Wrong apache+php user permissions

Discussion in 'Installation/Configuration' started by filipealvarez, Jan 4, 2011.

  1. filipealvarez

    filipealvarez New Member

    Hi friends, I'm having a strange issue that never I see in Ispconfig.

    I usually install ispconfig3 (latest version) over Ubuntu 8.04 with total sucess!

    But recently I need to install on a Debian 5.0.7. I follow the instructions of the 'official perfect setup' from How2forge and the installation works well.

    But, the problem is the permissions of php user, that is configure with Suexec + fastcgi, look:

    uid=33(www-data) gid=33(www-data) groups=33(www-data),5003(ispapps),5004(ispconfig),5005(client1)

    But in another server I got the normal result:

    uid=5005(webx), gid=2006(clientx)

    Anynone know why this occours?

    Thanks
     
    filipealvarez, Jan 4, 2011
    #1
  2. filipealvarez

    filipealvarez New Member

    One information that may be util:

    www-data 3842 0.0 0.0 168316 13332 ? S 15:54 0:00 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web4/web:/var/www/clients/client1/

    Look, the php-cgi process is spawned by wrong user (www-data).

    In other servers the process is spawned by the webX user like below:

    web206 32710 3.6 0.1 165340 12980 ? S 17:04 0:22 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client75/web206 -d upload_tmp_dir=/var/www/clients/client75/web206/tmp -d session.save_path=/var/www/clients/client75/web206/tmp


    Anybody know what'is going?
     
    filipealvarez, Jan 4, 2011
    #2
  3. till

    till Super Moderator

    Looks as if suexec is not enabled in that website. Please post the apache vhost configuration file of the affected site.

    additionally, take a look into the ispconfig monitor and check if there are any jobs listed in the jobqueue.
     
    till, Jan 4, 2011
    #3
  4. filipealvarez

    filipealvarez New Member

    Thanks for your reply till, I saw the jobqueue and it's working well, the tasks has been executed and dissapear from jobqueue.

    See the vhost conf below:

    <Directory /var/www/new.compreauto.com.br>
    AllowOverride None
    Order Deny,Allow
    Deny from all
    </Directory>

    <VirtualHost 200.219.204.187:80>
    DocumentRoot /var/www/new.compreauto.com.br/web

    ServerName new.compreauto.com.br
    ServerAlias www.new.compreauto.com.br
    ServerAdmin webmaster@new.compreauto.com.br

    ErrorLog /var/log/ispconfig/httpd/new.compreauto.com.br/error.log


    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 503 /error/503.html

    <Directory /var/www/new.compreauto.com.br/web>
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    </Directory>
    <Directory /var/www/clients/client1/web4/web>
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    </Directory>


    # suexec enabled
    SuexecUserGroup web4 client1
    # Clear PHP settings of this website
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    # php as fast-cgi enabled
    <IfModule mod_fcgid.c>

    # SocketPath /tmp/fcgid_sock/

    # IdleTimeout n (3600 seconds)
    # An idle fastcgi application will be terminated after IdleTimeout seconds.
    IdleTimeout 3600

    # ProcessLifeTime n (7200 seconds)
    # A fastcgi application will be terminated if lifetime expired, even no error is detected.
    ProcessLifeTime 7200

    # MaxProcessCount n (1000)
    # The max count of total fastcgi process count.
    # MaxProcessCount 1000

    # DefaultMinClassProcessCount n (3)
    # The minimum number of fastcgi application instances for any one fastcgi application.
    # Idle fastcgi will not be killed if their count is less than n
    # Set this to 0, and tweak IdleTimeout
    DefaultMinClassProcessCount 0

    # DefaultMaxClassProcessCount n (100)
    # The maximum number of fastcgi application instances allowed to run for
    # particular one fastcgi application.
    DefaultMaxClassProcessCount 100

    # IPCConnectTimeout n (3 seconds)
    # The connect timeout to a fastcgi application.
    IPCConnectTimeout 8

    # IPCCommTimeout n (20 seconds)
    # The communication timeout to a fastcgi application. Please increase this
    # value if your CGI have a slow initialization or slow respond.
    IPCCommTimeout 360

    # BusyTimeout n (300 seconds)
    # A fastcgi application will be terminated if handing a single request
    # longer than busy timeout.
    BusyTimeout 300

    </IfModule>
    <Directory /var/www/new.compreauto.com.br/web>
    AddHandler fcgid-script .php .php3 .php4 .php5
    FCGIWrapper /var/www/php-fcgi-scripts/web4/.php-fcgi-starter .php
    Options +ExecCGI
    AllowOverride All
    Order allow,deny
    Allow from all
    </Directory>
    <Directory /var/www/clients/client1/web4/web>
    AddHandler fcgid-script .php .php3 .php4 .php5
    FCGIWrapper /var/www/php-fcgi-scripts/web4/.php-fcgi-starter .php
    Options +ExecCGI
    AllowOverride All
    Order allow,deny
    Allow from all
    </Directory>

    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
    AssignUserId web4 client1
    </IfModule>

