write access to wwwrun/www-data in users DocumentRoot

Discussion in 'Installation/Configuration' started by st2xo, Feb 6, 2006.

  1. st2xo

    st2xo New Member

    Hi everybody - it´s monday and the problems are with me, again :(
    Is there a - practicable - way to give apache/mod_php write access to the users public web directorys?

    I have to make the users public web directories write accessible for wwwrun (or www-data). With the default ISPconfig installation (Suse10, perfect setup) that is´nt possible (or I´m wrong?). So I made following changes and it works:

    Add user wwwrun to the web10-group
    groupmod --add-user wwwrun web10
    make web10-dir writeable for all group members
    chmod 775  /home/www/web10
    make web-dir writeable for everybody
    chmod 777  /home/www/web10/web
    (actual it should be enough to give 775 - but it isn´t and I dont understand why - but for the asked problem I will ignore this at this time)

    That works - but isnt very smart of course.
    At last it is now very unsecure to give users shell access because all users would have write access to the directories from the other users :( But that is for me the smaller problem, so would´nt give shell access.

    Now I would go to patch the ispconfig scripts which create the users directories and would set the above values with chmod/chown and so on.

    So my questions:
    - which ISPConfig script/s I have to patch?
    - is there another way to give write access to the public dirs?

    thanks in advance!
  2. st2xo

    st2xo New Member

    something I forgot - these solutions are working, I know, but they´re would be a compromise only:

    - to run the php script as cgi (additional to the mod_php) is not the preferred solutions
    - http://www.suphp.org

    is there another solution?
  3. falko

    falko Super Moderator ISPConfig Developer

    The xript is /root/ispconfig/scripts/lib/config.lib.php. Look at the function make_docroot() (around line 966).
  4. st2xo

    st2xo New Member

    Thank you Falko - I think I first check out su_php. If that do not work I like, I´ll patch the file (but probably it will ...)
    If somebody else could use this info: the two rows on line 1083 should be changed from
    exec("chown -R [B]$apache_user[/B]:web$doc_id $web_path_realname &> /dev/null");
    exec("chown -R [B]$apache_user[/B]:web$doc_id $web_path &> /dev/null");
    exec("chown -R [B]wwwrun[/B]:web$doc_id $web_path_realname &> /dev/null");
    exec("chown -R [B]wwwrun[/B]:web$doc_id $web_path &> /dev/null");
    sometimes wwwrun is www-data - check this out before! This is not tested!

    there is a very strange thing I observed:
    is there any process that checks every 1-2 minutes the file owners in /home/www and makes changes on it?

    I added one user manually with useradd, this user has now the uid 10028 (this is the highest number in /etc/passwd but not the last entry).

    Now, a web directory /www/web22 is being permanently changed to xyz.web22 (where xyz is the user with uid 10028). All other dirs in /www are untouched.

    (the /www/web22 directory is the second last web, so the last is web23)
    Do you know what this could be?
    Last edited: Feb 6, 2006
  5. falko

    falko Super Moderator ISPConfig Developer

    $apache_user contains the Apache user - in your case wwwrun, so there's no need to change this.

    By default ISPConfig creates users with UIDs above 10000. When you add users manually, you should use UIDs below 10000. What happened on your system is this:
    You created users with ISPConfig up to the UID 10027. Then you added a user manually; because you did not specify a certain UID, the user got the UID 10028.
    Then you created the next user in ISPConfig. Because ISPConfig doesn't know that you created another user manually in the meantime, the new user gets the UID 10028. And voilà, you have two users with conflicting UIDs.
    You should assign another UID (below 10000) to your manually created user.
  6. st2xo

    st2xo New Member

    mhmh, then its even more strange on my system - the web-directories in /home/www are owned by the user with administrator-Checkbox in User&Email-Settings.

