Description of problem:
Even without loading suexec, mod_fcgid appears to want to invoke suexec when executing scripts in UserDirs. But because the wrapper is not located/owned by the user, the script refuses to be executed.

Version-Release number of selected component (if applicable):
mod_fcgid-2.2-12.fc11.x86_64

How reproducible:
Every time.

Steps to Reproduce:
1. Enable mod_fcgid
2. Configure to serve PHP scripts
3. Put PHP script in UserDir and try to run it.

Actual results:
Internal Server Error

Expected results:
Output from PHP script

Additional info:
I will attach a simple httpd.conf that shows the problem. Put a simple test.php script in the public_html dir of your choice and /var/www/html/ for testing.

Apache error_log:
[Wed Sep 16 22:58:06 2009] [notice] mod_fcgid: call /var/www/html/test.php with wrapper /usr/bin/php-cgi
[Wed Sep 16 22:58:13 2009] [notice] mod_fcgid: call /home/drees/public_html/test.php with wrapper /usr/bin/php-cgi
suexec policy violation: see suexec log for more details

Apache suexec log:
[2009-09-16 22:58:13]: uid: (500/drees) gid: (100/users) cmd: php-cgi
[2009-09-16 22:58:13]: command not in docroot (/usr/bin/php-cgi)
Created attachment 361428 [details] httpd.conf
OK, after bashing my head against this issue over the past couple days, I finally figured out that renaming the suexec binary seems to avoid suexec enabling. The problem is that the next httpd upgrade will replace the suexec binary. Surely there should be a configuration option to completely disable suexec? I would have thought that disabling the suexec module would have been enough. (I guess at this point this is more of a httpd bug than a mod_fcgid bug, too!)
There was some related discussion upstream a while back: http://www.mail-archive.com/mod-fcgid-users@lists.sourceforge.net/msg00154.html Unfortunately development of mod_fcgid appears to have come to a halt around that time too.
Yeah, an option like that looks like it would do the trick. I seem to recall reading somewhere that mod_fcgid was getting merged upstream into the next major Apache release?
Hmm, you're right! http://svn.apache.org/viewvc/httpd/mod_fcgid/trunk/README-FCGID?view=markup
There's also an upstream bug on mod_suexec that may be related: https://issues.apache.org/bugzilla/show_bug.cgi?id=42175 I've built some mod_fcgid packages from the new upstream svn at apache.org: http://mirror.city-fan.org/ftp/contrib/websrv/ These don't resolve your problem unfortunately but it's in heavy upstream development at the moment so the best option might be to raise this as a bug on the dev.org list and it might get fixed for the next release.
After doing more reading, it's not quite clear what the actual bug is as it seems that there are a couple issues here:

Enabling suEXEC is a server-wide "configuration" issue. Apache detects at startup whether or not suEXEC is enabled by looking for the suexec binary in the appropriate spot with the appropriate permissions. To disable it, either change the permissions or remove the binary.

Possible resolutions would be to enhance suEXEC to allow the enabling/disabling of suEXEC in the configuration file or on the command line, or to modify the Apache startup scripts to look for a configuration value in /etc/sysconfig/httpd and enable/disable suexec appropriately.

I don't think this is only a mod_fcgid bug - I imagine that this would affect anyone trying to exec scripts in the UserDir folders and just wanted them executed as the Apache user instead of the User's folder.
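Added example (not part of the original thread or of httpd itself): a shell check that reproduces the startup detection described in the comment above and lists docroot rejections from a suexec log. It assumes "appropriate permissions" means root ownership plus the setuid bit; the default path /usr/sbin/suexec and both function names are assumptions.

```shell
#!/bin/sh
# Added example. Assumption: httpd 2.2 enables suEXEC at startup when
# the wrapper exists, is owned by uid 0 and has the setuid bit set.

# Print whether httpd would treat suEXEC as enabled for this wrapper.
suexec_state() {
    wrapper=$1
    [ -e "$wrapper" ] || { echo "disabled (no binary)"; return; }
    [ -u "$wrapper" ] || { echo "disabled (setuid bit not set)"; return; }
    # find prints the path only when the (dereferenced) file is owned by uid 0
    owner=$(find -L "$wrapper" -prune -user 0)
    [ -n "$owner" ] || { echo "disabled (not owned by root)"; return; }
    echo "enabled"
}

# List "(uid/user) (command)" for every docroot rejection in a suexec
# log that uses the two-line format quoted in this report.
suexec_docroot_denials() {
    awk '$3 == "uid:" { who = $4 }
         /command not in docroot/ { print who, $7 }' "$1"
}

# Default path is an assumption (Fedora's httpd package layout).
suexec_state "${1:-/usr/sbin/suexec}"
```

Re-running the check after each httpd package update shows whether the upgrade restored the wrapper and its permissions.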
Anyway, I opened up discussion on the httpd-dev list: http://marc.info/?l=apache-httpd-dev&m=125374657506543&w=2 We'll see what turns up. Good to see that development is pretty active on it over there right now.
This message is a reminder that Fedora 11 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 11. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '11'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 11's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 11 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Affects F12 the same. Haven't tried F13 but I don't expect it to be any different.
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Still the same on F13.
Upstream is adding a facility to enable/disable Suexec globally in the httpd.conf file in httpd 2.4, and will probably backport this to the next 2.2.x release as well: http://marc.info/?l=apache-httpd-dev&m=129043360310643&w=2 Will that address your issue?
Sorry for the delay in responding, but yes, this appears that it would indeed solve this bug. (Also updating to F14, still affects F14 as well).
Looks like mod_fcgid may be bundled with httpd 2.4 too...
This message is a notice that Fedora 14 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 14. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '14' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 14 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping