Wrong apache+php user permissions

Discussion in 'Installation/Configuration' started by filipealvarez, Jan 4, 2011.

  1. filipealvarez

    filipealvarez New Member

    Hi friends, I'm having a strange issue that never I see in Ispconfig.

    I usually install ispconfig3 (latest version) over Ubuntu 8.04 with total sucess!

    But recently I need to install on a Debian 5.0.7. I follow the instructions of the 'official perfect setup' from How2forge and the installation works well.

    But, the problem is the permissions of php user, that is configure with Suexec + fastcgi, look:

    uid=33(www-data) gid=33(www-data) groups=33(www-data),5003(ispapps),5004(ispconfig),5005(client1)

    But in another server I got the normal result:

    uid=5005(webx), gid=2006(clientx)

    Anynone know why this occours?

    Thanks
     
    filipealvarez, Jan 4, 2011
    #1
  2. filipealvarez

    filipealvarez New Member

    One information that may be util:

    www-data 3842 0.0 0.0 168316 13332 ? S 15:54 0:00 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web4/web:/var/www/clients/client1/

    Look, the php-cgi process is spawned by wrong user (www-data).

    In other servers the process is spawned by the webX user like below:

    web206 32710 3.6 0.1 165340 12980 ? S 17:04 0:22 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client75/web206 -d upload_tmp_dir=/var/www/clients/client75/web206/tmp -d session.save_path=/var/www/clients/client75/web206/tmp


    Anybody know what'is going?
     
    filipealvarez, Jan 4, 2011
    #2
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Looks as if suexec is not enabled in that website. Please post the apache vhost configuration file of the affected site.

    additionally, take a look into the ispconfig monitor and check if there are any jobs listed in the jobqueue.
     
    till, Jan 4, 2011
    #3
  4. filipealvarez

    filipealvarez New Member

    Thanks for your reply till, I saw the jobqueue and it's working well, the tasks has been executed and dissapear from jobqueue.

    See the vhost conf below:

    <Directory /var/www/new.compreauto.com.br>
    AllowOverride None
    Order Deny,Allow
    Deny from all
    </Directory>

    <VirtualHost 200.219.204.187:80>
    DocumentRoot /var/www/new.compreauto.com.br/web

    ServerName new.compreauto.com.br
    ServerAlias www.new.compreauto.com.br
    ServerAdmin webmaster@new.compreauto.com.br

    ErrorLog /var/log/ispconfig/httpd/new.compreauto.com.br/error.log


    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 503 /error/503.html

    <Directory /var/www/new.compreauto.com.br/web>
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    </Directory>
    <Directory /var/www/clients/client1/web4/web>
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    </Directory>


    # suexec enabled
    SuexecUserGroup web4 client1
    # Clear PHP settings of this website
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    # php as fast-cgi enabled
    <IfModule mod_fcgid.c>

    # SocketPath /tmp/fcgid_sock/

    # IdleTimeout n (3600 seconds)
    # An idle fastcgi application will be terminated after IdleTimeout seconds.
    IdleTimeout 3600

    # ProcessLifeTime n (7200 seconds)
    # A fastcgi application will be terminated if lifetime expired, even no error is detected.
    ProcessLifeTime 7200

    # MaxProcessCount n (1000)
    # The max count of total fastcgi process count.
    # MaxProcessCount 1000

    # DefaultMinClassProcessCount n (3)
    # The minimum number of fastcgi application instances for any one fastcgi application.
    # Idle fastcgi will not be killed if their count is less than n
    # Set this to 0, and tweak IdleTimeout
    DefaultMinClassProcessCount 0

    # DefaultMaxClassProcessCount n (100)
    # The maximum number of fastcgi application instances allowed to run for
    # particular one fastcgi application.
    DefaultMaxClassProcessCount 100

    # IPCConnectTimeout n (3 seconds)
    # The connect timeout to a fastcgi application.
    IPCConnectTimeout 8

    # IPCCommTimeout n (20 seconds)
    # The communication timeout to a fastcgi application. Please increase this
    # value if your CGI have a slow initialization or slow respond.
    IPCCommTimeout 360

    # BusyTimeout n (300 seconds)
    # A fastcgi application will be terminated if handing a single request
    # longer than busy timeout.
    BusyTimeout 300

    </IfModule>
    <Directory /var/www/new.compreauto.com.br/web>
    AddHandler fcgid-script .php .php3 .php4 .php5
    FCGIWrapper /var/www/php-fcgi-scripts/web4/.php-fcgi-starter .php
    Options +ExecCGI
    AllowOverride All
    Order allow,deny
    Allow from all
    </Directory>
    <Directory /var/www/clients/client1/web4/web>
    AddHandler fcgid-script .php .php3 .php4 .php5
    FCGIWrapper /var/www/php-fcgi-scripts/web4/.php-fcgi-starter .php
    Options +ExecCGI
    AllowOverride All
    Order allow,deny
    Allow from all
    </Directory>

    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
    AssignUserId web4 client1
    </IfModule>