    Directories created by ISPconfig without any changes from me (I did´nt patched the config.lib.php file) are like this:
    drwxr-xr-x  10 web18_stefan    web18 4.0K Feb  3 15:17 web18/
    drwxr-xr-x  10 web18_stefan    web18 4.0K Feb  3 15:17 www.XYZ.de/
    If I deselect the admin-Checkbox the file owner changes immediately to
    drwxr-xr-x  10 root            web18 4.0K Feb  7 09:51 web18/
    drwxr-xr-x  10 root            web18 4.0K Feb  7 09:51 www.XYZ.de/
    If now selected another user as admin the file owner changes again
    drwxr-xr-x  10 web18_test2     web18 4.0K Feb  7 09:55 web18/
    drwxr-xr-x  10 web18_test2     web18 4.0K Feb  7 09:55 www.XYZ.de/
    So there´s is no wwwrun user set and without set any admin-checkox root is owner of the dirs (but that seems to be correct?!)
    Setting wwwrun as as the owner of alle files by ISPConfig-default would be solve all my problems :D How can I make that? Or whats going wrong there?
    (the perfect setup was installed fine on a brandnew suse10-OS, all default, no errors, no strange things)

    thanks! That´s it. I changed the uid manually in /etc/passwd. After exiting vi the owner from this one directory was already fixed. Now I remember that somewhere I read this thing with the uid upper than 10000 :rolleyes:
  7. falko

    falko Super Moderator ISPConfig Developer

    That's the way it is intended. If a web site has an admin, then the admin owns these directories. If there's no admin, then the directories should be owned by the Apache user.

    root is not ok. Then something's strange on your system...

    You can change the code and hard-code wwwrun into it.
  8. st2xo

    st2xo New Member

    I changed the code to wwwrun on a few positions around line 1081, in make_docroot() with no result.

    Even if wwwrun is hardcoded, e.g. set as
    $apache_user = "wwwrun"; #$this->apache_user;
    (and a few other similar positions)

    this has no effect.
    File owner will be set as root, like described above

    - Is there any debug mode to help to check out for me this problem?

    - Which file permissions /home and /home/www has to be set? (/home=root.root+755 and /home/www=root.www+775 is on my system)

    - wwwrun is a member from group www and has nothing to to with the admispconfig-user in /etc/passwd and /etc/groups - is that correct?

    Thank you very much in advance for any hints!
  9. falko

    falko Super Moderator ISPConfig Developer

    No... Further down the function you have an $owner variable and some more chown commands. Have a look at these.

    That's ok.

    That's also ok.
  10. st2xo

    st2xo New Member

    Hi Falko

    I found the "root" the code in
    in function
    apache_user(), Line 1777
    If I put in a hardcoded wwwrun all file permissions will be ok.

    function apache_user(){
      global $mod;
      $httpd_conf = $mod->system->server_conf["dist_httpd_conf"];
      $includes = $mod->file->find_includes($httpd_conf);
      $anz_includes = sizeof($includes);
        $includes[$i] = $mod->file->unix_nl($mod->file->no_comments($includes[$i]));
        if($line = $mod->system->grep($includes[$i], "User", "w")){
          $lines = explode("\n", $line);
          $line = $lines[0];
          $line = trim($line);
          while(strstr($line, "  ")){
            $line = str_replace("  ", " ", $line);
          list($f1, $apache_user) = explode(" ", $line);
          $apache_user = trim($apache_user);
          $i = $anz_includes;
      [COLOR="Red"]# st2xo: $apache_user is nowhere set in this function...[/COLOR]
      if(isset($apache_user) && $mod->system->is_user($apache_user)){
        [COLOR="Red"]# ... so this never will be returned[/COLOR]
        return $apache_user;
      } else {
        [COLOR="Red"]# ... and root will be returned in every case[/COLOR]
        return "root";
    How will be the variable $apache_user set in the function apache_user()?
    I think there is a global $apache_user or something like that missing.

    Or I´am completely wrong now?
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    The function searches for the line that begins with "User" in all you apache config files and returns the name of the user. Maybe the user is not set correctly in your apache config.

