
20th September 2006, 21:47
Member
PHP write permissions
Hi folks,
I have some sort of permission problem regarding php wanting to change/create files:
Imagine I have a web at /var/www/web1/web:
Code:
drwxrwxr-x 7 web1_benjamin web1 4096 2006-07-12 20:52 web
which obviously belongs to web1_benjamin.
Now, any php script residing in this (or any deeper) directory that wants to create or modify files will spit out an error:
Code:
Warning: touch() [function.touch]: Unable to create file test.txt because Permission denied in /var/www/web1/web/test/test.php on line 5
PHP will succeed in creating/modifying files when I either chmod a+w or chgrp www-data the directory. The first is not really desired (I'd actually like ISPConfig to create directories w/o any rights for others....) and the second means handwork.
Secondly, the created files are user www-data and group www-data:
Code:
-rw-r--r-- 1 www-data www-data 0 2006-09-20 21:33 test.txt
OK, let's sum it up:
- How do I make ISPConfig create directories rwxrwx--- when it sets up a web?
- How do I make Apache/PHP use the user/group of the web it's working in to create/modify files?
PS: this is ISPConfig 2.2.0, running on Ubuntu 5.10
Last edited by RicochetPeter; 20th September 2006 at 22:12.

21st September 2006, 11:52
Super Moderator
1) you will have to change the sources for this.
2) Run PHP with suPHP or as cgi with suexec instead of mod_php, so the php scripts will run under the admin user of the website. You will have to update to ISPConfig 2.2.6 to be able to use suPHP together with ISPConfig.

21st September 2006, 22:07
Member
I upgraded to 2.2.6 (seems to be working just fine), and also tried to switch from PHP5 as a module to PHP5 as a CGI.
Starting Apache gives me this error:
Code:
Invalid command 'php_admin_flag', perhaps mis-spelled or defined by a module not included in the server configuration
Many questions:
1a) Do I understand this correctly, that php_admin_flags can only be put in the apache config files when PHP is a module?
1b) Should they be in a .htaccess if PHP is a cgi?
2) Do I have to activate the "Suexec" option in Management->Server->Settings?
3) Does ISPConfig need to know (by some setting) that I want to use PHP as a cgi?
4) Did I go wrong somewhere?
Last edited by RicochetPeter; 21st September 2006 at 22:35.

22nd September 2006, 10:06
Super Moderator
1a) yes
1b) It does not work in .htaccess files either.
2) yes.
3) no, but you will have to deactivate the safemode checkboxes, as safemode is not supported in cgi-php.
4) no, just deactivate safemode in the website settings.

22nd September 2006, 17:19
Member
I took one of my webs and disabled safe_mode, and ISPConfig still uses "php_admin_flag safe_mode Off", so Apache will stumble over that config line again....
the vhost now looks like this:
Code:
<VirtualHost 85.85.85.85:80>
Include /etc/apache2/vhost_includes/bla.de.conf
ServerName www.bla.de:80
ServerAdmin webmaster@bla.de
DocumentRoot /var/www/web12/web
ServerAlias bla.de
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
ScriptAlias /cgi-bin/ /var/www/web12/cgi-bin/
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
ErrorLog /var/www/web12/log/error.log
AddType application/x-httpd-php .php .php3 .php4 .php5
<Files *.php>
SetOutputFilter PHP
SetInputFilter PHP
</Files>
<Files *.php3>
SetOutputFilter PHP
SetInputFilter PHP
</Files>
<Files *.php4>
SetOutputFilter PHP
SetInputFilter PHP
</Files>
<Files *.php5>
SetOutputFilter PHP
SetInputFilter PHP
</Files>
php_admin_flag safe_mode Off
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
Alias /error/ "/var/www/web12/web/error/"
ErrorDocument 400 /error/invalidSyntax.html
ErrorDocument 401 /error/authorizationRequired.html
ErrorDocument 403 /error/forbidden.html
ErrorDocument 404 /error/fileNotFound.html
ErrorDocument 405 /error/methodNotAllowed.html
ErrorDocument 500 /error/internalServerError.html
ErrorDocument 503 /error/overloaded.html
AliasMatch ^/~([^/]+)(/(.*))? /var/www/web12/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web12/user/$1/web/$3
</VirtualHost>
Last edited by RicochetPeter; 22nd September 2006 at 17:33.
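The startup error discussed above comes from `php_admin_flag` lines that only mod_php understands. As an added example (not part of any post in this thread, and not ISPConfig code), this shell function lists such directives in a vhost file when they are not guarded by an `<IfModule>` test for the PHP module. The function names, the sample vhost and the `mod_php5.c` guard are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample vhost, loosely modelled on the one posted above.
sample_vhost() {
cat <<'EOF'
<VirtualHost 85.85.85.85:80>
ServerName www.bla.de:80
DocumentRoot /var/www/web12/web
php_admin_flag safe_mode Off
<IfModule mod_php5.c>
  php_admin_value open_basedir /var/www/web12/
</IfModule>
<IfModule !mod_php5.c>
  php_flag display_errors Off
</IfModule>
# php_flag display_errors On
Action application/x-php4-cgi /cgi-bin/php4
AddType application/x-php4-cgi .cphp
</VirtualHost>
EOF
}

# scan_php_directives [FILE...]   (hypothetical helper)
# Prints "LINE: directive" for every php_flag, php_value, php_admin_flag or
# php_admin_value that Apache would parse even when mod_php is not loaded.
# Exit status is 1 if any were found, 0 otherwise. Reads stdin without FILE.
scan_php_directives() {
    awk '
        # Opening <IfModule>: guarded only if it tests FOR a PHP module
        # (a leading "!" means the block applies when the module is absent).
        tolower($1) == "<ifmodule" {
            guard[++depth] = (tolower($2) ~ /^[^!]*php/)
            next
        }
        tolower($1) ~ /^<\/ifmodule/ { if (depth > 0) delete guard[depth--]; next }
        # Commented-out lines never match: their first field starts with "#".
        tolower($1) ~ /^php_(admin_)?(flag|value)$/ {
            guarded = 0
            for (i = 1; i <= depth; i++) if (guard[i]) guarded = 1
            if (!guarded) { sub(/^[ \t]+/, ""); printf "%d: %s\n", NR, $0; bad++ }
        }
        END { exit (bad > 0) }
    ' "$@"
}

# Demo on the constructed sample; findings are expected here.
sample_vhost | scan_php_directives || true
```

Run it against each generated vhost file before restarting Apache without mod_php; a non-zero exit status means the restart would fail on the listed lines.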

22nd September 2006, 17:58
Super Moderator
I'm not sure if the suphp setting is compatible with cgi-php, but it's worth a try.
Please change the line:
$go_info["server"]["apache2_php"] = 'both';
to:
$go_info["server"]["apache2_php"] = 'suphp';
in the config.inc.php file, then edit your website settings so ISPConfig recreates your config files.

23rd September 2006, 00:15
Member
This gave me more Apache startup errors, complaining about "suPHP" settings.
Whatever,
I took directions on the web how to enable mod_php and php-cgi side by side so I can play a little...
For a correct implementation of the needs I described in the beginning (php scripts run with the user/group of the web they're in), you need the following things:
- php(4|5)-cgi
- /etc/apache2/conf.d/php(4|5)-cgi config file like:
Code:
Action application/x-php4-cgi /cgi-bin/php4
AddType application/x-php4-cgi .cphp
- a link in /var/www/webxy/cgi-bin/ to /usr/lib/cgi-bin/php(4|5) (not symbolic)
and what's the most difficult part:
- a self-compiled suexec binary (/usr/lib/apache2/suexec2) that will not complain about the ownership of the php cgi binary
Jeez, am I the first to want this scheme for the hosting users?

23rd September 2006, 14:10
Super Moderator
Then don't use the PHP checkboxes at all and copy the lines:
Quote:
Action application/x-php4-cgi /cgi-bin/php4
AddType application/x-php4-cgi .cphp
In the apache directives field of the website.
Quote:
Jeez, am I the first to want this scheme for the hosting users?
No, but most users are using SuPHP instead of SuExec, which works fine with ISPConfig.

27th September 2006, 09:01
Junior Member
My server still unable to use Suexec
Hi guys,
Thanks to Till Brehm for setting up my server.
I'm confused on why the Suexec doesn't work on my server. I tried enabling it on the system setting and disable PHP Safe Mode on the site that I want to use Suexec on.
Is there anything that I did wrong? What should I do to check whether my server support Suexec or not?
Thanks

27th September 2006, 09:27
Super Moderator
I guess suexec is compiled into your server. Simply turning on SuEXEC does not mean that PHP is now run as CGI, you will have to install a CGI PHP binary and add some additional apache configuration code to the apache directives field to enable php as CGI. If you want to use SuPHP, make sure that SuPHP is available for your Linux distribution and enable SuPHP in the config.inc.php file.