typo3 mit ispconfig3 / suexec

Discussion in 'Installation/Configuration' started by bn61, Mar 4, 2010.

  1. bn61

    bn61 New Member

    Hi,
    I have setup an apache (SUExec/fcgi) with the help of ISPConfig3.
    In order to find a suitable solution I started off with the typo3 sources within the webserver directory.
    When I try calling the typo3 backend I get the following error:
    Code:
    [B]Warning:[/B] fopen() [function.fopen]: open_basedir restriction in effect.
    File(/var/www/BLABLA/web/typo3temp/llxml/misc.xml_f45d73fa32.de.iso-8859-1.cache)
    is not within the allowed path(s):
    (/var/www/BLABLA/:/var/www/clients/client2/web2/)
    in /var/www/clients/client2/web2/web/t3lib/class.t3lib_div.php  on line 2752
    
    [B]Warning:[/B]
    fopen(/var/www/BLABLA/web/typo3temp/llxml/misc.xml_f45d73fa32.de.iso-8859-1.cache)
    [function.fopen]: failed to open stream: 
    Operation not permitted in /var/www/clients/client2/web2/web/t3lib/class.t3lib_div.php on line 2752
    
    ERROR: File not written to disk! Write permission error in filesystem?
    Clearly this error message contradicts itself since the file in question is in the directory that is defined in the open_basedir statement.
    Any ideas?
     
  2. till

    till Super Moderator

    Are all files and folders owned by the user and group of the website?
     
  3. bn61

    bn61 New Member

    Yes, every single one.
     
  4. bn61

    bn61 New Member

    addendum: my config files

    /etc/apache2/sites-available/BLABLA.vhost:
    Code:
    <Directory /var/www/BLABLA>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    
    <VirtualHost *:80>
          DocumentRoot /var/www/BLABLA/web
    
        ServerName BLABLA
        ServerAdmin webmaster@BLABLA
    
        ErrorLog /var/log/ispconfig/httpd/BLABLA/error.log
    
        ErrorDocument 400 /error/400.html
        ErrorDocument 401 /error/401.html
        ErrorDocument 403 /error/403.html
        ErrorDocument 404 /error/404.html
        ErrorDocument 405 /error/405.html
        ErrorDocument 500 /error/500.html
        ErrorDocument 503 /error/503.html
    
        <Directory /var/www/BLABLA/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        <Directory /var/www/clients/client2/web2/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    
        # cgi enabled
            <Directory /var/www/clients/client2/web2/cgi-bin>
          Order allow,deny
          Allow from all
        </Directory>
        ScriptAlias  /cgi-bin/ /var/www/clients/client2/web2/cgi-bin/
        AddHandler cgi-script .cgi
        AddHandler cgi-script .pl
        # suexec enabled
        SuexecUserGroup web2 client2
        # php as fast-cgi enabled
        <Directory /var/www/BLABLA/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /var/www/php-fcgi-scripts/web2/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride all
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>
    /var/www/php-fcgi-scripts/web2/.php-fcgi-starter
    Code:
    #!/bin/sh
    PHPRC="/etc/php5/cgi/"
    export PHPRC
    PHP_DOCUMENT_ROOT="/var/www/clients/client2/web2"
    export PHP_DOCUMENT_ROOT
    # The variable PHP_FCGI_CHILDREN is onyl useful for lighty or nginx as apache
    # mod_fcgi will control the number of childs themself and never use the additional processes.
    # PHP_FCGI_CHILDREN=8
    # export PHP_FCGI_CHILDREN
    PHP_FCGI_MAX_REQUESTS=5000
    export PHP_FCGI_MAX_REQUESTS
    exec /usr/bin/php-cgi \
     -d open_basedir=[COLOR="#008000"]/var/www/BLABLA/:[/COLOR]/var/www/clients/client2/web2/ \
    -d upload_tmp_dir=/var/www/clients/client2/web2/tmp \
    -d session.save_path=/var/www/clients/client2/web2/tmp \
    [COLOR="Green"]-d memory_limit="64M" \
    -d IPCCommTimeout=60 \[/COLOR]
     $1
    (the green parts are manually changed by me)

    Code:
    server:/var/www/clients/client2/web2/web# [B]ls -l[/B]
    total 368
    drwxr-xr-x  2 web2 client0    111 2010-02-26 18:44 error
    drwxr-xr-x  7 web2 client0   4096 2010-03-03 22:22 fileadmin
    -rw-r--r--  1 web2 client0  18348 2008-01-29 11:27 GPL.txt
    -rw-r--r--  1 web2 client0     13 2008-02-08 11:01 index.htm
    -rw-r--r--  1 web2 client0   2903 2008-01-29 11:27 index.php
    drwxr-xr-x  3 web2 client0   4096 2010-03-02 18:32 misc
    -rwxr-xr--  1 web2 client0     34 2010-02-26 18:44 robots.txt
    drwxr-xr-x  2 web2 client0   4096 2010-03-03 00:30 stats
    drwxr-xr-x  7 web2 client0   4096 2010-03-03 19:06 t3lib
    drwxr-xr-x 13 web2 client0   4096 2010-03-03 11:21 typo3
    drwxrwxrwx  5 web2 client0   4096 2010-03-03 22:22 typo3conf
    drwxrwxrwx 11 web2 client0  20480 2010-03-03 22:22 typo3temp
    drwxr-xr-x 14 web2 client0   4096 2010-03-03 22:22 uploads
     
