HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


berny 19th March 2008 20:05

suPHP fails with mod 0600 on Debian Etch
 
Hello,

I have an installation of ISPConfig 2.2.21 and have installed suPHP according to the howto found at http://www.howtoforge.com/install-su...2.20-and-above

suPHP now seems to be working well for php-scripts and textpattern sites when using 0664 access rights on files.

However, I want to have 0600 so no ftp-user or shell-user can see files from another web. But if I give group and other no read rights apache throws an error 403.

What do I need to do?

Here is my config:


From /etc/apache2/vhosts/Vhosts_ispconfig.conf:

Code:

###################################
#
# ISPConfig vHost Configuration File
#        Version 1.0
#
###################################
#
NameVirtualHost xxx.xxx.xxx.249:80
<VirtualHost xxx.xxx.xxx.249:80>
  ServerName localhost
  ServerAdmin root@localhost
  DocumentRoot /var/www/sharedip
</VirtualHost>
#
#
######################################
# Vhost: www.yyyy.de:80
######################################
#
#
<VirtualHost xxx.xxx.xxx.249:80>
SuexecUserGroup web1_ web1
ServerName www.yyyy.de:80
ServerAdmin webmaster@yyyy.de
DocumentRoot /var/www/web1/web
ServerAlias yyyy.de
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
Alias  /cgi-bin/ /var/www/web1/cgi-bin/
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
ErrorLog /var/www/web1/log/error.log
AddType application/x-httpd-php .php .php3 .php4 .php5
<Directory /var/www/web1/web>
  suPHP_Engine on
  suPHP_UserGroup web1_ web1
  AddHandler x-httpd-php .php .php3 .php4 .php5
  suPHP_AddHandler x-httpd-php
  SetEnv php_safe_mode Off
</Directory>
Alias /error/ "/var/www/web1/web/error/"
ErrorDocument 400 /error/invalidSyntax.html
ErrorDocument 401 /error/authorizationRequired.html
ErrorDocument 403 /error/forbidden.html
ErrorDocument 404 /error/fileNotFound.html
ErrorDocument 405 /error/methodNotAllowed.html
ErrorDocument 500 /error/internalServerError.html
ErrorDocument 503 /error/overloaded.html
AliasMatch ^/~([^/]+)(/(.*))? /var/www/web1/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web1/user/$1/web/$3
</VirtualHost>


If I access a file with 0600 (-rw-------) access rights, the browser shows an error 403 and I get an entry in /var/www/web1/log/error.log
Code:

[Wed Mar 19 19:29:40 2008] [error] [client xx.xxx.xxx.xx] (13)Permission denied: file permissions deny server access: /var/www/web1/web/index.html

Partial Workaround:

A partial workaround I have found so far is to add the user www-data to the group of the web and set access rights to 0660. The disadvantage is that www-data needs to be added manually to every group.

falko 20th March 2008 17:55

Quote:

SuexecUserGroup web1_ web1

Is web1_ the correct user name?

berny 20th March 2008 18:27

Quote:

Originally Posted by falko
Is web1_ the correct user name?

Yes it is. The user "web1_" has the admin-flag set in the ISPConfig web-interface and the user web1_ owns the directories and files.

Code:

zwei:/var/www/web1/web# ls -lha
insgesamt 160K
drwxrwxr-x 26 web1_ web1 4,0K 2008-03-20 18:15 .
drwxr-xr-x  9 web1_ web1 4,0K 2008-03-19 18:37 ..

[...]

-rw-r----- 1 web1_ web1 52 2008-03-20 18:20 test.html

[...]

BTW, should the thread be moved into the ISPConfig-Installation/Configuration Forum?

Thanks a lot.

falko 21st March 2008 14:40

What's in /etc/suphp.conf?

berny 22nd March 2008 14:03

The complete content of /etc/suphp.conf is:

Code:

[global]
;Path to logfile
logfile=/var/log/suphp.log

;Loglevel
loglevel=info

;User Apache is running as
webserver_user=www-data

;Path all scripts have to be in
docroot=/

;Path to chroot() to before executing script
;chroot=/mychroot

; Security options
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false

;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=false

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
umask=0077

; Minimum UID
min_uid=100

; Minimum GID
min_gid=100

[handlers]
;Handler for php-scripts
x-httpd-php=php:/home/admispconfig/ispconfig/tools/suphp/usr/bin/php-wrapper

;Handler for CGI-scripts
x-suphp-cgi=execute:!self


falko 23rd March 2008 18:12

Looks ok.
I couldn't find anything about it on the web, but I think that Apache still needs read access to the files.
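
The trade-off discussed in this thread, as an added example that is not part of any post: a Unix permission check showing which of the file modes mentioned above let the webserver user read a file and which also expose it to a user of another web. The numeric UIDs/GIDs, the "neighbour" account, the helper names and the 0640 variant are assumptions made for illustration.

```python
import os
import stat

def can_read(mode, owner_uid, owner_gid, uid, gids):
    """Unix DAC read check: only the first matching class
    (owner, then group, then other) is consulted."""
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def classify(mode, owner_uid, owner_gid, server, neighbour):
    """server and neighbour are (uid, set_of_gids) tuples."""
    if not can_read(mode, owner_uid, owner_gid, *server):
        return "403"  # the webserver process cannot open the file
    if can_read(mode, owner_uid, owner_gid, *neighbour):
        return "served+exposed"  # users of other webs can read it too
    return "served+private"

def classify_path(path, server, neighbour):
    """Same check using a real file's mode and ownership."""
    st = os.stat(path)
    return classify(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                    server, neighbour)

# Constructed IDs (assumptions): web1_:web1 owns the files, www-data is
# the webserver user, the neighbour is a shell/FTP user of another web.
WEB1_UID, WEB1_GID = 10001, 10001
WWW_DATA = (33, {33})
WWW_DATA_IN_WEB1 = (33, {33, WEB1_GID})  # after adding www-data to group web1
NEIGHBOUR = (10002, {10002})

def thread_cases():
    owner = (WEB1_UID, WEB1_GID)
    return {
        "0600": classify(0o600, *owner, WWW_DATA, NEIGHBOUR),
        "0664": classify(0o664, *owner, WWW_DATA, NEIGHBOUR),
        "0640": classify(0o640, *owner, WWW_DATA, NEIGHBOUR),
        "0660+group": classify(0o660, *owner, WWW_DATA_IN_WEB1, NEIGHBOUR),
        "0640+group": classify(0o640, *owner, WWW_DATA_IN_WEB1, NEIGHBOUR),
    }

if __name__ == "__main__":
    for case, result in thread_cases().items():
        print(f"{case:12} {result}")
```

The check covers file mode bits only; ACLs and the search (x) bits on each parent directory are not evaluated.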

