PHP write permissions

Discussion in 'Installation/Configuration' started by RicochetPeter, Sep 20, 2006.

  1. RicochetPeter

    RicochetPeter Member

    Hi folks,

    I have some sort of permission problem regarding php wanting to change/create files:

    Imagine I have a web at /var/www/web1/web:
    drwxrwxr-x   7 web1_benjamin web1 4096 2006-07-12 20:52 web
    which obviously belongs to web1_benjamin.

    Now, any php script residing in this (or any deeper) directory that wants to create or modify files will spit out an error:
    Warning: touch() [function.touch]: Unable to create file test.txt because Permission denied in /var/www/web1/web/test/test.php on line 5
    PHP will succeed in creating/modifying files when I either chmod a+w or chgrp www-data the directory. The first is not really desired (I'd actually like ISPConfig to create directories w/o any rights for others....) and the second means handwork.
    Secondly, the created files are user www-data and group www-data:
    -rw-r--r--   1 www-data    www-data    0 2006-09-20 21:33 test.txt

    OK, let's sum it up:
    1. How do I make ISPConfig create directories rwxrwx--- when it sets up a web
    2. How do I make Apache/PHP use the user/group of the web it's working in to create/modify files?

    PS: this is ISPConfig 2.2.0, running on Ubuntu 5.10
    Last edited: Sep 20, 2006
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    1) you will have to change the sources for this.

    2) Run PHP with suPHP or as cgi with suexec instead of mod_php, so the php scripts will run under the admin user of the website. You will have to update to ISPConfig 2.2.6 to be able to use suPHP together with ISPConfig.
  3. RicochetPeter

    RicochetPeter Member

    I upgraded to 2.2.6 (seems to be working just fine), and also tried to switch from PHP5 as a module to PHP5 as a CGI.

    Starting Apache gives me this error:
    Invalid command 'php_admin_flag', perhaps mis-spelled or defined by a module not included in the server configuration
    Many questions:

    1a) Do I understand this correctly, that php_admin_flags can only be put in the apache config files when PHP is a module?
    1b) Should they be in a .htaccess if PHP is a cgi?
    2) Do I have to activate the "Suexec" option in Management->Server->Settings?
    3) Does ISPConfig need to know (by some setting) that I want to use PHP as a cgi?
    4) Did I go wrong somewhere?
    Last edited: Sep 21, 2006
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    1a) yes
    1b) It does not work in .htaccess files too.
    2) yes.
    3) no, but you will have to deactivate the sfaemode checkboxes, as safemode is not supported in cgi-php.
    4) no, just deactivate safemode in the website settings.
  5. RicochetPeter

    RicochetPeter Member

    I took one of my webs and disabled safe_mode, and ISPConfig still uses "php_admin_flag safe_mode Off", so Apache will stumble over that config line again....

    the vhost now looks like this:
    Include /etc/apache2/vhost_includes/
    ServerAdmin [email protected]
    DocumentRoot /var/www/web12/web
    DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.jsp
    Default.htm default.htm
    ScriptAlias  /cgi-bin/ /var/www/web12/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    ErrorLog /var/www/web12/log/error.log
    AddType application/x-httpd-php .php .php3 .php4 .php5
    <Files *.php>
        SetOutputFilter PHP
        SetInputFilter PHP
    <Files *.php3>
        SetOutputFilter PHP
        SetInputFilter PHP
    <Files *.php4>
        SetOutputFilter PHP
        SetInputFilter PHP
    <Files *.php5>
        SetOutputFilter PHP
        SetInputFilter PHP
    php_admin_flag safe_mode Off
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Alias /error/ "/var/www/web12/web/error/"
    ErrorDocument 400 /error/invalidSyntax.html
    ErrorDocument 401 /error/authorizationRequired.html
    ErrorDocument 403 /error/forbidden.html
    ErrorDocument 404 /error/fileNotFound.html
    ErrorDocument 405 /error/methodNotAllowed.html
    ErrorDocument 500 /error/internalServerError.html
    ErrorDocument 503 /error/overloaded.html
    AliasMatch ^/~([^/]+)(/(.*))? /var/www/web12/user/$1/web/$3
    AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web12/user/$1/web/$3
    Last edited: Sep 22, 2006
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I'am not sure if the suphp setting is compatible with cgi-php, but its worth atry.