  5. till

    till Super Moderator

    The permissions do not look right. It seems as if you moved the site to another client without changing the owner of the files. Please post the output of:

    ls -la /var/www/clients/client2/web2/web
     
  6. bn61

    bn61 New Member

    yes, I just saw that the group rights were not correct and changed them to client2. unfortunately that gave me the same results.

    anyway here is the results of ls -la /var/www/clients/client2/web2/web
    Code:
    -rw-r--r--  1 web2 client2 215227 2008-01-29 11:27 ChangeLog
    -rw-r--r--  1 web2 client2   4690 2008-03-07 17:08 dmailerd.php
    drwxr-xr-x  2 web2 client2    111 2010-02-26 18:44 error
    drwxr-xr-x  7 web2 client2   4096 2010-03-03 22:22 fileadmin
    -rw-r--r--  1 web2 client2  18348 2008-01-29 11:27 GPL.txt
    -rw-r--r--  1 web2 client2    535 2010-03-03 14:30 .htaccess
    -rw-r--r--  1 web2 client2     13 2008-02-08 11:01 index.htm
    -rw-r--r--  1 web2 client2   2903 2008-01-29 11:27 index.php
    drwxr-xr-x  3 web2 client2   4096 2010-03-02 18:32 misc
    -rwxr-xr--  1 web2 client2     34 2010-02-26 18:44 robots.txt
    drwxr-xr-x  2 web2 client2   4096 2010-03-03 00:30 stats
    drwxr-xr-x  7 web2 client2   4096 2010-03-03 19:06 t3lib
    drwxr-xr-x 13 web2 client2   4096 2010-03-03 11:21 typo3
    drwxrwxrwx  5 web2 client2   4096 2010-03-03 22:22 typo3conf
    drwxrwxrwx 11 web2 client2  20480 2010-03-03 22:22 typo3temp
    drwxr-xr-x 14 web2 client2   4096 2010-03-03 22:22 uploads
    
     
  7. bn61

    bn61 New Member

    I took a look at my suexec.log:
    Code:
    [2010-03-04 19:33:10]: uid: (5005/web4) gid: (5008/5008) cmd: .php-fcgi-starter
    The thing that caught my eye is the "mismatch" of the uid. (5005 and web4 are the same user)
    Could that be the problem? And if so, where does it stem from?
     
  8. till

    till Super Moderator

    The log line looks fine. You should install a phpinfo file and check the open basedir setting with it.
     
  9. bn61

    bn61 New Member

    The open_basedir entry in the phpinfo shows exactly what it is supposed to:

    /var/www/BLABLA:/var/www/clients/client4/web4

    (Don't worry about "client4/web4". I have setup a new webs, just to be on the safe side.)
     
  10. till

    till Super Moderator

    Do you use the symlinked setup in typo3? In this case it might be that some symlinks are wrong. I have several typo3 installs on my server and never had a problem with installing them, but I always use the setup without symlinks.
     
  11. bn61

    bn61 New Member

    It was my intention to do that, but in order to locate the problem I changed it to the regular install without symlinks.

    I tried without open_basedir. That works fine. I'm just not sure if I the risk is to high.
     
  12. till

    till Super Moderator

    In your posts you replaced your domain with BLABLA so I can not see if the paths are really correct. Please make sure that BLABLA is a normal domain name like example.com completely in lower case. Linux is case sensitive, so a path /var/www/Domain.com/ is a completely different directory then /var/www/domain.com/
     
  13. bn61

    bn61 New Member

    Yes, I am aware of that. Capitals seemed to be a good way to emphasize that it is just a placeholder.
     
  14. till

    till Super Moderator

    Hmmm, really strange. Please try:

    chmod -R 777 /var/www/BLABLA/web/typo3temp
     
  15. bn61

    bn61 New Member

    Did the chmod in an act of desparation a while ago. Sadly no change.

    One step closer:
    The problem seems to be that the process can not create a file with
    fopen($file,'wb')
    If the targeted file exists than there is no problem.
     
  16. till

    till Super Moderator

    Then it must be a permission problem of that directory. Please post the output of:

    ls -la /var/www/BLABLA/web/typo3temp/llxml/
     
  17. bn61

    bn61 New Member

    I think I am ok there:
    Code:
    server:/# ls -la /var/www/BLABLA/web/typo3temp/llxml/ | more
    total 12152
    drwxrwxrwx  2 web4 client4 98304 2010-03-03 22:22 .
    drwxrwxrwx 11 web4 client4 20480 2010-03-03 22:22 ..
    -rwxrwxrwx  1 web4 client4   915 2008-10-22 15:57 alt_doc.xml_252cd6585d.default.iso-8859-1.cache
    -rwxrwxrwx  1 web4 client4   979 2008-02-12 13:10 alt_doc.xml_252cd6585d.de.iso-8859-1.cache
    -rwxrwxrwx  1 web4 client4   979 2008-01-29 11:36 alt_doc.xml_2ab5fdf6ac.de.iso-8859-1.cache
    .
    .
    and so on
     
  18. bn61

    bn61 New Member

    Ok, it seems to reject only absolute paths. It works fine with relative paths.
    But since I really do not intend to rewrite the TYPO3 sources I am going to accept my fate and go without open_basedir for now.
    I will let you know when I find a real solution.

    Thanks for bearing with me for so long.
     
  19. Hans

    Hans Moderator

    If you use the symlink setup, in ISPConfig3 you need extend the content of the php-openbasedir line for the website with:

    :/var/www/typo3_src-4.3.3

    In case your TYPO3 version 4.3.3 source is at /var/www/typo3_src-4.3.3.
    Then you can run TYPO3 with a central source with FAST-CGI enabled for example.
     

Share This Page