AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec ExecCGI

Order allow,deny
Allow from all

Order deny,allow
Deny from all

Not to get interfered by mod_perl I commented these lines (were uncommented before)

# PerlModule ModPerl::Registry
# SetHandler perl-script
# PerlHandler ModPerl::Registry::handler
# Options +ExecCGI
# PerlOptions +ParseHeaders


As you can see from above the default ScriptingAlias in /cgi-bin/ was left untouched.
I only added the AddHandler for cgi-script to scatter ExecCGI here and there for certain locations as for the UserDir

I wrote a small Perl script (see attachment) that only displays EUID and EGID together with the process' environment.

Then I did a syntax check of httpd.conf and stopped and started the webserver.

In the error_log I could see that suEXEC was enabled.
But when I invoked the same showenv.cgi script (ownership of user saz) through the URL
I got a 503 as server response and the error_log recorded a segmentation fault. :-(

# tail -8 logs/error_log
[Mon Jan 17 16:49:50 2005] [notice] caught SIGTERM, shutting down
[Mon Jan 17 16:49:56 2005] [notice] suEXEC mechanism enabled (wrapper: /opt/hpapache2/bin/suexec)
[Mon Jan 17 16:49:56 2005] [notice] Digest: generating secret for digest authentication ...
[Mon Jan 17 16:49:56 2005] [notice] Digest: done
[Mon Jan 17 16:49:56 2005] [notice] HP Apache-based Web Server/2.0.39 (Unix) DAV/2 configured -- r
esuming normal operations
[Mon Jan 17 16:51:33 2005] [error] [client] Premature end of script headers: showenv.cgi

[Mon Jan 17 16:51:34 2005] [notice] child pid 24553 exit signal Segmentation fault (11)
[Mon Jan 17 16:51:39 2005] [error] [client] (3)No such process: cgid daemon is gone; is
Apache terminating?: /opt/hpapache2/cgi-bin/showenv.cgi

Madness, thy name is system administration
James Calfas
Regular Visitor

Re: suEXEC support for HP Apache

suexec works on some versions of Apache and not others.  It doesn't work, for example, on version 2.2.15.  However it does work on later versions, such as 2.4.7.