Permissions problem when updating websites on Debian 8.10 and ISPConfig 3.1.13

Discussion in 'Installation/Configuration' started by MSIU, Aug 23, 2018.

  1. MSIU

    MSIU New Member

    Hello,
    I have a problem when updating websites. When I edit the site settings in ISPConfig and save them, the site directory permissions change to Unknown User and Group and I have to manually reset the permissions. Statistics, wedav and PHP Fast CGI will stop working. I use Debian 8.10 and ISPConfig 3.1.13. I installed under the instructions of The Perfect Server - Debian 8.4 Jessie (Apache2, BIND, Dovecot, ISPConfig 3.1) on howtoforge.com and according to the instructions of Installing Web, Email & MySQL Database Cluster on Debian 8.4 Jessie with ISPConfig 3.1 in ISPConfig 3.1 Manual. I have also set up my server settings according to the ISPConfig 3.1 Manual, no script editing, and so on. Other services work smoothly. Settings in System - Server Config - Web Tab are:

    Sef folder permissons on update: OFF
    Make web folders immutable (extended attributes): ON
    Add web users to -sshusers- group: ON
    Connect Linux userid to webid: ON
    Start ID for userid/webid connect: 10000

    Did someone meet a similar problem, or advise how to fix it?

    Thank you in advance
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Post the "ls -la" output from the web die with wrong permissions and then one after you fixed it. You mentioned that you used two different tutorials, each of them is for a different kind of setup and contains all necessary steps which lead me to the question what kind of setup you use, a multiserver mirror or a single server system?
     
  3. MSIU

    MSIU New Member

    This is mirrored setup, where server2 is mirror of server1.

    Wrong permissions site after update in ISPconfig:

    [email protected]:~# ls -la /var/www/clients/client1/web11
    celkem 44
    drwxr-xr-x 11 root root 4096 říj 22 2017 .
    drwxr-xr-x 12 root root 4096 zář 6 2017 ..
    drwxr-xr-x 2 10011 10009 4096 říj 22 2017 backup
    drwxr-xr-x 2 root root 4096 čec 31 2017 cgi-bin
    drwxr-xr-x. 2 root root 4096 srp 24 08:25 log
    drwx--x--- 2 10011 10009 4096 čec 31 2017 private
    drwx------ 2 10011 10009 4096 říj 18 2017 .ssh
    drwxr-xr-x 2 root root 4096 srp 2 09:32 ssl
    drwxr-xr-x 2 root root 4096 čec 31 2017 tmp
    drwxr-xr-x 7 root root 4096 čec 31 2017 web
    drwxr-xr-x 2 root root 4096 čec 31 2017 webdav

    Another site after fixing permissions:

    [email protected]:~# ls -la /var/www/clients/client1/web1
    celkem 188
    drwxr-xr-x 12 root root 4096 říj 22 2017 .
    drwxr-xr-x 12 root root 4096 zář 6 2017 ..
    drwxr-xr-x 2 web1 client1 4096 úno 14 2018 backup
    drwxr-x--x 6 web1 client1 4096 srp 7 08:52 blog
    drwxr-xr-x 2 web1 client1 4096 čec 25 2017 cgi-bin
    drwxr-xr-x. 4 root root 4096 srp 24 06:29 log
    drwx--x--- 2 web1 client1 4096 čec 25 2017 private
    drwx------ 2 web1 client1 4096 říj 18 2017 .ssh
    drwxr-xr-x 2 root root 4096 čec 25 2017 ssl
    drwxrwx--- 2 web1 client1 143360 srp 24 08:55 tmp
    drwxr-x--x 20 web1 client1 4096 čec 30 2017 web
    drwx--x--- 6 web1 client1 4096 bře 20 10:24 webdav

    ISPConfing was gradually upgraded from version 3.1.5 I think.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The permissions of sites do not get altered in ISPConfig update, so my guess is that its a timely coincident. What I guess is that you have changed the security level under system > server config from high to medium. change it back to high.

    Another possibility is that there is an issue in your mirror setup and rsync changes the permissions. Or your passwd and shadow and group file on the new server is missing users or groups e.g. when you setup the mirror not at install time of the new server.
     
    Last edited: Aug 24, 2018
  5. MSIU

    MSIU New Member

    No, I have not change this option, but I update server config now and without succes
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I posted you 3 possible reasons.
     
  7. MSIU

    MSIU New Member

    The mirror was fresh Debian installation
     
  8. MSIU

    MSIU New Member

    I chack all checboxes in Resync Tool. I assume, that may be issuse with users and shadows in sync, ho to fix it?
     
  9. MSIU

    MSIU New Member

    Very sorry.
     
  10. MSIU

    MSIU New Member

    Same site with wrong permissions on mirror:

    [email protected]:~# ls -la /var/www/clients/client1/web11
    celkem 44
    drwxr-xr-x 11 root root 4096 úno 18 2018 .
    drwxr-xr-x 12 root root 4096 úno 13 2018 ..
    drwxr-xr-x 2 web11 client1 4096 úno 18 2018 backup
    drwxr-xr-x 2 root root 4096 úno 13 2018 cgi-bin
    drwxr-xr-x 2 root root 4096 srp 24 00:06 log
    drwx--x--- 2 web11 client1 4096 úno 13 2018 private
    drwx------ 2 web11 client1 4096 úno 13 2018 .ssh
    drwxr-xr-x 2 root root 4096 srp 2 09:33 ssl
    drwxr-xr-x 2 root root 4096 úno 13 2018 tmp
    drwxr-xr-x 7 root root 4096 úno 13 2018 web
    drwxr-xr-x 2 root root 4096 úno 13 2018 webdav

    The /backup /private and /.ssh dirs are good on mirror, on master was wrong.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to compare the /etc/passwd and /etc/group files of the servers, do the web* users and client* groups differ in these files on the two servers?
     
