# LOL, fresh system - Virtualmin/Suexec Error



## Lego (Dec 17, 2009)

Okay, well I had a hdd crash, so I had to re-install everything again... LOL, I've got some great luck.

Anyway, I have everything installed and working fine.  But I'm now having problems with virtualmin that I've not had before.  When I click the re-check and refresh configuration, I get this:


```
The status of your system is being checked to ensure that all enabled features 
are available, that the mail server is properly configured, and that quotas are 
active ..

      BIND DNS server is installed, and the system is configured to use it.

      Mail server Sendmail is installed and configured.

      The Suexec command on your system is configured to only run scripts under 
/usr/local/www/data, but the Virtualmin base directory is /usr/home. CGI and PHP 
scripts run as domain owners will not be executed.

.. your system is not ready for use by Virtualmin.
```

I know that I did build it when I installed Apache22, so 1) what is suexec for? Do I _need_ it? How do I fix this?


----------



## Lego (Dec 18, 2009)

Okay, so SuEXEC is for running CGI/SSI, so if I don't use CGI/SSI then I don't need it... and if I don't want people that I host using CGI/SSI then they don't need it... So basically I should just not use it?


----------



## DutchDaemon (Dec 18, 2009)

Virtualmin allows a user to manipulate root-owned config files and processes through a web interface, correct? Without suexec, those edits would be performed by the www user. That won't work, of course. Unless you perform some nasty sudo trickery, but better just stick with Virtualmin's requirements. 

The salient point is:


```
The Suexec command on your system is configured to only run scripts under 
/usr/local/www/data, but the Virtualmin base directory is /usr/home.
```

Either put Virtualmin scripts under /usr/local/www/data, or tell Apache to look for it under /usr/home.


----------



## Lego (Dec 18, 2009)

Okay, thanks.  I will just change where virtualmin looks.  But do I really want it enabled? It seems there are a lot of security risks in enabling it (or setting it up properly), which is why it's not enabled in the default install: http://httpd.apache.org/docs/2.2/suexec.html

I disabled it in the virtualmin module, and virtualmin successfully checked everything else.


----------



## DutchDaemon (Dec 19, 2009)

Using _any_ web based admin program is a security risk. Then again, I know nothing about Virtualmin, so maybe it doesn't need suexec. But since it's obviously complaining about it not being available .. I guess it needs it.


----------



## Borg (Jan 13, 2011)

I know this post has not seen a response anytime soon since about a little over a year ago, but I thought this might come in quite useful for those who are unsure of what to do in any instance they might come upon this suexec problem with virtualmin.

Here is a solution someone found to resolve this problem:
http://trunasuci.pbworks.com/w/page/32558556/FreeBSD-Virtualmin-suexec-issue

I wonder if perhaps someone would be able to add this as an options feature in the port to allow people to choose to have suexec set up for virtualmin or not via apache or virtualmin? Anyway hope this helps others too.


----------



## SwellJoe (Jan 15, 2011)

This conversation came up in my Google Alerts, due to the new comment, so I wanted to add a bit of clarification (I'm one of the Virtualmin developers).

DutchDaemon has a misunderstanding of how Virtualmin works and why this error is occurring which leads to his advice being nonsensical. So, pay no attention to the Dutchman, he has no idea what he's talking about. 

Virtualmin does not use suexec to run its own scripts; Virtualmin runs under the Webmin web server (miniserv.pl) which is a dedicated appserver written in Perl, designed specifically for safely operating as root. It provides a number of security features (SSL, password timeouts, brute force protection, switching to lower privileged users when performing some tasks, etc.) and is as small as possible (but no smaller) to allow easier auditing. Virtualmin does not run under Apache, at all, and running Apache as root would be extremely ill-advised, in my opinion (and suexec will refuse to switch to root without modifications).

Virtualmin uses suexec in Apache to prevent virtually hosted users from being able to see each other's files. A CGI script running as the Apache user (www on FreeBSD, I guess) would be able to read the homes of all other users on the system, because Apache can read the homes of all other users on the system. It is practically impossible to safely run a multi-user virtual hosting system without suexec. If you don't have other untrusted users on your system, then you don't need suexec (though it can still help prevent some types of attack, as Apache usually has more privileges than the average user which suexec runs applications as).

The solutions, if you are using suexec, are to either recompile suexec with the docroot set to /home, or to switch the home directory for users in Virtualmin to /usr/local/www/data. I recommend the former, rather than the latter. Users belong in /home, and a lot of additional work will be needed to make everything on the system work happily with users living in /usr/local/www/data. There is no alternative to these two options, and there's nothing Virtualmin can do to make it easier (the install.sh automated install script we provide does the rebuild for you, though...if you wanted to run it rather than installing Virtualmin from ports).

The simplest is to just disable suexec features in Virtualmin. This is only safe if you don't have other users on your system.


----------
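Added example (not part of the thread and not Virtualmin's own check): a small shell check for the mismatch described above, comparing the docroot compiled into suexec with the directory that holds the virtual servers' homes. The function names and the sample `suexec -V` text are constructed for illustration; on a real host, feed it the output of `suexec -V 2>&1` run as root.

```shell
#!/bin/sh
# Constructed sample of `suexec -V` output (the real command prints to stderr).
# The AP_DOC_ROOT value is the one quoted in the Virtualmin message in this
# thread; the other two lines are illustrative.
SAMPLE_SUEXEC_V=' -D AP_DOC_ROOT="/usr/local/www/data"
 -D AP_HTTPD_USER="www"
 -D AP_UID_MIN=1000'

# Print the compiled-in AP_DOC_ROOT from `suexec -V` text read on stdin.
suexec_docroot() {
    sed -n 's/^[[:space:]]*-D AP_DOC_ROOT="\(.*\)"[[:space:]]*$/\1/p' | head -n 1
}

# Return 0 if directory $2 is $1 itself or lies below it. Matching is done on
# whole path components, so /usr/homes does not count as under /usr/home
# (a choice made for this example).
path_within() {
    root=${1%/}; dir=${2%/}
    case "$dir/" in
        "$root/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_home_base SUEXEC_V_TEXT HOME_BASE
# Prints a one-line verdict; exit status 0 = ok, 1 = mismatch, 2 = unknown.
check_home_base() {
    docroot=$(printf '%s\n' "$1" | suexec_docroot)
    if [ -z "$docroot" ]; then
        echo "unknown: no AP_DOC_ROOT in input"; return 2
    fi
    if path_within "$docroot" "$2"; then
        echo "ok: $2 is under suexec docroot $docroot"
    else
        echo "mismatch: suexec docroot is $docroot, home base is $2"; return 1
    fi
}

# The situation from the first post: docroot /usr/local/www/data, homes in /usr/home.
check_home_base "$SAMPLE_SUEXEC_V" /usr/home || true
```

A mismatch here means CGI and PHP scripts under the home base will not run as their domain owners until suexec is rebuilt with a matching docroot or the home base is moved.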



## DutchDaemon (Jan 16, 2011)

So I'm assuming your software is generating less confusing error messages about suexec (post #1) then?


```
The Suexec command on your system is configured to only run scripts under 
/usr/local/www/data, but the Virtualmin base directory is /usr/home. CGI and PHP 
scripts run as domain owners will not be executed.

.. your system is not ready for use by Virtualmin.
```

The error suggested that the suexec configuration needs to be fixed in order for virtualmin to work properly. No mention of it being unnecessary or better yet: superfluous. That's all I based my initial assessment on. Garbage in, garbage out, you know?


----------



## SwellJoe (Jan 16, 2011)

The problem caused by suexec being misconfigured is that "CGI and PHP scripts run as domain owners will not be executed." which is what the error message says will happen.

I guess the "Virtualmin base directory" bit is confusing, and might make it seem like it's the Virtualmin install directory under discussion (it isn't; Virtualmin lives in the Webmin install directory, which is somewhere under /usr/local on FreeBSD; it's the base directory for user homes that Virtualmin administers and has no bearing on operation of Virtualmin). I've changed the message in the next version of Virtualmin to:

"The Suexec command on your system is configured to only run scripts under $2, but the Virtualmin virtual server home directory is $1. CGI and PHP scripts run as domain owners will not be executed."

Is this more clear? I think most users who are dealing with Virtualmin will already understand that it does not run under Apache; so I don't think we need to cover all the stuff about how Virtualmin runs...this is just one status message of many that appear on that config check page. We can't really include a novel about the problem, as people don't read the documentation anyway (this particular bit is covered in our docs in some detail, and has been asked and answered in our forums numerous times, but the question still gets asked a lot).


----------