    <IfModule mod_dav_fs.c>
    # DO NOT REMOVE THE COMMENTS!
    # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
    # WEBDAV BEGIN
    # WEBDAV END
    </IfModule>


    </VirtualHost>


    As additional information, here are the apache/php packages installed on Lenny:

    web:~# dpkg -l|egrep 'apache|php|sue'
    ii apache2-doc 2.2.9-10+lenny8 Apache HTTP Server documentation
    ii apache2-mpm-prefork 2.2.9-10+lenny8 Apache HTTP Server - traditional non-threaded model
    ii apache2-suexec 2.2.9-10+lenny8 Standard suexec program for Apache 2 mod_suexec
    ii apache2-utils 2.2.9-10+lenny8 utility programs for webservers
    ii apache2.2-common 2.2.9-10+lenny8 Apache HTTP Server common files
    ii libapache2-mod-fcgid 1:2.2-1 an alternative module compat with mod_fastcgi
    ii libapache2-mod-php5 5.2.6.dfsg.1-1+lenny9 server-side, HTML-embedded scripting language (Apache 2 module
    ii libapache2-mod-suphp 0.6.2-3 Apache2 module to run php scripts with the owner permissions
    ii php-auth 1.6.1-1 PHP PEAR modules for creating an authentication system
    ii php-pear 5.2.6.dfsg.1-1+lenny9 PEAR - PHP Extension and Application Repository
    ii php5 5.2.6.dfsg.1-1+lenny9 server-side, HTML-embedded scripting language (metapackage)
    ii php5-cgi 5.2.6.dfsg.1-1+lenny9 server-side, HTML-embedded scripting language (CGI binary)
    ii php5-cli 5.2.6.dfsg.1-1+lenny9 command-line interpreter for the php5 scripting language
    ii php5-common 5.2.6.dfsg.1-1+lenny9 Common files for packages built from the php5 source
    ii php5-curl 5.2.6.dfsg.1-1+lenny9 CURL module for php5
    ii php5-gd 5.2.6.dfsg.1-1+lenny9 GD module for php5
    ii php5-imagick 2.1.1RC1-1 ImageMagick module for php5
    ii php5-imap 5.2.6.dfsg.1-1+lenny9 IMAP module for php5
    ii php5-mcrypt 5.2.6.dfsg.1-1+lenny9 MCrypt module for php5
    ii php5-mysql 5.2.6.dfsg.1-1+lenny9 MySQL module for php5
    ii suphp-common 0.6.2-3 Common files for mod suphp


    Thanks again!
     
    filipealvarez, Jan 4, 2011
    #4
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The vhsot config looks fine. Please post the output of this command:

    grep web4 /etc/passwd
     
    till, Jan 4, 2011
    #5
  6. filipealvarez

    filipealvarez New Member

    Till, here is the output:

    web:~# grep web4 /etc/passwd
    web4:x:5004:5005::/var/www/clients/client1/web4:/bin/false

    /etc/group
    vmail:x:5000:
    getmail:x:5001:
    sshusers:x:5002:web4
    ispapps:x:5003:www-data
    ispconfig:x:5004:www-data
    client1:x:5005:www-data

    Anything strange?

    Thanks
     
    Last edited: Jan 4, 2011
    filipealvarez, Jan 4, 2011
    #6
  7. filipealvarez

    filipealvarez New Member

    Till, I FOUND the problem, the debian package apache2-suexec-custom was missing!

    I simply do this:

    apt-get install apache2-suexec-custom

    Restart the apache and the repeating the tests I got this output:

    # id
    uid=5004(web4) gid=5005(client1) groups=5002(sshusers),5005(client1)

    And the ps aux:

    web4 9058 0.0 0.0 168312 13280 ? S 21:11 0:00 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web4/web:/var/www/clients/client1/web4/tmp:/var/www/new.compreauto.com.br/web:/srv/www/new.compreauto.com.br/web:/usr/share/php5:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin -d upload_tmp_dir=/var/www/clients/client1/web4/tmp -d session.save_path=/var/www/clients/client1/web4/tmp

    I search in the how to ( http://www.howtoforge.com/perfect-server-debian-lenny-ispconfig3-p4 ) and the line refering a apache/php install is:

    apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libapache2-mod-ruby

    Just apache2-suexec was installed, so I think that tip maybe util for Debian 5.0.7 users in general!

    But I feel other difference between ispconfig in Debian 5 than Ubuntu 8.0.4, the user web4 in Ubuntu keep's into the home directory (/var/www/clients/client1/, he cannot listen / or /tmp for example.)

    Do you know a tip to fix that?

    Is horrible to know that a malicious php script can list the /var/www/clients.

    Thanks and I again, the original problem is SOLVED, I expose the second problem in this thread just because I consider a bit related
     
    filipealvarez, Jan 5, 2011
    #7
  8. filipealvarez

    filipealvarez New Member

    All problems are SOLVED, remember to use aways the latest packages with apt-get!

    Thanks Till!
     
    filipealvarez, Jan 7, 2011
    #8

Share This Page