suPHP fails with mod 0600 on Debian Etch

Discussion in 'Installation/Configuration' started by berny, Mar 19, 2008.

  1. berny

    berny New Member

    Hello,

    I have an installation of ISPConfig 2.2.21 and have installed suPHP according to the howto found at http://www.howtoforge.com/install-suphp-on-various-linux-distributions-for-use-with-ispconfig-2.2.20-and-above

    suPHP now seems to be working well for php-scripts and textpattern sites when using 0664 access rights on files.

    However, I want to have 0600 so no FTP user or shell user can see files from another web. But if I give group and other no read rights, Apache throws a 403 error.

    What do I need to do?

    Here is my config:


    From /etc/apache2/vhosts/Vhosts_ispconfig.conf:

    Code:
    ###################################
    #
    # ISPConfig vHost Configuration File
    #         Version 1.0
    #
    ###################################
    #
    NameVirtualHost xxx.xxx.xxx.249:80
    <VirtualHost xxx.xxx.xxx.249:80>
      ServerName localhost
      ServerAdmin root@localhost
      DocumentRoot /var/www/sharedip
    </VirtualHost>
    #
    #
    ######################################
    # Vhost: www.yyyy.de:80
    ######################################
    #
    #
    <VirtualHost xxx.xxx.xxx.249:80>
    SuexecUserGroup web1_ web1
    ServerName www.yyyy.de:80
    ServerAdmin webmaster@yyyy.de
    DocumentRoot /var/www/web1/web
    ServerAlias yyyy.de
    DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
    Alias  /cgi-bin/ /var/www/web1/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    ErrorLog /var/www/web1/log/error.log
    AddType application/x-httpd-php .php .php3 .php4 .php5
    <Directory /var/www/web1/web>
      suPHP_Engine on
      suPHP_UserGroup web1_ web1
      AddHandler x-httpd-php .php .php3 .php4 .php5
      suPHP_AddHandler x-httpd-php
      SetEnv php_safe_mode Off
    </Directory>
    Alias /error/ "/var/www/web1/web/error/"
    ErrorDocument 400 /error/invalidSyntax.html
    ErrorDocument 401 /error/authorizationRequired.html
    ErrorDocument 403 /error/forbidden.html
    ErrorDocument 404 /error/fileNotFound.html
    ErrorDocument 405 /error/methodNotAllowed.html
    ErrorDocument 500 /error/internalServerError.html
    ErrorDocument 503 /error/overloaded.html
    AliasMatch ^/~([^/]+)(/(.*))? /var/www/web1/user/$1/web/$3
    AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web1/user/$1/web/$3
    </VirtualHost>
    

    If I access a file with 0600 (-rw-------) access rights, the browser shows an error 403 and I get an entry in /var/www/web1/log/error.log
    Code:
    [Wed Mar 19 19:29:40 2008] [error] [client xx.xxx.xxx.xx] (13)Permission denied: file permissions deny server access: /var/www/web1/web/index.html
    
    Partial Workaround:

    A partial workaround I have found so far is to add the user www-data to the group of the web and set access rights to 0660. The disadvantage is that www-data needs to be added manually to every group.
     
  2. falko

    falko Super Moderator

    Is web1_ the correct user name?
     
  3. berny

    berny New Member

    Yes it is. The user "web1_" has the admin-flag set in the ISPConfig web-interface and the user web1_ owns the directories and files.

    Code:
    zwei:/var/www/web1/web# ls -lha
    insgesamt 160K
    drwxrwxr-x 26 web1_ web1 4,0K 2008-03-20 18:15 .
    drwxr-xr-x  9 web1_ web1 4,0K 2008-03-19 18:37 ..
    
    [...]
    
    -rw-r----- 1 web1_ web1 52 2008-03-20 18:20 test.html
    
    [...]
    
    BTW, should the thread be moved into the ISPConfig-Installation/Configuration Forum?

    Thanks a lot.
     
  4. falko

    falko Super Moderator

    What's in /etc/suphp.conf?
     
  5. berny

    berny New Member

    The complete content of /etc/suphp.conf is:

    Code:
    [global]
    ;Path to logfile
    logfile=/var/log/suphp.log
    
    ;Loglevel
    loglevel=info
    
    ;User Apache is running as
    webserver_user=www-data
    
    ;Path all scripts have to be in
    docroot=/
    
    ;Path to chroot() to before executing script
    ;chroot=/mychroot
    
    ; Security options
    allow_file_group_writeable=true
    allow_file_others_writeable=false
    allow_directory_group_writeable=true
    allow_directory_others_writeable=false
    
    ;Check whether script is within DOCUMENT_ROOT
    check_vhost_docroot=true
    
    ;Send minor error messages to browser
    errors_to_browser=false
    
    ;PATH environment variable
    env_path=/bin:/usr/bin
    
    ;Umask to set, specify in octal notation
    umask=0077
    
    ; Minimum UID
    min_uid=100
    
    ; Minimum GID
    min_gid=100
    
    [handlers]
    ;Handler for php-scripts
    x-httpd-php=php:/home/admispconfig/ispconfig/tools/suphp/usr/bin/php-wrapper
    
    ;Handler for CGI-scripts
    x-suphp-cgi=execute:!self
    
     
  6. falko

    falko Super Moderator

    Looks ok.
    I couldn't find anything about it on the web, but I think that Apache still needs read access to the files.
     
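Falko's point (Apache itself, running as www-data, serves static files such as index.html, so it must be able to read them, whatever suPHP does for PHP) can be checked before touching permissions. The following is an added example, not code from the thread or from ISPConfig/suPHP: it emulates the kernel's owner/group/other read check for a stand-in www-data identity over a constructed docroot with the modes discussed above (0600, 0640 with www-data in the web group, 0664), and extracts the path from the error-log line berny posted. The `script_exts` exclusion is an assumption that files with the vhost's PHP extensions are opened by suPHP as the vhost user rather than by Apache.

```python
import os
import re
import stat
import tempfile

# Apache core logs this when the server process itself cannot open a file it is serving.
APACHE_DENY_RE = re.compile(r"\(13\)Permission denied: file permissions deny server access: (\S+)")

def denied_path(log_line):
    """Path from an Apache 'file permissions deny server access' log entry, or None."""
    m = APACHE_DENY_RE.search(log_line)
    return m.group(1) if m else None

def readable_by(path, uid, gids):
    """Emulate the kernel's read check for an unprivileged process (uid, set of gids).
    POSIX ACLs and directory search bits are ignored; the thread's setup uses neither."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def unreadable_static_files(docroot, uid, gids, script_exts=()):
    """Relative paths under docroot that Apache running as uid/gids would answer with a 403.
    Assumption: script_exts are handled by suPHP as the vhost user, so they are skipped."""
    hits = []
    for dirpath, _, names in os.walk(docroot):
        for name in names:
            if name.lower().endswith(tuple(script_exts)):
                continue
            full = os.path.join(dirpath, name)
            if not readable_by(full, uid, gids):
                hits.append(os.path.relpath(full, docroot))
    return sorted(hits)

def demo():
    """Constructed docroot with the thread's modes; returns (www-data outside group, inside group)."""
    root = tempfile.mkdtemp(prefix="web1_web_")
    for name, mode in (("index.html", 0o600), ("test.html", 0o640), ("style.css", 0o664), ("index.php", 0o600)):
        full = os.path.join(root, name)
        with open(full, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(full, mode)
    web_gid = os.stat(os.path.join(root, "index.html")).st_gid  # plays the role of group "web1"
    www_uid = os.getuid() + 1  # stand-in for www-data: any uid other than the file owner
    php = (".php", ".php3", ".php4", ".php5")  # the AddType extensions from the vhost
    return (unreadable_static_files(root, www_uid, set(), php),
            unreadable_static_files(root, www_uid, {web_gid}, php))  # second call: berny's workaround
```

Running `demo()` on a real docroot would mean replacing `www_uid`/`web_gid` with the ids from `id www-data` and the web's group; the emulation is deliberately used here so the example runs without those accounts.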