403 Forbidden error when running .exe scripts

Hi,

I have a serious problem when trying to execute scripts on my Fedora Core 4 server with Plesk 8 installed. I have defined a ScriptAlias directory in httpd.conf (really an include file called from httpd.conf) like this:

ScriptAlias /pav_qmail/scripts/ "/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/"
<Directory "/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts">
      AllowOverride None
      Options -Indexes Includes ExecCGI
      AddHandler cgi-script .cgi .exe
      Order allow,deny
      Allow from all
</Directory>

chmod is 750 for the script directory and 755 for the scripts themselves.
chown is <website administrator> and chgrp is "psacln" as suggested by Plesk.
There are no .htaccess files defined.

The exact error message I'm getting in IE 6 is:

"Forbidden
You don't have permission to access /pav_qmail/scripts/VentanaPrincipal.exe on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request."

"VentanaPrincipal.exe" is one of the .exe scripts that try to execute.

Can someone help me with this ?

Thanks,
Antonio


agubairaAsked:
Who is Participating?
 
ravenplConnect With a Mentor Commented:
OK, let's stright some thing first. The suexec binary should look like
-rws--x--x  1 root root 11388 Jun  2  2005 suexec
httpd -l (OR: apache2 -l) should show that suexec is enabled and valid

then each .exe should not be sui/sgid, and should be executeable for all or at least for apache and the owner itself. If it's script(like perl or bash) it also has to be readable by the apache and the owner.

each VirtualHost directive should contain the target user/group for execution. The owner/group of the exe file have to match those.
User  username
Group groupname
The suexec performs many checks on the config and file to execute - refer http://httpd.apache.org/docs/2.0/suexec.html

In case suexec is not enabled (but if You use SuexecUserGroup You expect it to be), then the exe have to be read/execute by apache user (and not the owner of webfolder).
0
 
ravenplCommented:
> chmod is 750 for the script directory and 755 for the scripts themselves.
> chown is <website administrator> and chgrp is "psacln" as suggested by Plesk.
it says that only owner and group is allowed to execute such script.
But is Your apache running under <website administrator> user or  psacin group? Usually it runs at apache:apache. In such case it's not allowed to execute the file (chmod 0755 would help).
Or You are using suexec for cgi scrips?
0
 
agubairaAuthor Commented:
Changing to 755 gives me a server misconfiguration error.
How do I know under which user/group is Apache running ? I guess it's psacln,  because the Plesk forum suggests it. If I change the group to something eles, I also get a server misconfiguration.

And yes, the server uses suexec for cgi scripts. This file is owned by root:apache and has the following attributes: -r-s--x---

Thanks
0
Cloud Class® Course: CompTIA Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

 
ravenplCommented:
Please refer apache's errorlog to get the real errormessage.
0
 
agubairaAuthor Commented:
error_log:

[Tue Oct 24 11:00:47 2006] [error] [client 201.249.39.181] (13)Permission denied: access to /pav_qmail/scripts/cgiframeizquierdo.exe denied, referer: http://www.mydomain.com/pav_qmail/html/inicio.html 
[Tue Oct 24 11:00:47 2006] [error] [client 201.249.39.181] (13)Permission denied: access to /pav_qmail/scripts/cgibotones.exe denied, referer: http://www.mydomain.com/pav_qmail/html/derechoprincipalcastellano.html 
[Tue Oct 24 11:00:47 2006] [error] [client 201.249.39.181] (13)Permission denied: access to /pav_qmail/scripts/VentanaPrincipal.exe denied, referer: http://www.mydomain.com/pav_qmail/html/derechoprincipalcastellano.html 
0
 
ravenplCommented:
Looks like suexec is not in use.
error 13 simply means that owner/group/permissions are unsuitable for apache user to execute the script.
For testing purpose try chowning the file to apache user.
0
 
agubairaAuthor Commented:
Ok. I chowned "suexec" in both /usr/bin and /usr/sbin directories to "apache" user, restarted Apache and reproduced the error (13).

It comes to my attention that suexec_log file is not being updated.
0
 
ravenplCommented:
No, not the suexec !
change owner of the /pav_qmail/scripts/cgiframeizquierdo.exe and others...
0
 
agubairaAuthor Commented:
Sorry. Now I changed ownership of .exe scripts and the problem remains the same. I found the following line in the error log:

Warning: SuexecUserGroup directive requires SUEXEC wrapper.

Looks like suexec is not present. What do you think ? Please confirm ownership and permits of this binary.

Thanks
0
 
agubairaAuthor Commented:
Ok. I made the following changes and the scripts work !

suexec is: -rwx--x--x root root
script directory is: -rwxr-x--- panda apache
script files are: -rwxr-x--- panda apache         (panda is the owner of the process)

However when I restart apache I get the SuexecUserGroup warning, unless I chmod u+s suexec; but if I do then the scripts fail to work with an "internal server error"
I don't understand a thing...

The httpd -l command only shows the compiled modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c
 
0
 
ravenplCommented:
And nothing new in the log? Then I don't know.
0
 
agubairaAuthor Commented:
Well suexec_log has some new stuff. The thing is that I was making changes and don't know when the error ocurred. I suppose that when the "internal server" error appeared (by changing chmod u+s on suexec):

[2006-10-25 11:03:15]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgiframeizquierdo.exe
[2006-10-25 11:03:15]: command not in docroot (/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/cgiframeizquierdo.exe)
[2006-10-25 11:03:15]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgibotones.exe
[2006-10-25 11:03:15]: command not in docroot (/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/cgibotones.exe)
[2006-10-25 11:03:15]: uid: (10023/cortilista) gid: (10001/10001) cmd: VentanaPrincipal.exe
[2006-10-25 11:03:15]: command not in docroot (/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/VentanaPrincipal.exe)

AND

[2006-10-25 11:35:29]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgiframeizquierdo.exe
[2006-10-25 11:35:29]: cannot get docroot information (/var/www/vhosts)
[2006-10-25 11:35:30]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgibotones.exe
[2006-10-25 11:35:30]: cannot get docroot information (/var/www/vhosts)
[2006-10-25 11:35:30]: uid: (10023/cortilista) gid: (10001/10001) cmd: VentanaPrincipal.exe
[2006-10-25 11:35:30]: cannot get docroot information (/var/www/vhosts)

However you lead me to the solution and you got your points and Grade A.

Thank you so much !
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.