Hi, Apache httpd users mailing-list!
Trying to configure gitolite3 (http://gitolite.com/) with Apache,
I encountered some problems with suexec
(http://httpd.apache.org/docs/2.2/suexec.html) that I did not
understand.
I'm wondering *where* the problem is:
if it is a simple wrong config (main hypothesis for the noob I am),
or if there is something fundamental I missed in suexec principles,
or if the problem comes from OS packaging, or so...
So, if some of you could help me, or simply redirect me to the right
source of documentation or process, I'll be grateful.
Anyway, thank you for your attention, and please excuse all possible
misspelled words or strange phrases
(non-English writer here).
Problem
=======
Here's the problem:
I failed to let suexec run the gitolite shell wrapper,
because of rights on either the wrapper file or its parent directory.
If suexec finds the wrapper, rights on the parent directory (which differ
from the wrapper's) make suexec fail -- simplified suexec log follows:

    [2015-04-22]: uid: (110/git) gid: (116/git) cmd: gitolite-suexec-wrapper
    [2015-04-22]: target uid/gid (110/116) mismatch with directory (0/0) or program (110/116)

If rights on the wrapper's parent directory are set identical to the wrapper's,
suexec fails to find it -- simplified suexec log follows:

    [2015-04-22]: uid: (110/git) gid: (116/git) cmd: gitolite-suexec-wrapper
    [2015-04-22]: (2)No such file or directory: exec failed (gitolite-suexec-wrapper)

Configuration(s)
================
I've mainly followed the documentation provided by gitolite:
http://gitolite.com/gitolite/ssh-and-http.html,
slightly adapted to potentially have one gitolite instance
(and its configuration and related git repositories) per virtualhost/project.
The full project has its own dedicated directory (e.g.
/home/work/domain.tld/project),
subdivided into:

    - etc/          # configuration
      - httpd.conf  # Apache virtual host configuration for project (see below)
    - git/          # repositories
    - gitolite/     # gitolite's home
    - www/          # web documents

The shell wrapper to gitolite, expected to be executed by suEXEc,
stands in suEXEc's root, here /var/www
(see below for suEXEc configuration):

    $ ls /var/www # truncated
    gitolite-suexec-wrapper

SuEXEc configuration follows:

    $ /usr/lib/apache2/suexec -V
    -D AP_DOC_ROOT="/var/www"
    -D AP_GID_MIN=100
    -D AP_HTTPD_USER="www-data"
    -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
    -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
    -D AP_UID_MIN=100
    -D AP_USERDIR_SUFFIX="public_html

Project configuration for Apache is described as:

    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName project.domain.tld
        DocumentRoot /home/work/domain.tld/project/www
        CustomLog /var/log/apache2/project.domain.tld-access.log common
        ErrorLog /var/log/apache2/project.domain.tld-error.log

        <Directory /home/work/domain.tld/project/www>
            AllowOverride None
            Order allow,deny
            Allow from all
        </Directory>

        ### Authentication ###
        <Location />
            AuthType Digest
            AuthName "project.domain.tld"
            AuthDigestDomain /
            AuthDigestProvider file
            AuthUserFile /home/work/domain.tld/project/etc/.pwdigests
            Require valid-user
        </Location>

        SuexecUserGroup git git
        ScriptAlias /git/ /var/www/gitolite-suexec-wrapper/
    </VirtualHost>

The git user is identified by:

    $ id git
    uid=110(git) gid=116(git) groupes=116(git)

(For the sake of completeness, here is the system software
version info:
- OS: Debian Wheezy (currently up-to-date)
- Apache httpd: Apache/2.2.22 )

I've tried several small variants, but encountered the same main
problem, described above.

Variant 1
---------
In the first (default) configuration, the SuEXEc root document and
the gitolite shell wrapper have the following rights:

    $ ls -l /var # truncated
    drwxr-xr-x 3 root root www
    $ ls -l /var/www # truncated
    -rwxr-xr-- 1 git git gitolite-suexec-wrapper

Then, suEXEc succeeds in finding the gitolite shell wrapper,
but due to the owner mismatch between the wrapper (git/git)
and its parent dir. /var/www (root/root), it fails with the
previously mentioned logged error:

    [2015-04-22]: uid: (110/git) gid: (116/git) cmd: gitolite-suexec-wrapper
    [2015-04-22]: target uid/gid (110/116) mismatch with directory (0/0) or program (110/116)

Variant 2
---------
If instead we set (in a second configuration) the owners to be identical,
as follows:

    $ ls -l /var # truncated
    drwxr-xr-x 3 git git www
    $ ls -l /var/www # truncated
    -rwxr-xr-- 1 git git gitolite-suexec-wrapper

suexec failed with the previously mentioned logged error:

    [2015-04-22]: uid: (110/git) gid: (116/git) cmd: gitolite-suexec-wrapper
    [2015-04-22]: (2)No such file or directory: exec failed (gitolite-suexec-wrapper)

Variant 3
---------
I've also tried to put the gitolite shell wrapper in its own dedicated directory,
as follows:

    $ ls -l /var/www
    drwxr-xr-x 2 git git project.domain.tld-suexec
    $ ls -l /var/www/project.domain.tld-suexec
    -rwxr-xr-- 1 git git gitolite-suexec-wrapper

and adapted the virtualhost configuration with:

    <VirtualHost *:80>
        # ... see above for complement...
        SuexecUserGroup git git
        ScriptAlias /git/ /var/www/project.domain.tld-suexec/gitolite-suexec-wrapper/
    </VirtualHost>

As before with variants 1 and 2, if project.domain.tld-suexec has root/root
as owners, suexec finds the wrapper but fails to execute it.
And with git/git as owners, it simply doesn't find it.

Variant 4
---------
Another try following variant 3 was adding explicit CGI handling
-- the script was renamed with a .sh suffix:

    $ ls -l /var/www/project.domain.tld-suexec
    -rwxr-xr-- 1 git git gitolite-suexec-wrapper.sh

and the project's virtualhost configuration was completed with:

    <VirtualHost *:80>
        # ... see above for complement...
        <Directory /var/www/project.domain.tld-suexec>
            #AllowOverride None
            Order allow,deny
            Allow from all
            Options ExecCGI
            AddHandler cgi-script .sh
        </Directory>
        SuexecUserGroup git git
        ScriptAlias /git/ /var/www/project.domain.tld-suexec/gitolite-suexec-wrapper.sh/
    </VirtualHost>

As before with previous variants, if project.domain.tld-suexec has root/root
as owners, suexec finds the wrapper but fails to execute it.
And with git/git as owners, it simply did not find it.

----
Could you please help me?
I've not easily found (or recognized as such?) any report with this exact situation
(through Google search, the Apache mailing list or gitolite's one),
which leads me to suspect a misconfiguration or misunderstanding on my side.
But I'm not sure this is the case.
Again, thank you for taking the time to read all the previous lines!
-- Vincent
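
The owner and mode rules behind the "mismatch" log excerpt in the message above, as an added example that is not part of the original post and is not code from Apache or gitolite. It mirrors the directory and program checks listed in the suexec documentation linked in the post; it assumes GNU `stat`, and the function name `suexec_preflight` is hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight check of the owner
# and mode rules suexec applies to a CGI target and its parent directory.
# Assumes GNU stat (as on Debian); suexec_preflight is a hypothetical name.

# usage: suexec_preflight TARGET UID GID
# Prints the first rule that fails and returns 1; prints "ok" and returns 0.
suexec_preflight() {
    target=$1 want_uid=$2 want_gid=$3
    dir=$(dirname -- "$target")

    [ -d "$dir" ] || { echo "cannot stat directory ($dir)"; return 1; }
    [ -f "$target" ] || { echo "cannot stat program ($target)"; return 1; }

    # %u/%g: numeric owner and group, %a: permission bits in octal
    set -- $(stat -c '%u %g %a' -- "$dir")
    dir_uid=$1 dir_gid=$2 dir_mode=$3
    set -- $(stat -c '%u %g %a' -- "$target")
    prg_uid=$1 prg_gid=$2 prg_mode=$3

    # Neither the directory nor the program may be group- or world-writable.
    if [ $(( 0$dir_mode & 022 )) -ne 0 ]; then
        echo "directory is writable by group or others ($dir)"; return 1
    fi
    if [ $(( 0$prg_mode & 022 )) -ne 0 ]; then
        echo "program is writable by group or others ($target)"; return 1
    fi
    # The program must not be setuid or setgid.
    if [ $(( 0$prg_mode & 06000 )) -ne 0 ]; then
        echo "program is setuid or setgid ($target)"; return 1
    fi
    # Target user/group must own BOTH the directory and the program;
    # this is the rule behind the "mismatch" line in the log above.
    if [ "$want_uid" != "$dir_uid" ] || [ "$want_gid" != "$dir_gid" ] ||
       [ "$want_uid" != "$prg_uid" ] || [ "$want_gid" != "$prg_gid" ]; then
        echo "target uid/gid ($want_uid/$want_gid) mismatch with directory ($dir_uid/$dir_gid) or program ($prg_uid/$prg_gid)"
        return 1
    fi
    # The owner needs execute permission on the program.
    if [ $(( 0$prg_mode & 0100 )) -eq 0 ]; then
        echo "program has no owner execute bit ($target)"; return 1
    fi
    echo "ok"
}

# Stand-alone use: sh preflight.sh /path/to/cgi UID GID
if [ "$#" -eq 3 ]; then suexec_preflight "$@"; fi
```

With the values from the post, `suexec_preflight /var/www/gitolite-suexec-wrapper 110 116` reports the same owner pairs as the suexec log for the root-owned `/var/www` case.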