HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


filipealvarez 4th January 2011 19:13

Wrong apache+php user permissions
 
Hi friends, I'm having a strange issue that I have never seen in ISPConfig.

I usually install ispconfig3 (latest version) over Ubuntu 8.04 with total success!

But recently I needed to install it on Debian 5.0.7. I followed the instructions of the 'official perfect setup' from How2forge and the installation worked well.

But the problem is the permissions of the php user, which is configured with Suexec + fastcgi. Look:

uid=33(www-data) gid=33(www-data) groups=33(www-data),5003(ispapps),5004(ispconfig),5005(client1)

But in another server I got the normal result:

uid=5005(webx), gid=2006(clientx)

Anyone know why this occurs?

Thanks

filipealvarez 4th January 2011 20:20

One piece of information that may be useful:

www-data 3842 0.0 0.0 168316 13332 ? S 15:54 0:00 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web4/web:/var/www/clients/client1/

Look, the php-cgi process is spawned by the wrong user (www-data).

In other servers the process is spawned by the webX user like below:

web206 32710 3.6 0.1 165340 12980 ? S 17:04 0:22 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client75/web206 -d upload_tmp_dir=/var/www/clients/client75/web206/tmp -d session.save_path=/var/www/clients/client75/web206/tmp


Anybody know what is going on?

till 4th January 2011 20:27

Looks as if suexec is not enabled in that website. Please post the apache vhost configuration file of the affected site.

Additionally, take a look into the ispconfig monitor and check if there are any jobs listed in the jobqueue.

filipealvarez 4th January 2011 20:42

Thanks for your reply, till. I looked at the jobqueue and it's working well; the tasks have been executed and disappear from the jobqueue.

See the vhost conf below:

<Directory /var/www/new.compreauto.com.br>
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>

<VirtualHost 200.219.204.187:80>
DocumentRoot /var/www/new.compreauto.com.br/web

ServerName new.compreauto.com.br
ServerAlias www.new.compreauto.com.br
ServerAdmin webmaster@new.compreauto.com.br

ErrorLog /var/log/ispconfig/httpd/new.compreauto.com.br/error.log


ErrorDocument 400 /error/400.html
ErrorDocument 401 /error/401.html
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 405 /error/405.html
ErrorDocument 500 /error/500.html
ErrorDocument 503 /error/503.html

<Directory /var/www/new.compreauto.com.br/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/clients/client1/web4/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>


# suexec enabled
SuexecUserGroup web4 client1
# Clear PHP settings of this website
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
# php as fast-cgi enabled
<IfModule mod_fcgid.c>

# SocketPath /tmp/fcgid_sock/

# IdleTimeout n (3600 seconds)
# An idle fastcgi application will be terminated after IdleTimeout seconds.
IdleTimeout 3600

# ProcessLifeTime n (7200 seconds)
# A fastcgi application will be terminated if lifetime expired, even no error is detected.
ProcessLifeTime 7200

# MaxProcessCount n (1000)
# The max count of total fastcgi process count.
# MaxProcessCount 1000

# DefaultMinClassProcessCount n (3)
# The minimum number of fastcgi application instances for any one fastcgi application.
# Idle fastcgi will not be killed if their count is less than n
# Set this to 0, and tweak IdleTimeout
DefaultMinClassProcessCount 0

# DefaultMaxClassProcessCount n (100)
# The maximum number of fastcgi application instances allowed to run for
# particular one fastcgi application.
DefaultMaxClassProcessCount 100

# IPCConnectTimeout n (3 seconds)
# The connect timeout to a fastcgi application.
IPCConnectTimeout 8

# IPCCommTimeout n (20 seconds)
# The communication timeout to a fastcgi application. Please increase this
# value if your CGI have a slow initialization or slow respond.
IPCCommTimeout 360

# BusyTimeout n (300 seconds)
# A fastcgi application will be terminated if handing a single request
# longer than busy timeout.
BusyTimeout 300

</IfModule>
<Directory /var/www/new.compreauto.com.br/web>
AddHandler fcgid-script .php .php3 .php4 .php5
FCGIWrapper /var/www/php-fcgi-scripts/web4/.php-fcgi-starter .php
Options +ExecCGI
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/clients/client1/web4/web>
AddHandler fcgid-script .php .php3 .php4 .php5
FCGIWrapper /var/www/php-fcgi-scripts/web4/.php-fcgi-starter .php
Options +ExecCGI
AllowOverride All
Order allow,deny
Allow from all
</Directory>

# add support for apache mpm_itk
<IfModule mpm_itk_module>
AssignUserId web4 client1
</IfModule>

<IfModule mod_dav_fs.c>
# DO NOT REMOVE THE COMMENTS!
# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
# WEBDAV BEGIN
# WEBDAV END
</IfModule>


</VirtualHost>


As additional information, here are the apache/php packages installed on Lenny:

web:~# dpkg -l|egrep 'apache|php|sue'
ii apache2-doc 2.2.9-10+lenny8 Apache HTTP Server documentation
ii apache2-mpm-prefork 2.2.9-10+lenny8 Apache HTTP Server - traditional non-threaded model
ii apache2-suexec 2.2.9-10+lenny8 Standard suexec program for Apache 2 mod_suexec
ii apache2-utils 2.2.9-10+lenny8 utility programs for webservers
ii apache2.2-common 2.2.9-10+lenny8 Apache HTTP Server common files
ii libapache2-mod-fcgid 1:2.2-1 an alternative module compat with mod_fastcgi
ii libapache2-mod-php5 5.2.6.dfsg.1-1+lenny9 server-side, HTML-embedded scripting language (Apache 2 module
ii libapache2-mod-suphp 0.6.2-3 Apache2 module to run php scripts with the owner permissions
ii php-auth 1.6.1-1 PHP PEAR modules for creating an authentication system
ii php-pear 5.2.6.dfsg.1-1+lenny9 PEAR - PHP Extension and Application Repository
ii php5 5.2.6.dfsg.1-1+lenny9 server-side, HTML-embedded scripting language (metapackage)
ii php5-cgi 5.2.6.dfsg.1-1+lenny9 server-side, HTML-embedded scripting language (CGI binary)
ii php5-cli 5.2.6.dfsg.1-1+lenny9 command-line interpreter for the php5 scripting language
ii php5-common 5.2.6.dfsg.1-1+lenny9 Common files for packages built from the php5 source
ii php5-curl 5.2.6.dfsg.1-1+lenny9 CURL module for php5
ii php5-gd 5.2.6.dfsg.1-1+lenny9 GD module for php5
ii php5-imagick 2.1.1RC1-1 ImageMagick module for php5
ii php5-imap 5.2.6.dfsg.1-1+lenny9 IMAP module for php5
ii php5-mcrypt 5.2.6.dfsg.1-1+lenny9 MCrypt module for php5
ii php5-mysql 5.2.6.dfsg.1-1+lenny9 MySQL module for php5
ii suphp-common 0.6.2-3 Common files for mod suphp


Thanks again!

till 4th January 2011 21:18

The vhost config looks fine. Please post the output of this command:

grep web4 /etc/passwd

filipealvarez 4th January 2011 23:49

Till, here is the output:

web:~# grep web4 /etc/passwd
web4:x:5004:5005::/var/www/clients/client1/web4:/bin/false

/etc/group
vmail:x:5000:
getmail:x:5001:
sshusers:x:5002:web4
ispapps:x:5003:www-data
ispconfig:x:5004:www-data
client1:x:5005:www-data

Anything strange?

Thanks

filipealvarez 5th January 2011 00:27

Till, I FOUND the problem: the Debian package apache2-suexec-custom was missing!

I simply did this:

apt-get install apache2-suexec-custom

After restarting Apache and repeating the tests, I got this output:

# id
uid=5004(web4) gid=5005(client1) groups=5002(sshusers),5005(client1)

And the ps aux:

web4 9058 0.0 0.0 168312 13280 ? S 21:11 0:00 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web4/web:/var/www/clients/client1/web4/tmp:/var/www/new.compreauto.com.br/web:/srv/www/new.compreauto.com.br/web:/usr/share/php5:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin -d upload_tmp_dir=/var/www/clients/client1/web4/tmp -d session.save_path=/var/www/clients/client1/web4/tmp

I searched the howto ( http://www.howtoforge.com/perfect-se...-ispconfig3-p4 ) and the line referring to the apache/php install is:

apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libapache2-mod-ruby

Only apache2-suexec was installed, so I think this tip may be useful for Debian 5.0.7 users in general!

But I noticed another difference between ISPConfig on Debian 5 and on Ubuntu 8.0.4: in Ubuntu the user web4 is kept inside the home directory (/var/www/clients/client1/; it cannot list / or /tmp, for example).

Do you know a tip to fix that?

It is horrible to know that a malicious PHP script can list /var/www/clients.

Thanks, and again, the original problem is SOLVED. I raise the second problem in this thread just because I consider it a bit related.
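
The by-eye comparison of `ps aux` owners made in this thread can be scripted; the following is an added example, not part of the original posts or of ISPConfig. It assumes the ISPConfig layout seen above (`/var/www/clients/clientX/webN`, system user `webN`); the function names and the sample lines, modelled on the thread's output, are constructed for illustration.

```shell
#!/bin/sh
# Flag php-cgi workers whose process owner differs from the site user (webN)
# implied by the first entry of their open_basedir setting.

# Constructed sample input, modelled on the `ps aux` lines quoted in the thread.
sample_ps() {
cat <<'EOF'
www-data 3842 0.0 0.0 168316 13332 ? S 15:54 0:00 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web4/web:/var/www/clients/client1/web4/tmp
web206 32710 3.6 0.1 165340 12980 ? S 17:04 0:22 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client75/web206 -d upload_tmp_dir=/var/www/clients/client75/web206/tmp
www-data 2101 0.0 0.1 90000 5000 ? S 15:50 0:00 /usr/sbin/apache2 -k start
EOF
}

# Reads `ps aux` output on stdin and prints one line per php-cgi worker:
#   OK|MISMATCH <pid> owner=<user> expected=<webN>
check_fcgi_owner() {
    awk '
    /php-cgi/ {
        expected = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^open_basedir=/) {
                # Keep only the first path of the colon-separated list.
                path = substr($i, length("open_basedir=") + 1)
                split(path, entries, ":")
                n = split(entries[1], seg, "/")
                # The first path segment shaped like webN names the site user.
                for (j = 1; j <= n; j++)
                    if (seg[j] ~ /^web[0-9]+$/) { expected = seg[j]; break }
            }
        }
        if (expected == "") next   # not an ISPConfig site worker
        status = ($1 == expected) ? "OK" : "MISMATCH"
        printf "%s %s owner=%s expected=%s\n", status, $2, $1, expected
    }'
}

# Stand-alone run on the constructed sample.
sample_ps | check_fcgi_owner
```

On a live host, pipe `ps aux` into `check_fcgi_owner`; any MISMATCH line with owner=www-data means suexec is not switching users for that site.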

filipealvarez 7th January 2011 19:42

All problems are SOLVED, remember to always use the latest packages with apt-get!

Thanks Till!


All times are GMT +2.