    There is no global statement for the variable $apache_user missing.
  12. falko

    falko Super Moderator ISPConfig Developer

    In this part:

    $includes[$i] = $mod->file->unix_nl($mod->file->no_comments($includes[$i]));
    $line $mod->system->grep($includes[$i], "User""w")){
    $lines explode("\n"$line);
    $line $lines[0];
    $line trim($line);
    strstr($line"  ")){
    $line str_replace("  "" "$line);
    $f1$apache_user) = explode(" "$line);
    $apache_user trim($apache_user);
    $i $anz_includes;
    the function looks in the Apache configuration and all the included configuration files for something like
    User wwwrun
    If it finds that line, it removes User in front so that wwwrun is remaining.
  13. st2xo

    st2xo New Member

    Hi till and falko - hehe, that looks smart! :)

    what apache files would be grepped by:
    $includes[$i] = $mod->file->unix_nl($mod->file->no_comments($includes[$i]));
    in my complete /etc/apache2/* the only match to "wwwrun" is uid.conf (is 644)
    more /etc/apache2/uid.conf:
    User wwwrun
    Group www
    Are there some other files grepped for "user" and one match gives a blank line? Could that be? Are there other files grepped except uid.conf?

    Perhaps the other condition than $apache_user is not set and so root is returned?
    if(isset($apache_user) && $mod->system->is_user([COLOR="Blue"]$apache_user[/COLOR])){
      return $apache_user;
    } else {
      return "root";
    $mod depends on

    function is_user([COLOR="Blue"]$user[/COLOR]){
      global $mod;
      $user_datei = $this->server_conf["passwd_datei"];
      $users = $mod->file->no_comments($user_datei);
      $lines = explode("\n", $users);
        foreach($lines as $line){
          if(trim($line) != ""){
            list($f1, $f2, $f3, $f4, $f5, $f6, $f7) = explode(":", $line);
            if([COLOR="Red"]$f1[/COLOR] == [COLOR="Blue"]$user[/COLOR]) return true;
      return false;
    so, if wwwrun is correctly given by uid.conf and then is_user() is called - what should then be checked in is_user() ?
    I guess $user_datei is at last /etc/passwd and the exploding ":" returns "wwwrun" - which is then equal to is_user($user)

    my /etc/passwd and /etc/groups contents
    wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false

    Seem´s to be ok.
    Or am I completely in a wrong way?
  14. falko

    falko Super Moderator ISPConfig Developer

    The function searches in all files included in your main Apache configuration file.
    Does the column dist_httpd_conf in the isp_server table in the ISPConfig database contain your correct Apache configuration file?

    Yes, that function checks /etc/passwd, and if wwwrun is in there, then it's fine.
  15. st2xo

    st2xo New Member

    the column contains

    and that is the used file (which was edited by myself, it´s not the default ISPConfig-file!)

    The other cols seem to be allright (www,wwwrun, /etc/*-files, etc.), all data is valid.
    Last edited: Feb 9, 2006
  16. falko

    falko Super Moderator ISPConfig Developer

    Please post the output of
    ls -l /etc/apache2/httpd.conf
    httpd -V
  17. st2xo

    st2xo New Member

    Hi Falko,

    here´s the data:

    n05:~ # ls -l /etc/apache2/httpd.conf
    -rw-r--r--  1 root root 10044 Feb  9 21:13 /etc/apache2/httpd.conf
    n05:~ # httpd -V
    Server version: Apache/2.0.54
    Server built:   Sep  9 2005 18:32:43
    Server's Module Magic Number: 20020903:9
    Architecture:   32-bit
    Server compiled with....
     -D APACHE_MPM_DIR="server/mpm/prefork"
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D HTTPD_ROOT="/srv/www"
     -D SUEXEC_BIN="/usr/sbin/suexec2"
     -D DEFAULT_PIDLOG="/var/run/httpd2.pid"
     -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
     -D DEFAULT_LOCKFILE="/var/run/accept.lock"
     -D DEFAULT_ERRORLOG="/var/log/apache2/error_log"
     -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
     -D SERVER_CONFIG_FILE="/etc/apache2/httpd.conf"
  18. falko

    falko Super Moderator ISPConfig Developer

    The output is ok.

    Can you find the line
    User wwwrun
    in /etc/apache2/httpd.conf or any of the included files?
  19. st2xo

    st2xo New Member

    yes, in /etc/apache/uid.conf:
    n05:/etc/apache2 # more uid.conf
    User wwwrun
    Group www
    An uid.conf ist included in httpd.conf (I checked it)
  20. falko

    falko Super Moderator ISPConfig Developer

    Maybe you can debug the function by putting echo statements into it or let it write some output to a file that you can check afterwards...

Share This Page