Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > Installation/Configuration

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 12th September 2008, 00:05
omry omry is offline
Junior Member
 
Join Date: Sep 2008
Posts: 23
Thanks: 3
Thanked 3 Times in 3 Posts
Default ISPConfig3 : suphp on debian etch and a few other questions

How do I setup suphp for ISPConfig3 on debian etch?
I tried to install the package, made sure the module is active, and I get:

Invalid command 'suPHP_UserGroup', perhaps misspelled or defined by a module not included in the server configuration
failed!

when I restart apache.

another question:
do I normally (if all is well) need to restart/reload apache after adding a site through ISPConfig?

one last question:
I noticed that the web directory for a site looks something like this:
/var/clients/client0/web1/web

is it possible to have the user files stored under his home directory? (/home/user)
Reply With Quote
Sponsored Links
  #2  
Old 12th September 2008, 15:31
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,792
Thanks: 821
Thanked 5,338 Times in 4,188 Posts
Default

1) Uninstall mod_suphp from debian and try this guide:

http://www.howtoforge.com/install-su...2.20-and-above

2) no
3) No, as there is no such directory as /home/user in ISPConfig3.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #3  
Old 12th September 2008, 17:41
omry omry is offline
Junior Member
 
Join Date: Sep 2008
Posts: 23
Thanks: 3
Thanked 3 Times in 3 Posts
Default

Thanks, I`ll try the suphp link.

about /home/user :
I noticed that when I create a site through ispconfig (3), there is an option to specify the linux user and group, and the directory for the site.
however, it does not seem to make any actual difference.
is that a bug?

I tried to create a shell user. the user was create in ispconfig but was not created on the server (nothing in /etc/passwords).
another bug or am I missing something?

what is the proper way of granting users shell access, and make sure they have access to their web sites?
Reply With Quote
  #4  
Old 12th September 2008, 18:00
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,792
Thanks: 821
Thanked 5,338 Times in 4,188 Posts
Default

Quote:
I noticed that when I create a site through ispconfig (3), there is an option to specify the linux user and group, and the directory for the site.
however, it does not seem to make any actual difference.
is that a bug?
No, thats not a bug. You will have to create the user and directory manually before, there is no assistence from ispconfig in ths. Also it is not recommended to change this setting at and it may cause the complete vhost to fail.

Quote:
I tried to create a shell user. the user was create in ispconfig but was not created on the server (nothing in /etc/passwords).
another bug or am I missing something?
There is no known bug with that. I just tested it and it works for me. maybe a bug in your setup. Aditionally, if you changed the settings that you mentioned above, the creation of shell users may fail.

Quote:
what is the proper way of granting users shell access, and make sure they have access to their web sites?
Create a shell user in ispconfig interface.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #5  
Old 12th September 2008, 19:33
omry omry is offline
Junior Member
 
Join Date: Sep 2008
Posts: 23
Thanks: 3
Thanked 3 Times in 3 Posts
Default

Quote:
Originally Posted by till View Post
No, thats not a bug. You will have to create the user and directory manually before, there is no assistence from ispconfig in ths. Also it is not recommended to change this setting at and it may cause the complete vhost to fail.
I see.
from the usability standpoint, ispconfig should fail the action if the directory/user does not exist instead of succeeding with the default value.

Quote:
Originally Posted by till View Post
There is no known bug with that. I just tested it and it works for me. maybe a bug in your setup. Aditionally, if you changed the settings that you mentioned above, the creation of shell users may fail.

Create a shell user in ispconfig interface.
I deleted my test host, created it again, and now I managed to create an shell user and login with it.
one thing is bothering me:

when I create a shell user, I am associating it with a site and not with a client.
this means that for a client with multiple sites, I will have to create a user for each site. this is cumbersome.
is it possible to create a shell user for a client, which will have access to all the client sites?

About suphp:
I got it to work, but I also had to apply the patch from here:
http://www.howtoforge.com/apache2_suphp_php4_php5_p2

any idea what suphp is not patched with this by default?
looks like suphp is almost but not quite working, and it's a pity that users have to go through all those fire hoops to get it to work.
unless there is a good reason, the suphp debian package should be configured in a way that allows the use case for ispconfig by default.

thanks for all your help.
Reply With Quote
  #6  
Old 12th September 2008, 21:06
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,792
Thanks: 821
Thanked 5,338 Times in 4,188 Posts
Default

Quote:
I see. from the usability standpoint, ispconfig should fail the action if the directory/user does not exist instead of succeeding with the default value.
Maybe I remove the option to change the user and path until the final version.

