Hi friends, I'm having a strange issue that I have never seen in ISPConfig. I usually install ISPConfig 3 (latest version) on Ubuntu 8.04 with total success! But recently I needed to install it on Debian 5.0.7. I followed the instructions of the 'official perfect setup' from How2forge and the installation worked well. But the problem is the permissions of the PHP user, which is configured with suexec + FastCGI. Look:

    uid=33(www-data) gid=33(www-data) groups=33(www-data),5003(ispapps),5004(ispconfig),5005(client1)

But on another server I get the normal result:

    uid=5005(webx), gid=2006(clientx)

Does anyone know why this occurs? Thanks
One piece of information that may be useful:

    www-data 3842 0.0 0.0 168316 13332 ? S 15:54 0:00 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web4/web:/var/www/clients/client1/

Look, the php-cgi process is spawned by the wrong user (www-data). On other servers the process is spawned by the webX user, like below:

    web206 32710 3.6 0.1 165340 12980 ? S 17:04 0:22 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client75/web206 -d upload_tmp_dir=/var/www/clients/client75/web206/tmp -d session.save_path=/var/www/clients/client75/web206/tmp

Does anybody know what is going on?
Looks as if suexec is not enabled for that website. Please post the Apache vhost configuration file of the affected site. Additionally, take a look at the ISPConfig monitor and check if there are any jobs listed in the jobqueue.
Thanks for your reply, till. I looked at the jobqueue and it's working well; the tasks have been executed and disappeared from the jobqueue. See the vhost conf below:

    <Directory /var/www/new.compreauto.com.br>
      AllowOverride None
      Order Deny,Allow
      Deny from all
    </Directory>

    <VirtualHost 200.219.204.187:80>
      DocumentRoot /var/www/new.compreauto.com.br/web
      ServerName new.compreauto.com.br
      ServerAlias www.new.compreauto.com.br
      ServerAdmin [email protected]
      ErrorLog /var/log/ispconfig/httpd/new.compreauto.com.br/error.log

      ErrorDocument 400 /error/400.html
      ErrorDocument 401 /error/401.html
      ErrorDocument 403 /error/403.html
      ErrorDocument 404 /error/404.html
      ErrorDocument 405 /error/405.html
      ErrorDocument 500 /error/500.html
      ErrorDocument 503 /error/503.html

      <Directory /var/www/new.compreauto.com.br/web>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
      </Directory>
      <Directory /var/www/clients/client1/web4/web>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
      </Directory>

      # suexec enabled
      SuexecUserGroup web4 client1

      # Clear PHP settings of this website
      <FilesMatch "\.ph(p3?|tml)$">
        SetHandler None
      </FilesMatch>

      # php as fast-cgi enabled
      <IfModule mod_fcgid.c>
        # SocketPath /tmp/fcgid_sock/

        # IdleTimeout n (3600 seconds)
        # An idle fastcgi application will be terminated after IdleTimeout seconds.
        IdleTimeout 3600

        # ProcessLifeTime n (7200 seconds)
        # A fastcgi application will be terminated if lifetime expired, even no error is detected.
        ProcessLifeTime 7200

        # MaxProcessCount n (1000)
        # The max count of total fastcgi process count.
        # MaxProcessCount 1000

        # DefaultMinClassProcessCount n (3)
        # The minimum number of fastcgi application instances for any one fastcgi application.
        # Idle fastcgi will not be killed if their count is less than n
        # Set this to 0, and tweak IdleTimeout
        DefaultMinClassProcessCount 0

        # DefaultMaxClassProcessCount n (100)
        # The maximum number of fastcgi application instances allowed to run for
        # particular one fastcgi application.
        DefaultMaxClassProcessCount 100

        # IPCConnectTimeout n (3 seconds)
        # The connect timeout to a fastcgi application.
        IPCConnectTimeout 8

        # IPCCommTimeout n (20 seconds)
        # The communication timeout to a fastcgi application. Please increase this
        # value if your CGI have a slow initialization or slow respond.
        IPCCommTimeout 360

        # BusyTimeout n (300 seconds)
        # A fastcgi application will be terminated if handing a single request
        # longer than busy timeout.
        BusyTimeout 300
      </IfModule>

      <Directory /var/www/new.compreauto.com.br/web>
        AddHandler fcgid-script .php .php3 .php4 .php5
        FCGIWrapper /var/www/php-fcgi-scripts/web4/.php-fcgi-starter .php
        Options +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
      </Directory>
      <Directory /var/www/clients/client1/web4/web>
        AddHandler fcgid-script .php .php3 .php4 .php5
        FCGIWrapper /var/www/php-fcgi-scripts/web4/.php-fcgi-starter .php
        Options +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
      </Directory>

      # add support for apache mpm_itk
      <IfModule mpm_itk_module>
        AssignUserId web4 client1
      </IfModule>

      <IfModule mod_dav_fs.c>
        # DO NOT REMOVE THE COMMENTS!
        # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
        # WEBDAV BEGIN
        # WEBDAV END
      </IfModule>
    </VirtualHost>

As additional information, here are the Apache/PHP packages installed on Lenny:

    web:~# dpkg -l|egrep 'apache|php|sue'
    ii apache2-doc 2.2.9-10+lenny8 Apache HTTP Server documentation
    ii apache2-mpm-prefork 2.2.9-10+lenny8 Apache HTTP Server - traditional non-threaded model
    ii apache2-suexec 2.2.9-10+lenny8 Standard suexec program for Apache 2 mod_suexec
    ii apache2-utils 2.2.9-10+lenny8 utility programs for webservers
    ii apache2.2-common 2.2.9-10+lenny8 Apache HTTP Server common files
    ii libapache2-mod-fcgid 1:2.2-1 an alternative module compat with mod_fastcgi
    ii libapache2-mod-php5 5.2.6.dfsg.1-1+lenny9 server-side, HTML-embedded scripting language (Apache 2 module
    ii libapache2-mod-suphp 0.6.2-3 Apache2 module to run php scripts with the owner permissions
    ii php-auth 1.6.1-1 PHP PEAR modules for creating an authentication system
    ii php-pear 5.2.6.dfsg.1-1+lenny9 PEAR - PHP Extension and Application Repository
    ii php5 5.2.6.dfsg.1-1+lenny9 server-side, HTML-embedded scripting language (metapackage)
    ii php5-cgi 5.2.6.dfsg.1-1+lenny9 server-side, HTML-embedded scripting language (CGI binary)
    ii php5-cli 5.2.6.dfsg.1-1+lenny9 command-line interpreter for the php5 scripting language
    ii php5-common 5.2.6.dfsg.1-1+lenny9 Common files for packages built from the php5 source
    ii php5-curl 5.2.6.dfsg.1-1+lenny9 CURL module for php5
    ii php5-gd 5.2.6.dfsg.1-1+lenny9 GD module for php5
    ii php5-imagick 2.1.1RC1-1 ImageMagick module for php5
    ii php5-imap 5.2.6.dfsg.1-1+lenny9 IMAP module for php5
    ii php5-mcrypt 5.2.6.dfsg.1-1+lenny9 MCrypt module for php5
    ii php5-mysql 5.2.6.dfsg.1-1+lenny9 MySQL module for php5
    ii suphp-common 0.6.2-3 Common files for mod suphp

Thanks again!
Till, here is the output:

    web:~# grep web4 /etc/passwd
    web4:x:5004:5005::/var/www/clients/client1/web4:/bin/false

    /etc/group
    vmail:x:5000:
    getmail:x:5001:
    sshusers:x:5002:web4
    ispapps:x:5003:www-data
    ispconfig:x:5004:www-data
    client1:x:5005:www-data

Anything strange? Thanks
Till, I FOUND the problem: the Debian package apache2-suexec-custom was missing! I simply did this:

    apt-get install apache2-suexec-custom

After restarting Apache and repeating the tests I got this output:

    # id
    uid=5004(web4) gid=5005(client1) groups=5002(sshusers),5005(client1)

And the ps aux:

    web4 9058 0.0 0.0 168312 13280 ? S 21:11 0:00 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web4/web:/var/www/clients/client1/web4/tmp:/var/www/new.compreauto.com.br/web:/srv/www/new.compreauto.com.br/web:/usr/share/php5:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin -d upload_tmp_dir=/var/www/clients/client1/web4/tmp -d session.save_path=/var/www/clients/client1/web4/tmp

I searched the howto ( http://www.howtoforge.com/perfect-server-debian-lenny-ispconfig3-p4 ) and the line referring to the Apache/PHP install is:

    apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libapache2-mod-ruby

Only apache2-suexec was installed, so I think this tip may be useful for Debian 5.0.7 users in general!

But I notice another difference between ISPConfig on Debian 5 and on Ubuntu 8.0.4: on Ubuntu the user web4 is kept inside the home directory (/var/www/clients/client1/; it cannot list / or /tmp, for example). Do you know a tip to fix that? It is horrible to know that a malicious PHP script can list /var/www/clients.

Thanks again. The original problem is SOLVED; I raise the second problem in this thread just because I consider it a bit related.
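
Added example (not part of the original thread, and not ISPConfig's own code): a check for the symptom diagnosed above, php-cgi workers running as www-data instead of the site user. It assumes the ISPConfig path layout shown in the posts (`/var/www/clients/clientN/webM`); the function names `find_mismatched_fcgi` and `sample_ps` are hypothetical.

```shell
#!/bin/sh
# Added example: flag php-cgi workers that are not running as the site user.
# Assumes the ISPConfig layout seen in the thread, where the first open_basedir
# entry is /var/www/clients/clientN/webM/... and the worker should run as webM.

# Reads `ps aux`-style lines on stdin; prints "PID OWNER EXPECTED" per mismatch.
find_mismatched_fcgi() {
    awk '
    /php-cgi/ && /open_basedir=/ {
        owner = $1; pid = $2; expected = ""
        for (i = 11; i <= NF; i++) {          # field 11 is where COMMAND starts
            if ($i !~ /^open_basedir=/) continue
            # Use only the first path entry; later entries can be shared dirs.
            split(substr($i, length("open_basedir=") + 1), paths, ":")
            n = split(paths[1], seg, "/")
            for (j = 1; j < n; j++)
                if (seg[j] ~ /^client[0-9]+$/ && seg[j + 1] ~ /^web[0-9]+$/)
                    expected = seg[j + 1]
        }
        if (expected != "" && owner != expected)
            print pid, owner, expected
    }'
}

# ps lines from the thread, shortened (sample input for an offline run).
sample_ps() {
    cat <<'EOF'
www-data 3842 0.0 0.0 168316 13332 ? S 15:54 0:00 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web4/web:/var/www/clients/client1/
web206 32710 3.6 0.1 165340 12980 ? S 17:04 0:22 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client75/web206 -d upload_tmp_dir=/var/www/clients/client75/web206/tmp
web4 9058 0.0 0.0 168312 13280 ? S 21:11 0:00 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web4/web:/var/www/clients/client1/web4/tmp
EOF
}

sample_ps | find_mismatched_fcgi
```

On a live host, pipe `ps aux` into `find_mismatched_fcgi`; any line it prints is a worker running outside its site account, which means suexec is not taking effect for that vhost.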