#21
6th October 2007, 14:50
jmroth
ISPConfig Developer
 
Join Date: Sep 2005
Posts: 191
Thanks: 1
Thanked 6 Times in 6 Posts

Quote:
Originally Posted by tom
Why do you patch suexec, doesn't it work like for apache2 from its default?
I guess he patches it because php-fcgi-starter is owned by root, and we want this to be executed by suexec but not modifiable by the user. So what he wants to do is avoid error 120.
But when I try it, it already exits at error 107 with
Code:
[2007-10-06 14:17:42]: uid: (root/root) gid: (0/0) cmd: php-fcgi-starter
[2007-10-06 14:17:42]: cannot run as forbidden uid (0/php-fcgi-starter)
Quote:
Originally Posted by tom
Why do you add www-data to every group created by ISPConfig?
I would be interested in that too!

Furthermore, with this tutorial, they forget to set e.g. AP_HTTPD_USER, which is for example mentioned here: http://www.howtoforge.com/forums/showthread.php?t=4606

#22
7th October 2007, 21:29
jmroth
ISPConfig Developer

Ehm... seems to me that the present tutorial completely ignores the fact that one should set SuexecUserGroup in vhost config. !?

#23
8th October 2007, 17:04
meemu
Member
 
Join Date: Apr 2007
Posts: 39
Thanks: 2
Thanked 8 Times in 5 Posts

Quote:
Originally Posted by tom
Why do you add www-data to every group created by ISPConfig?
We were looking for better security. Changing permissions of the vhost root (/var/www/webX) to 750 allows only the owner and group members to access any content of the web site. In order for apache to be still able to access content the apache user needs to be member of each web site group. But you don't need this just for php-fastcgi to work.

Quote:
Originally Posted by tom
I'm using apache2.0 together with php-fast-cgi and suexec on sarge3.1 but there was no need to change something like you told. Is all this different with etch?
I haven't tried on sarge. I assume you didn't have to patch suexec on sarge?
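
The 750 scheme described in post #23 only works while the Apache user is a member of every site group. An added example (not part of the original posts or of ISPConfig) that audits both conditions; it assumes each web root is named like its group (webN, as in the patch's "web".$doc_id), that Apache runs as www-data, and it runs against a constructed temporary tree and group file instead of /var/www and /etc/group.

```shell
#!/bin/sh
# Added example: audit web roots for mode 750 plus Apache group membership.

# in_group USER GROUP GROUPFILE: succeeds if USER is a listed member of GROUP
# in a file that uses the /etc/group format (name:passwd:gid:member,member).
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }' "$3"
}

# audit_webs ROOT APACHE_USER GROUPFILE: prints one line per finding.
audit_webs() {
    root=$1
    user=$2
    groupfile=$3
    for dir in "$root"/web*; do
        [ -d "$dir" ] || continue
        site=$(basename "$dir")      # assumption: group name equals directory name
        mode=$(stat -c %a "$dir")    # GNU stat, as shipped on Debian
        if [ "$mode" != 750 ]; then
            echo "$site: mode $mode, expected 750"
        fi
        if ! in_group "$user" "$site" "$groupfile"; then
            echo "$site: $user is not in group $site"
        fi
    done
}

# Constructed sample: web1 follows the scheme, web2 is still 755 and its
# group lacks the Apache user.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/web1" "$tmp/web2"
    chmod 750 "$tmp/web1"
    chmod 755 "$tmp/web2"
    printf '%s\n' 'web1:x:1001:admispconfig,www-data' \
                  'web2:x:1002:admispconfig' > "$tmp/group"
    audit_webs "$tmp" www-data "$tmp/group"
    rm -rf "$tmp"
}

demo
```

On a real server the call would be audit_webs /var/www www-data /etc/group.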

#24
8th October 2007, 17:09
meemu
Member

Quote:
Originally Posted by jmroth
Ehm... seems to me that the present tutorial completely ignores the fact that one should set SuexecUserGroup in vhost config. !?
That's correct but I think that ispconfig creates that line in its vhosts file if suexec is enabled (both in apache and in ispconfig)

#25
9th October 2007, 00:26
jmroth
ISPConfig Developer

Ah ok... it is not unimportant to know that Suexec should simply be enabled in ISPConfig... (and in Apache)

BTW I have created the previously mentioned diff (with context), could someone check that the patch is indeed correct (I made it against ISPconfig 2.2.16)

Code:
--- config.lib.php      2007-08-24 11:39:25.000000000 +0200
+++ /root/ispconfig_mods/scripts/lib/config.lib.php.fcgipatch   2007-10-08 09:57:42.000000000 +0200
@@ -1134,6 +1145,8 @@

   ///////////////// admispconfig der Gruppe hinzufügen ////////////////
   $mod->system->add_user_to_group("web".$doc_id);
+  // FASTCGI - added 1 line
+  //$mod->system->add_user_to_group("web".$doc_id,$apache_user);
   //////////////////// admispconfig der Gruppe hinzufügen ENDE //////////////

   $apache_user = $this->apache_user;
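Review bot: The added add_user_to_group("web".$doc_id,$apache_user) call is commented out, so this hunk changes nothing at runtime, and if it were enabled as written it would use $apache_user before the context line $apache_user = $this->apache_user; below assigns it (no earlier assignment is visible in this hunk). If the Apache user is meant to join each web group, move the call below that assignment or pass $this->apache_user, and enable it; otherwise drop both added lines from the patch.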
@@ -1142,8 +1155,11 @@
     exec("chown -R $apache_user:web$doc_id $web_path &> /dev/null");
     exec("chmod -R 775 $web_path");
     exec("chmod -R 775 $web_path_realname");
-    exec("chmod 755 $web_path");
-    exec("chmod 755 $web_path_realname");
+    // FASTCGI - comment 2 existing lines, added 2 lines
+    //exec("chmod 755 $web_path");
+    //exec("chmod 755 $web_path_realname");
+    exec("chmod 750 $web_path");
+    exec("chmod 750 $web_path_realname");
     exec("chmod 755 $web_path/user"); // user-Verzeichnis sollte nicht group-writable sein, weil Sendmail sonst warnings ausgeben könnte wg. der .forward-Datei
     exec("chmod 755 $web_path/log");
     exec("chmod 755 $web_path/ssl");
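Review bot: The two added exec("chmod 750 ...") lines pass $web_path and $web_path_realname to a shell unquoted, and the lines they replace are kept as commented-out code. Calling PHP's chmod($web_path, 0750) avoids the shell entirely and reports failure through its return value; the commented 755 lines can go, since the diff already records them.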
@@ -1403,11 +1419,25 @@
 AddHandler cgi-script .pl";

     if($web["web_php"]){
+      //FASTCGI (here we could add a handler for different versions of php and php.ini files
+      //FASTCGI Modification - added variable and if statement
+      $fcgip = $mod->system->server_conf["server_path_httpd_root"]."/php-fastcgi/"."web".$web["doc_id"];
+      if(!file_exists($fcgip."/php-fcgi-starter")) {
+       $mod->log->msg("creating $fcgip"."/php-fcgi-starter");
+       if(!file_exists($fcgip)) {
+         exec("mkdir -p $fcgip");
+       }
+       exec("cp -p /root/ispconfig/scripts/php-fcgi-starter ".$fcgip."/ && chown root:root ".$fcgip."/php-fcgi-starter");
+      }
       if($apache_version == 1){
-        $php = "AddType application/x-httpd-php .php .php3 .php4 .php5";
+       // FASTCGI, commented 1 line, added 1 line
+        //$php = "AddType application/x-httpd-php .php .php3 .php4 .php5";
+       $php = "ScriptAlias /php-fastcgi/ $fcgip/\n";
       }
       if($apache_version == 2){
-                  $php = '';
+       // FASTCGI, commented 1 line, added 1 line
+       //$php = '';
+       $php = "ScriptAlias /php-fastcgi/ $fcgip/\n";
                 if($go_info["server"]["apache2_php"] == 'addtype' or $go_info["server"]["apache2_php"] == 'both' or $go_info["server"]["apache2_php"] == 'suphp') {
                         $php .= "AddType application/x-httpd-php .php .php3 .php4 .php5\n";
                 }
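Review bot: The exec() calls in the new if(!file_exists($fcgip."/php-fcgi-starter")) block ignore the exit status of mkdir, cp and chown, so when any of them fails the code still goes on to emit ScriptAlias /php-fastcgi/ $fcgip/ for a directory with no usable starter. Check the status (the third argument of exec) and log through $mod->log->msg on failure, quote $fcgip with escapeshellarg, and set the starter's mode explicitly instead of inheriting it through cp -p. The first added comment line also has an unclosed parenthesis.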
@@ -1440,10 +1470,12 @@
                   $php .= "suPHP_AddHandler x-httpd-php\n";
           }

+         // FASTCGI, disabled if block
+         /*
           if($go_info["server"]["apache2_php"] != 'suphp') {
               if($web["web_php_safe_mode"]){
                 $php .= "\nphp_admin_flag safe_mode On
-php_admin_value open_basedir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/
+php_admin_value open_basedir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/:/usr/share:/usr/local/share:/etc/phpbb2:/etc/drupal:/tmp
 php_admin_value file_uploads 1
 php_admin_value upload_tmp_dir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/phptmp/
 php_admin_value session.save_path ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/phptmp/";
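Review bot: The open_basedir line changed inside the block that this hunk comments out with /* adds /usr/share:/usr/local/share:/etc/phpbb2:/etc/drupal:/tmp to every site's allowed paths, an edit that has no effect while the block is disabled and that would give all sites access to the shared /tmp if the block were restored. Leave that line out of the patch. Since php_admin_value and php_admin_flag are mod_php directives, state in the comment where the per-site open_basedir, upload_tmp_dir and session.save_path limits are set under FastCGI; nothing in the visible lines replaces them.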
@@ -1451,6 +1483,8 @@
                 $php .= "\nphp_admin_flag safe_mode Off";
               }
         }
+         */
+         // FASTCGI - end disable if block
     } else {
       $php = "";
     }
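Review bot: The */ added here completes a block comment that removes both branches of if($web["web_php_safe_mode"]), so the per-site Safe Mode setting stops reaching the generated vhost without any warning to the admin. Make the block conditional on the PHP mode (the surrounding code already switches on $go_info["server"]["apache2_php"]) instead of commenting it out, so installs that do not use FastCGI keep their current behaviour.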

#26
9th October 2007, 02:15
jmroth
ISPConfig Developer

Quote:
Originally Posted by meemu
Quote:
Originally Posted by tom
I'm using apache2.0 together with php-fast-cgi and suexec on sarge3.1 but there was no need to change something like you told. Is all this different with etch?
I haven't tried on sarge. I assume you didn't have to patch suexec on sarge?
Oh well currently there's no more sarge but etch out there.
I don't know if it works with standard suexec, I would guess it doesn't because apache runs as www-data and the fcgi-starter is owned by root. But I haven't tried.

#27
6th December 2007, 17:59
andreas.stoeffer
Junior Member
 
Join Date: Dec 2007
Posts: 5
Thanks: 0
Thanked 0 Times in 0 Posts
Permissions Group and Users

Hello to everyone,

First, thanks for the good work.
Second, I have a question:

I think ispconfig did not set the group and the user correctly for the webs after patching the config.lib.php.

What are the correct groups and users for different webs?
Example: www-data:web3 or web3:web3 or nobody:web3?

In Vhostconfig the suexec user is nobody and the group i.e. web3.
Is this O.K.?

Thanks for any suggestions
Andreas

#28
6th December 2007, 18:10
meemu
Member

You need an administrator user for the site. Then the nobody or www-data will go away.

#29
7th December 2007, 06:53
andreas.stoeffer
Junior Member
Permissions

O.K., after setting the administrator, nobody is blown away.

But now I cannot access any site on the webspace. I get a 403 error "You don't have permission".

What can be wrong?

Andreas

#30
7th December 2007, 11:49
andreas.stoeffer
Junior Member
Permissions Group and Users

Once again,

Sorry, but I have more questions.

meemu, is it possible to use your patch with ispconfig version 2.2.18?

And how can I apply the patch? Maybe I'm a little bit stupid, but with "patch -p1" it is not possible.

When I want to call "phpinfo()" I get a 500 error and the log file says:
"[Fri Dec 07 11:39:57 2007] [warn] FastCGI: (dynamic) server "/var/www/php-fastcgi/web5/php-fcgi-starter" (pid 12344) terminated by calling exit with status '1'
[Fri Dec 07 11:39:57 2007] [warn] FastCGI: (dynamic) server "/var/www/php-fastcgi/web5/php-fcgi-starter" has failed to remain running for 30 seconds given 3 attempts, its restart interval has been backed off to 600 seconds
"
Any ideas?

Thanks for your reply
Andreas