Quote:
when I create a shell user, I am associating it with a site and not with a client.
this means that for a client with multiple sites, I will have to create a user for each site. this is cumbersome.
is it possible to create a shell user for a client, which will have access to all the client sites?
This is a matter of security. If all sites of a client share the same user, they will all be affected of a hack if one of the sites get hacked as the scripts of the site run under this user. neverthesless, all sites of a user share the same group, so als long as your files are grup writable, it can be accessed by the same user.

Quote:
any idea what suphp is not patched with this by default?
This question you will have to ask the maintainer of the suphp packages. I have removed the suphp_UserGroup directive now. But this is not as secure as the configuration with Usergroup.

Without suphp_UserGroup setting, the php scripts are run under the user that owns the files. This is genrally fine as long as you uploaded the files with the correct user. But in case you (as root admin) coped some files from another website and forgot to chown the files, they will get wrong access priveliges, with suphp_UserGroup setting you would have got a 500 error in this case.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #7  
Old 13th September 2008, 09:04
omry omry is offline
Junior Member
 
Join Date: Sep 2008
Posts: 23
Thanks: 3
Thanked 3 Times in 3 Posts
Default

Quote:
Originally Posted by till View Post
This is a matter of security. If all sites of a client share the same user, they will all be affected of a hack if one of the sites get hacked as the scripts of the site run under this user. neverthesless, all sites of a user share the same group, so als long as your files are grup writable, it can be accessed by the same user.
I understand your point, but personally I am willing to live with user level isolation.
is there any chance for this to be implemented, at least as an option?

Quote:
Originally Posted by till View Post
This question you will have to ask the maintainer of the suphp packages. I have removed the suphp_UserGroup directive now. But this is not as secure as the configuration with Usergroup.

Without suphp_UserGroup setting, the php scripts are run under the user that owns the files. This is genrally fine as long as you uploaded the files with the correct user. But in case you (as root admin) coped some files from another website and forgot to chown the files, they will get wrong access priveliges, with suphp_UserGroup setting you would have got a 500 error in this case.
I see.
in fact this question should go to the suphp developer first, because the latest code he released does not allow proper usage of the suphp_UserGroup settings. I had to slightly change the code.
Reply With Quote
  #8  
Old 13th September 2008, 10:54
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,792
Thanks: 821
Thanked 5,338 Times in 4,188 Posts
Default

Quote:
is there any chance for this to be implemented, at least as an option?
This is not planned yet.

Quote:
I see.
in fact this question should go to the suphp developer first, because the latest code he released does not allow proper usage of the suphp_UserGroup settings. I had to slightly change the code.
As far as I know, its not a problem with the suphp developer. It is a question of compile options. If suphp is compiled with --with-setid-mode=paranoid, then suphp_UserGroup can be used, otherwise not. The only thing I dont know is why this setting is not just optional, so if suphp_UserGroup is there use it, otherwise rely on the ownership of the files.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #9  
Old 13th September 2008, 11:02
omry omry is offline
Junior Member
 
Join Date: Sep 2008
Posts: 23
Thanks: 3
Thanked 3 Times in 3 Posts
Default

as I said, you need to apply this patch for the directive to work in the contect ispconfig is trying to use it:
http://www.howtoforge.com/apache2_suphp_php4_php5_p2
Reply With Quote
  #10  
Old 13th September 2008, 11:08
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,792
Thanks: 821
Thanked 5,338 Times in 4,188 Posts
 
Default

Quote:
as I said, you need to apply this patch for the directive to work in the contect ispconfig is trying to use it:
http://www.howtoforge.com/apache2_suphp_php4_php5_p2
Thats not needed anymore. Please update to the latest ISPConfig 3 release from svn.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
noobie email questions with ispconfig and debian 4 etch biobrew Installation/Configuration 9 3rd July 2008 11:44
suPHP fails with mod 0600 on Debian Etch berny Installation/Configuration 5 23rd March 2008 18:12
Perfect setup Debian Etch ISPConfig - DNS Server kdclaver Installation/Configuration 16 28th December 2007 01:39
Questions: Retrieving Emails From Remote Servers With fetchmail (Debian Etch) Quinton HOWTO-Related Questions 1 7th June 2007 16:38
Bind Failed christoph2k HOWTO-Related Questions 4 28th April 2007 00:57


All times are GMT +2. The time now is 06:25.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.