PROBLEM DESCRIPTION

        suEXEC is misconfigured on Mandrake 8.1.  I believe the problem
needs to be fixed at compile-time.  Furthermore, it dies in such a way as
to be VERY misleading.  To repro, do this:

1. Add an "ExecCGI" option to the /~userdir/ directory in your Apache
config file.  For Mandrake 8.1, have it look like the following in
"/etc/httpd/conf/commonhttpd.conf"

<Directory /home/*/public_html>
    AllowOverride All
    Options MultiViews Indexes Includes FollowSymLinks ExecCGI
    Order allow,deny
    Allow from all
</Directory>

        Notice I've added "ExecCGI" to the Options line, so that I don't
need to put my CGI programs into a $HOME/public_html/cgi-bin/ directory.  I
can just name my CGI programs 'filename.cgi'.

2. Create a simple CGI program in your ~/public_html/

[dereks@dev public_html]$ cd ~/public_html ; cat ./foo.cgi
#!/usr/bin/env python

import sys
sys.stderr = sys.stdout

print "Content-Type: text/html\r\n\r\n"
print "<html><body>WTF</body></html>"

[dereks@dev public_html]$ ./foo.cgi
Content-Type: text/html


<html><body>WTF</body></html>
[dereks@dev public_html]$

        Note that (a) the CGI program prints the correct header and
newlines, and (b) that it executes from the commandline as user "dereks"
AND as user "apache" (although that's not shown above).

3.  Now visit your CGI program and watch it fail:

        Hit http://dev/~dereks/foo.cgi and get
-----------------------------------------------------
Internal Server Error
The server encountered an internal error or misconfiguration and was
unable to complete your request.

Please contact the server administrator, root@localhost and inform them of
the time the error occurred, and anything you might have done that may
have caused the error.

More information about this error may be available in the server error
log.

Apache-AdvancedExtranetServer/1.3.20 Server at dev.xxx.com Port 80
-----------------------------------------------------

        ...and then look at your error_log and see this:

[root@dev public_html]# tail -n 1 /var/log/httpd/error_log
[Mon Jan 21 14:50:57 2002] [error] [client 192.168.0.187] Premature end of
script headers: /home/dereks/public_html/foo.cgi

        This is VERY disturbing because my script headers are FINE!  If I
were somebody new to CGI programming, who did not have the confidence to
KNOW that my script is correct, I could waste a TON of time trying to
figure out what the problem is.  In fact, it is a misconfiguration in
suEXEC.

        I noticed this in the Apache FAQ:
------------------------------------------------------
*  What does it mean when my CGIs fail with "Premature end of script
headers"?

[content deleted...]

In addition, a configuration problem in suEXEC, mod_perl, or another third
party module can often interfere with the execution of your CGI and cause
the "premature end of script headers" message.
------------------------------------------------------

        Unfortunately, the fscking FAQ doesn't say WHAT configuration
problem in suEXEC could cause this error message.


WORKAROUND

        Disabling suEXEC fixes the problem.  suEXEC can be disabled by
simply renaming the suexec binary and restarting Apache:

[root@dev public_html]# mv /usr/sbin/suexec /usr/sbin/suexec-DIST
[root@dev public_html]# service httpd restart
Shutting down httpd-perl:                                  [  OK  ]
Shutting down httpd:                                       [  OK  ]
Starting httpd-perl:                                       [  OK  ]
Starting httpd:                                            [  OK  ]

        Also, I found the following in the suEXEC documentation:
------------------------------------------
APACI's suEXEC configuration options

[content deleted...]

--suexec-userdir=DIR

        Define to be the subdirectory under users' home directories where
suEXEC access should be allowed. All executables under this directory will
be executable by suEXEC as the user so they should be "safe" programs. If
you are using a "simple" UserDir directive (ie. one without a "*" in it)
this should be set to the same value. suEXEC will not work properly in
cases where the UserDir directive points to a location that is not the
same as the user's home directory as referenced in the passwd file.
Default value is "public_html".

        If you have virtual hosts with a different UserDir for each, you
will need to define them to all reside in one parent directory; then name
that parent directory here. If this is not defined properly, "~userdir"
cgi requests will not work!
------------------------------------------

        I don't know what they mean by "you will need to define them to
all reside in one parent directory".  Also, I don't know if the problem is
that, or if it is simply not defined properly at compile-time (thus
breaking the RPM binary).


ADDITIONAL SYSTEM INFO:

[dereks@dev dereks]$ cat /etc/mandrake-release
Mandrake Linux release 8.1 (Vitamin) for i586

[dereks@dev dereks]$ rpm -q apache
apache-1.3.20-3mdk

[dereks@dev dereks]$ rpm -q -f /usr/sbin/suexec
apache-suexec-1.3.20-3mdk
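
The suEXEC documentation quoted above covers the userdir setting; the same documentation's security model also lists checks on the CGI program and its directory, and when any of them fails suEXEC exits before the script runs, so Apache receives no headers. An added example (Python 3, not part of the original post and not Apache's code) that reproduces those file-level checks so they can be run against a script such as foo.cgi. The function name, its parameters and the temporary home tree are constructed for illustration, and the minimum id of 100 is an assumption standing in for whatever value the binary was built with.

```python
import os
import stat
import tempfile

WRITABLE = stat.S_IWGRP | stat.S_IWOTH

def suexec_precheck(script, home, uid, gid, userdir="public_html", id_min=100):
    """List the documented suEXEC file checks that `script` fails.
    home/uid/gid model the passwd entry; userdir/id_min the build settings."""
    failures = []
    script = os.path.realpath(script)
    cgi_dir = os.path.dirname(script)
    allowed = os.path.realpath(os.path.join(home, userdir))
    if uid < id_min or gid < id_min:
        failures.append("uid or gid below minimum")
    # A ~user request must resolve inside <home>/<userdir>.
    if os.path.commonpath([cgi_dir, allowed]) != allowed:
        failures.append("outside userdir")
    if not os.path.isfile(script):
        return failures + ["program missing"]
    d, f = os.stat(cgi_dir), os.stat(script)
    if d.st_mode & WRITABLE:
        failures.append("directory writable by group/other")
    if f.st_mode & WRITABLE:
        failures.append("program writable by group/other")
    if f.st_mode & (stat.S_ISUID | stat.S_ISGID):
        failures.append("program is setuid/setgid")
    if {(d.st_uid, d.st_gid), (f.st_uid, f.st_gid)} != {(uid, gid)}:
        failures.append("owner mismatch")
    return failures

def demo():
    """Run the checks over a constructed home directory (sample data)."""
    home = tempfile.mkdtemp()              # stands in for /home/dereks
    pub = os.path.join(home, "public_html")
    os.mkdir(pub, 0o755)
    cgi = os.path.join(pub, "foo.cgi")
    with open(cgi, "w") as fh:
        fh.write("#!/bin/sh\n")
    who = (os.getuid(), os.getgid())
    out = {}
    os.chmod(cgi, 0o755)
    out["0755"] = suexec_precheck(cgi, home, *who)
    os.chmod(cgi, 0o775)                   # group-writable script
    out["0775"] = suexec_precheck(cgi, home, *who)
    out["www"] = suexec_precheck(cgi, home, *who, userdir="www")
    return out

if __name__ == "__main__":
    print(demo())
```

Unlike suEXEC, which stops at the first failed check, this reports every failure it finds; it cannot see the settings compiled into the installed binary, so a clean result here points back at the build configuration.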



