SuExec cannot execute scripts with "failed to setuid" error

From Wiki

Jump to: navigation, search


Question

1H Hive cannot execute certain scripts and I see "failed to setuid" errors in the log files. What should I do?

Answer

This issue is most commonly caused by the grsecurity set of patches for the Linux kernel. If you see similar records in the SuExec log files:

 [2013-12-09 10:16:38]: emerg: failed to setuid (1065: index.php) user target/actual: (1065/testuser)

this may indicate that grsecurity has blocked the users in question. To make sure that this is the case use the following command to print the message buffer of the kernel:

 dmesg | grep UID

Replace UID with the id of the user which is mentioned in the SuExec log files. If you see records similar to the following:

 grsec: banning user with uid 1065 until system restart for suspicious kernel crash
 grsec: banning user with uid 1065 until system restart for suspicious kernel crash

this means that grsecurity has detected abnormal activity and that is why it has blocked the users in question. There are three ways to resolve the issue:

1. You can disable the grsecurity CONFIG_GRKERNSEC_KERN_LOCKOUT option. Please note that it is always better to find out why grsecurity has blocked certain users instead of simply disabling this option.

2. You can temporary change the ID of the affected user, so that grsecurity will not block the requests for the new ID.

3. You can use the grsecurity "gradm" command to remove the ban for a specific user. For example, to remove the ban for user ID 1065 you should use the following command:

 gradm -M 1065

You should check the following link for more details how to use the grsecurity administration utility:

http://en.wikibooks.org/wiki/Grsecurity/The_Administration_Utility

Personal tools
Namespaces
Variants
Actions
Navigation
Toolbox