    <IfModule mod_dav_fs.c>
    # DO NOT REMOVE THE COMMENTS!
    # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
    # WEBDAV BEGIN
    # WEBDAV END
    </IfModule>


    </VirtualHost>


    As additional information, here are the apache/php packages installed on Lenny:

    web:~# dpkg -l|egrep 'apache|php|sue'
    ii apache2-doc 2.2.9-10+lenny8 Apache HTTP Server documentation
    ii apache2-mpm-prefork 2.2.9-10+lenny8 Apache HTTP Server - traditional non-threaded model
    ii apache2-suexec 2.2.9-10+lenny8 Standard suexec program for Apache 2 mod_suexec
    ii apache2-utils 2.2.9-10+lenny8 utility programs for webservers
    ii apache2.2-common 2.2.9-10+lenny8 Apache HTTP Server common files
    ii libapache2-mod-fcgid 1:2.2-1 an alternative module compat with mod_fastcgi
    ii libapache2-mod-php5 5.2.6.dfsg.1-1+lenny9 server-side, HTML-embedded scripting language (Apache 2 module
    ii libapache2-mod-suphp 0.6.2-3 Apache2 module to run php scripts with the owner permissions
    ii php-auth 1.6.1-1 PHP PEAR modules for creating an authentication system
    ii php-pear 5.2.6.dfsg.1-1+lenny9 PEAR - PHP Extension and Application Repository
    ii php5 5.2.6.dfsg.1-1+lenny9 server-side, HTML-embedded scripting language (metapackage)
    ii php5-cgi 5.2.6.dfsg.1-1+lenny9 server-side, HTML-embedded scripting language (CGI binary)
    ii php5-cli 5.2.6.dfsg.1-1+lenny9 command-line interpreter for the php5 scripting language
    ii php5-common 5.2.6.dfsg.1-1+lenny9 Common files for packages built from the php5 source
    ii php5-curl 5.2.6.dfsg.1-1+lenny9 CURL module for php5
    ii php5-gd 5.2.6.dfsg.1-1+lenny9 GD module for php5
    ii php5-imagick 2.1.1RC1-1 ImageMagick module for php5
    ii php5-imap 5.2.6.dfsg.1-1+lenny9 IMAP module for php5
    ii php5-mcrypt 5.2.6.dfsg.1-1+lenny9 MCrypt module for php5
    ii php5-mysql 5.2.6.dfsg.1-1+lenny9 MySQL module for php5
    ii suphp-common 0.6.2-3 Common files for mod suphp


    Thanks again!
     
    filipealvarez, Jan 4, 2011
    #4
  5. till

    till Super Moderator

    The vhsot config looks fine. Please post the output of this command:

    grep web4 /etc/passwd
     
    till, Jan 4, 2011
    #5
  6. filipealvarez

    filipealvarez New Member

    Till, here is the output:

    web:~# grep web4 /etc/passwd
    web4:x:5004:5005::/var/www/clients/client1/web4:/bin/false

    /etc/group
    vmail:x:5000:
    getmail:x:5001:
    sshusers:x:5002:web4
    ispapps:x:5003:www-data
    ispconfig:x:5004:www-data
    client1:x:5005:www-data

    Anything strange?

    Thanks
     
    Last edited: Jan 4, 2011
    filipealvarez, Jan 4, 2011
    #6
  7. filipealvarez

    filipealvarez New Member

    Till, I FOUND the problem, the debian package apache2-suexec-custom was missing!

    I simply do this:

    apt-get install apache2-suexec-custom

    Restart the apache and the repeating the tests I got this output:

    # id
    uid=5004(web4) gid=5005(client1) groups=5002(sshusers),5005(client1)

    And the ps aux:

    web4 9058 0.0 0.0 168312 13280 ? S 21:11 0:00 /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web4/web:/var/www/clients/client1/web4/tmp:/var/www/new.compreauto.com.br/web:/srv/www/new.compreauto.com.br/web:/usr/share/php5:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin -d upload_tmp_dir=/var/www/clients/client1/web4/tmp -d session.save_path=/var/www/clients/client1/web4/tmp

    I search in the how to ( http://www.howtoforge.com/perfect-server-debian-lenny-ispconfig3-p4 ) and the line refering a apache/php install is:

    apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libapache2-mod-ruby

    Just apache2-suexec was installed, so I think that tip maybe util for Debian 5.0.7 users in general!

    But I feel other difference between ispconfig in Debian 5 than Ubuntu 8.0.4, the user web4 in Ubuntu keep's into the home directory (/var/www/clients/client1/, he cannot listen / or /tmp for example.)

    Do you know a tip to fix that?

    Is horrible to know that a malicious php script can list the /var/www/clients.

    Thanks and I again, the original problem is SOLVED, I expose the second problem in this thread just because I consider a bit related
     
    filipealvarez, Jan 5, 2011
    #7
  8. filipealvarez

    filipealvarez New Member

    All problems are SOLVED, remember to use aways the latest packages with apt-get!

    Thanks Till!
     
    filipealvarez, Jan 7, 2011
    #8

Share This Page