    Please change the line:

    $go_info["server"]["apache2_php"] = 'both';


    $go_info["server"]["apache2_php"] = 'suphp';

    in the file, then edit your website settings so ISPConfig recreates your config files.
  7. RicochetPeter

    RicochetPeter Member

    This gave me more Apache startup errors, complaining about "suPHP" settings.


    I took directions on the web how to enable mod_php and php-cgi side by side so I can play a little...

    A correct implementation for the needs I described in the beginning (php scripts run with the user/group of the web they're in) you need the following things:

    - php(4|5)-cgi
    - /etc/apache2/conf.d/php(4|5)-cgi config file like:
     Action         application/x-php4-cgi /cgi-bin/php4
     AddType        application/x-php4-cgi .cphp
    - a link in /var/www/webxy/cgi-bin/ to /usr/lib/cgi-bin/php(4|5) (not symbolic)

    and what's the most didfficult part:

    - a self-compiled suexec binary (/usr/lib/apache2/suexec2) that will not complain about the ownership of the php cgi binary

    Jeez, am I the first to want this scheme for the hosting users?
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Then dont use the PHP cehckboxes at all and copy the lines:

    In the apache directives field of the website.

    No, but most users are using SuPHP instaed of SuExec, which works fine with ISPConfig.
  9. djamoer

    djamoer New Member

    My server still unable to use Suexec

    Hi guys,

    Thanks to Till Brehm for setting up my server.
    I'm confused on why the Suexec doesn't work on my server. I tried enabling it on the system setting and disable PHP Safe Mode on the site that I want to use Suexec on.

    Is there anything that I did wrong? What should I do to check whether my server support Suexec or not?

  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I Guess suexec is compiled into your server. Simply turning on SuEXEC does not mean tht PHP is now run as CGI, you will have to install a CGI PHP binary and add some additional apache configuration code to the apache directives field to enable php as CGI. If you want to use SuPHP, make sure that SuPHP is available for your linux distribution and enable SuPHP in the file.
  11. djamoer

    djamoer New Member

    Thank Til,

    I'm still wondering on the difference between suPHP and suexec, and phpsuexec. If someone could point me to the right direction on how to get the comparison for all these things that will be great. From what I can understand, there is no need to run suexec, because suphp run faster and it also run as the owner of the site, so there is no need to chmod file into 777, while in suexec, I believe it's more secured and slower. Am I correct?

    I'll do my homework by searching through this forum on how to run suphp with ispconfig, but if someone can guide me through this, it will be AWESOME.

    Thank you guys for this great software. I'm not a linux user, but I'm starting to get used with linux command line, lol :D
  12. falko

    falko Super Moderator ISPConfig Developer

  13. djamoer

    djamoer New Member

    Yes I did Falko, in fact I figured out that SuPHP is not compatible with Apache 2.2, am I correct?

    I might be able to compile PHP-CGI binary to run as an alternative of using PHP module, but to be honest, compiling the binary is a lot of hassle, considering myself as not a linux user, lol....

    I would prefer to have SuPHP installed, so by default all php will run by its own permission. Could you justified my above statement regarding compatibility issue? My Apache version is Apache 2.2.2 which run under Fedora Core 5.
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, I think so. There are still lots of modules missing for apache 2.2

    PHP-CGI binaries come with most linux distributions, you dont have to compile them yourself.
  15. djamoer

    djamoer New Member

    So do you guys think it's worth a try to down grade apache server from 2.2 to 2.1 maybe, so that I'll be able to use SuPHP? Or do you think it's better to just use SuExec?

    Btw Till, do you know where is the exact location on how to get the binary file for php-cgi on Fedora Core 5? Sorry for being such a noob...
    I also wonder about the checkbox for enabling SuEXEC on the server setting. What is it for? Will it make a difference if I check or uncheck the checkbox?

    Thanks for all the reply guys....
  16. falko

    falko Super Moderator ISPConfig Developer

    You can find out by running
    locate php5
    If you enable suExec, ISPConfig will enable suExec for each vhost.

Share This Page