WebMO - Computational chemistry on the WWW
Suexec Instructions for Red Hat Linux

Suexec is a part of the apache webserver that allows cgi scripts to run as the user in whose directory they are installed, rather than as the user 'nobody' or 'apache'. This can be convenient both for security and practical reasons. The security restrictions imposed by suexec are documented at httpd.apache.org.

While suexec is distributed as part of the apache rpm package by Red Hat Linux 6.X and 7.X, there is no consistency among versions as to whether suexec is activated by default. Our experience is that suexec is not activated by default in Red Hat Linux 6.2, while it is activated by default in Red Hat Linux 7.2. Some other versions of Red Hat Linux reportedly have suexec activated by default, while others evidently do not.

Activating suexec in Red Hat Linux 6.2

  1. Verify that cgi scripts in /home/*/public_html/cgi-bin execute properly when called by /~{user}/cgi-bin/{script.cgi}. Also, verify that cgiwrap is not being used to execute user scripts.
  2. Activate suexec by setting its suid bit (change its permissions from 711 to 4711)
    # chmod u+s /usr/sbin/suexec
  3. Restart apache
    # /sbin/service httpd restart
  4. Verify that suexec has been enabled
    # tail /var/log/httpd/error_log
          ...[notice] suEXEC mechanism enabled...
  5. Verify that user cgi scripts execute properly. If not, check the suexec log for errors
    # tail /var/log/httpd/suexec_log

Using suexec in Red Hat Linux 7.2

    Suexec is activated by default in Red Hat Linux 7.2.

    If necessary, this can be verified by examining its file permissions (suid bit is set)
    $ ls -alF /usr/sbin/suexec
          -r-s--x--- 1 root apache 11244 Sep 5 20:12 /usr/sbin/suexec*
    by examining the httpd logs
    $ grep suexec /var/log/httpd/error_log
          ...[notice] suEXEC mechanism enabled...
    $ tail /var/log/httpd/suexec_log
    and by examining the modules compiled into the httpd server
    $ /usr/sbin/httpd -l
          suexec: enabled; valid wrapper /usr/sbin/suexec

Tips for using suexec

  • Suexec requires that user cgi scripts not be writable by others, e.g., be 755
  • Suexec requires that the directory containing a cgi script not be writable by others, e.g., be 755 and not 775.
  • If suexec fails to execute a user's script, /var/log/httpd/error_log will only indicate "Premature end of script headers"; however, /var/log/httpd/suexec_log will indicate the actual problem, e.g., "error: directory is writable by others"
  • Red Hat Linux does not automatically rotate the suexec_log, which allows it to grow quite large. Consider adding '/var/log/httpd/suexec_log' to the first line of /etc/logrotate.d/apache.

WebMO and suexec

    In order for WebMO to work on an apache web server with suexec enabled, it must follow all of the suexec requirements, which are stricter than those imposed by apache without suexec or by cgiwrap. Specifically, the cgi directory must not be writable by others.

    For WebMO versions 3.1 and earlier, you must manually change the WebMO cgiBase directory permissions from 777 to 755
    $ find ~ -name "globals.int"
    $ grep ^cgiBase /{path}/globals.int
    $ chmod 755 {cgiBase_directory}

    For WebMO versions 3.2 and later, the WebMO cgiBase directory is created with appropriate file permissions, and no change is needed.
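
An added example, not part of the original page or of Apache or WebMO: a shell pre-flight check for the permission requirements in the tips and in the WebMO cgiBase step above. The function names are hypothetical and the messages are modeled on the suexec_log line quoted above; it tests only the write-permission rules this page lists, not every check suexec performs.

```shell
#!/bin/sh
# Added example (not from WebMO or Apache): pre-flight check of the
# permission rules in the tips above. Function names are hypothetical.

# Returns 0 if the path is writable by group or other. The page's
# "755 and not 775" example shows that group write counts as "others".
writable_by_others() {
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;   # group-write or other-write bit
        *) return 1 ;;
    esac
}

# Checks one CGI script and its directory; prints a line modeled on
# the suexec_log message quoted on the page and returns 1 on failure.
suexec_check() {
    script=$1
    dir=$(dirname -- "$script")
    if [ ! -f "$script" ]; then
        echo "error: not a regular file: $script"
        return 1
    fi
    if writable_by_others "$dir"; then
        echo "error: directory is writable by others: $dir"
        return 1
    fi
    if writable_by_others "$script"; then
        echo "error: file is writable by others: $script"
        return 1
    fi
    echo "ok: $script"
}

# Check every path given on the command line, e.g. ~/public_html/cgi-bin/*.cgi
for f in "$@"; do
    suexec_check "$f"
done
```

Running it over a user's cgi-bin before enabling suexec shows which scripts would otherwise fail with "Premature end of script headers".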

Copyright © 2001, WebMO, LLC, all rights reserved.