HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


omry 12th September 2008 00:05

ISPConfig3 : suphp on debian etch and a few other questions
 
How do I setup suphp for ISPConfig3 on debian etch?
I tried to install the package, made sure the module is active, and I get:

Invalid command 'suPHP_UserGroup', perhaps misspelled or defined by a module not included in the server configuration
failed!

when I restart apache.

another question:
do I normally (if all is well) need to restart/reload apache after adding a site through ISPConfig?

one last question:
I noticed that the web directory for a site looks something like this:
/var/clients/client0/web1/web

is it possible to have the user files stored under his home directory? (/home/user)

till 12th September 2008 15:31

1) Uninstall mod_suphp from debian and try this guide:

http://www.howtoforge.com/install-su...2.20-and-above

2) no
3) No, as there is no such directory as /home/user in ISPConfig3.

omry 12th September 2008 17:41

Thanks, I'll try the suphp link.

about /home/user :
I noticed that when I create a site through ispconfig (3), there is an option to specify the linux user and group, and the directory for the site.
however, it does not seem to make any actual difference.
is that a bug?

I tried to create a shell user. the user was created in ispconfig but was not created on the server (nothing in /etc/passwords).
another bug or am I missing something?

what is the proper way of granting users shell access, and make sure they have access to their web sites?

till 12th September 2008 18:00

Quote:

I noticed that when I create a site through ispconfig (3), there is an option to specify the linux user and group, and the directory for the site.
however, it does not seem to make any actual difference.
is that a bug?

No, that's not a bug. You will have to create the user and directory manually beforehand; there is no assistance from ispconfig in this. Also, it is not recommended to change this setting at all, and it may cause the complete vhost to fail.

Quote:

I tried to create a shell user. the user was created in ispconfig but was not created on the server (nothing in /etc/passwords).
another bug or am I missing something?

There is no known bug with that. I just tested it and it works for me. Maybe a bug in your setup. Additionally, if you changed the settings that you mentioned above, the creation of shell users may fail.

Quote:

what is the proper way of granting users shell access, and make sure they have access to their web sites?

Create a shell user in ispconfig interface.

omry 12th September 2008 19:33

Quote:

Originally Posted by till (Post 144786)
No, that's not a bug. You will have to create the user and directory manually beforehand; there is no assistance from ispconfig in this. Also, it is not recommended to change this setting at all, and it may cause the complete vhost to fail.

I see.
from the usability standpoint, ispconfig should fail the action if the directory/user does not exist instead of succeeding with the default value.

Quote:

Originally Posted by till (Post 144786)
There is no known bug with that. I just tested it and it works for me. Maybe a bug in your setup. Additionally, if you changed the settings that you mentioned above, the creation of shell users may fail.

Create a shell user in ispconfig interface.

I deleted my test host, created it again, and now I managed to create a shell user and log in with it.
one thing is bothering me:

when I create a shell user, I am associating it with a site and not with a client.
this means that for a client with multiple sites, I will have to create a user for each site. this is cumbersome.
is it possible to create a shell user for a client, which will have access to all the client sites?

About suphp:
I got it to work, but I also had to apply the patch from here:
http://www.howtoforge.com/apache2_suphp_php4_php5_p2

any idea why suphp is not patched with this by default?
looks like suphp is almost but not quite working, and it's a pity that users have to go through all those fire hoops to get it to work.
unless there is a good reason, the suphp debian package should be configured in a way that allows the use case for ispconfig by default.

thanks for all your help.

till 12th September 2008 21:06

Quote:

I see. from the usability standpoint, ispconfig should fail the action if the directory/user does not exist instead of succeeding with the default value.

Maybe I will remove the option to change the user and path until the final version.

Quote:

when I create a shell user, I am associating it with a site and not with a client.
this means that for a client with multiple sites, I will have to create a user for each site. this is cumbersome.
is it possible to create a shell user for a client, which will have access to all the client sites?

This is a matter of security. If all sites of a client share the same user, they will all be affected by a hack if one of the sites gets hacked, as the scripts of the site run under this user. Nevertheless, all sites of a user share the same group, so as long as your files are group writable, they can be accessed by the same user.

Quote:

any idea why suphp is not patched with this by default?

This question you will have to ask the maintainer of the suphp packages. I have removed the suphp_UserGroup directive now. But this is not as secure as the configuration with Usergroup.

Without the suphp_UserGroup setting, the php scripts are run under the user that owns the files. This is generally fine as long as you uploaded the files with the correct user. But in case you (as root admin) copied some files from another website and forgot to chown the files, they will get wrong access privileges; with the suphp_UserGroup setting you would have got a 500 error in this case.
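
An ownership check for the failure case described in the post above, as an added example that is not part of the original thread: it lists entries in a site's web directory that do not belong to the site's own user and group. The user and group names in the usage comment are hypothetical; the path follows the layout quoted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Without suPHP_UserGroup, suPHP runs a
# script as whoever owns the file, so a file copied from another site and
# never chown'ed runs under that other site's user. This audit finds them.

# mismatched_files DOCROOT USER GROUP
# Prints the path of every entry whose owner or group differs.
# USER and GROUP may be names or numeric ids (find accepts both).
mismatched_files() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# audit_docroot DOCROOT USER GROUP
# Returns 0 if ownership is consistent, 1 if mismatches exist,
# 2 on bad input or a find error.
audit_docroot() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    bad=$(mismatched_files "$1" "$2" "$3") || return 2
    [ -z "$bad" ] && return 0
    echo "ownership mismatch under $1 (expected $2:$3):" >&2
    # Show owner and group of each offending entry for the chown decision.
    printf '%s\n' "$bad" | while IFS= read -r f; do ls -ld "$f" >&2; done
    return 1
}

# Usage (user and group names are hypothetical):
#   audit_docroot /var/clients/client0/web1/web web1 client0
if [ "$#" -eq 3 ]; then
    audit_docroot "$1" "$2" "$3"
fi
```

Running it after any manual copy into a site directory catches the case before a request does.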

omry 13th September 2008 09:04

Quote:

Originally Posted by till (Post 144812)
This is a matter of security. If all sites of a client share the same user, they will all be affected by a hack if one of the sites gets hacked, as the scripts of the site run under this user. Nevertheless, all sites of a user share the same group, so as long as your files are group writable, they can be accessed by the same user.

I understand your point, but personally I am willing to live with user level isolation.
is there any chance for this to be implemented, at least as an option?

Quote:

Originally Posted by till (Post 144812)
This question you will have to ask the maintainer of the suphp packages. I have removed the suphp_UserGroup directive now. But this is not as secure as the configuration with Usergroup.

Without the suphp_UserGroup setting, the php scripts are run under the user that owns the files. This is generally fine as long as you uploaded the files with the correct user. But in case you (as root admin) copied some files from another website and forgot to chown the files, they will get wrong access privileges; with the suphp_UserGroup setting you would have got a 500 error in this case.

I see.
in fact this question should go to the suphp developer first, because the latest code he released does not allow proper usage of the suphp_UserGroup settings. I had to slightly change the code.

till 13th September 2008 10:54

Quote:

is there any chance for this to be implemented, at least as an option?

This is not planned yet.

Quote:

I see.
in fact this question should go to the suphp developer first, because the latest code he released does not allow proper usage of the suphp_UserGroup settings. I had to slightly change the code.

As far as I know, it's not a problem with the suphp developer. It is a question of compile options. If suphp is compiled with --with-setid-mode=paranoid, then suphp_UserGroup can be used, otherwise not. The only thing I don't know is why this setting is not just optional, so if suphp_UserGroup is there use it, otherwise rely on the ownership of the files.

omry 13th September 2008 11:02

as I said, you need to apply this patch for the directive to work in the context ispconfig is trying to use it:
http://www.howtoforge.com/apache2_suphp_php4_php5_p2

till 13th September 2008 11:08

Quote:

as I said, you need to apply this patch for the directive to work in the context ispconfig is trying to use it:
http://www.howtoforge.com/apache2_suphp_php4_php5_p2

That's not needed anymore. Please update to the latest ISPConfig 3 release from svn.


All times are GMT +2.