  12. MSIU

    MSIU New Member

    Yes, it do:
    File with 1 is from master server, without 1 is from mirror. I assume thet from master is OK and from mirror is wrong:

    [email protected]:/etc# diff passwd passwd1
    42a43,52
    > web1:x:5004:5005::/var/www/clients/client1/web1:/bin/false
    > web2:x:5005:5005::/var/www/clients/client1/web2:/bin/false
    > web5:x:5006:5005::/var/www/clients/client1/web5:/bin/false
    > web7:x:5007:5005::/var/www/clients/client1/web7:/bin/false
    > web9:x:5008:5005::/var/www/clients/client1/web9:/bin/false
    > web10:x:5009:5005::/var/www/clients/client1/web10:/bin/false
    > web11:x:5010:5005::/var/www/clients/client1/web11:/bin/false
    > web12:x:5011:5005::/var/www/clients/client1/web12:/bin/false
    > web13:x:5012:5005::/var/www/clients/client1/web13:/bin/false
    > web14:x:5013:5005::/var/www/clients/client1/web14:/bin/false
    44,53d53
    < web9:x:10009:10009::/var/www/clients/client1/web9:/bin/false
    < web1:x:10006:10009::/var/www/clients/client1/web1:/bin/false
    < web7:x:10008:10009::/var/www/clients/client1/web7:/bin/false
    < web10:x:10010:10009::/var/www/clients/client1/web10:/bin/false
    < web2:x:10002:10009::/var/www/clients/client1/web2:/bin/false
    < web13:x:10013:10009::/var/www/clients/client1/web13:/bin/false
    < web11:x:10011:10009::/var/www/clients/client1/web11:/bin/false
    < web5:x:10005:10009::/var/www/clients/client1/web5:/bin/false
    < web14:x:10014:10009::/var/www/clients/client1/web14:/bin/false
    < web12:x:10012:10009::/var/www/clients/client1/web12:/bin/false

    [email protected]:/etc# diff group group1
    68c68
    < sshusers:x:5002:web9,web1,web7,web10,web2,web13,web11,web5,web14,web12
    ---
    > sshusers:x:5002:web1,web2,web5,web7,web9,web10,web11,web12,web13,web14
    71,72c71,72
    < ispconfigend:x:20000:
    < client1:x:10009:www-data
    \ Chybí znak konce řádku na konci souboru
    ---
    > client1:x:5005:www-data
    > ispconfigend:x:20000:

    How to safely fix this on production server, please?
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    My guess is that you changed one of these two options:

    Connect Linux userid to webid: ON
    Start ID for userid/webid connect: 10000

    after you had already added sites on the first server or you did not set the same options for both servers or you might not added the mirror server at the beginning, so your first server contained sites that are not on the mirror.

    To fix that now, you must copy the web* users from passwd and sahdow file from master and replace the ones on the slave, then do the same with the client* groups in group and gshadow file. but copy only the web* user and client* lines, not the whole files.
     
  14. MSIU

    MSIU New Member

    I added a mirror to an existing master server with websites and then enabled the Connect Linux userid to webid, the other options I did not change and were the same for both servers.

    So I will do the repair:

    Transfer the web* user from the master server to passwd and shadow file, client * groups in group and gshadow file on mirror. I restart the mirror. The options in the Config / Web Server will be:

    Make web folders immutable (extended attributes): ON
    Add web users to -sshusers- group: ON
    Connect Linux userid to webid: ON
    Start ID for userid / webid connect: 10000

    Am I correct?

    Can I use the option Sef folder permissons on update on mirrored setup?
     
  15. MSIU

    MSIU New Member

    I have found that neither the master server nor the mirror there are no all clients in shadow, group, gshadow, and passwd. I have three clients and included only one. So I will probably have to add missing clients manually? Client ID 1 has Group ID 10009 on the system. What is the correct group ID in the system for ISPConfig, is this 1000 + ID of the client?
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Clients are not in the shadow and password file. clients exist only in the group and gshadow file. Website users exist in passwd and shadow file. and if the other two clients have no websites assigned, then they will not be in the group file as well. The ID's are chosen by the Linux system, unless you have manually set the connect userid to web id with a fixed starting number.
     
  17. MSIU

    MSIU New Member

    Yes, just gshadow and group, I'm sorry. Thank you for the explanation.
     
  18. MSIU

    MSIU New Member

    Thanks a lot, everything works perfectly. I only have a problem with site stats when using AWStats. When I visit domain.tld/stats, enter the admin username and the correct password, I will see 404 error and the Apache log is:

    [Thu Sep 06 10:44:02.064521 2018] [authz_core:error] [pid 155056] [client xxx.xxx.xxx.xxx:52861] AH01630: client denied by server configuration: /var/www/domain.tld/web/stats/index.php

    Symlink /var/www.domain.tld/web/stats exists and stats directory has owner of website owner and client group with permissions 755 and index.php has the same owner with permissions 644. I wait more then 48 hours to AWStats collect data. I use Suexec and no manual site config file.
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you see the current log data in the access.log file in /var/www/domain.tld/log/ ?
     
  20. MSIU

    MSIU New Member

    Yes, here it is:

    xxx.xxx.xxx.xxx - - [07/Sep/2018:09:20:15 +0200] "GET /stats/ HTTP/1.1" 401 2148 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
    xxx.xxx.xxx.xxx - - [07/Sep/2018:09:20:29 +0200] "GET /stats/ HTTP/1.1" 403 2102 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
    xxx.xxx.xxx.xxx - - [07/Sep/2018:09:20:30 +0200] "GET /favicon.ico HTTP/1.1" 404 2098 "http://www.domain.tld/stats/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3
     

Share This Page