Cannot get cgi-bin to run other than as apache

hello -

an odd issue is showing up for me.

i create a new RL Google-VM, install latest-n-greatest virtualmin:

sh -c "$(curl -fsSL  https://download.virtualmin.com/virtualmin-install; )"  \
                                         --                                  \
                                         --bundle LAMP                       \
                                         --branch   stable                   \
                                         --hostname host.edwardsmark.info    \
                                         --yes                               \
                                                                             ;

then create a VS with just the DNS for domain and apache website options and access it. i get the standard Virtualmin default index.html file displaying normally.

then i test it like so:

<?php
 echo  get_current_user();
 echo '<br />';
 echo 'whoim = '.exec('/bin/whoami');
 echo '<br />';
 phpinfo();
 ?>

this displays my correct new VS name.

finally i created a very simple cgi script to try and isolate the problem:

#! /bin/sh
printf "content-type: text/plain\n\n" ;
date;
whoami;

this shows that the user is apache and not the new VS username.

any suggestions what i might be doing wrong?

if it helps, here is my httpd.conf that was created by virtualmin:

<VirtualHost *:80>
    ServerName zzyzx.com
    ServerAlias www.zzyzx.com
    ServerAlias mail.zzyzx.com
    ServerAlias webmail.zzyzx.com
    ServerAlias admin.zzyzx.com
    DocumentRoot /home/zzyzx/public_html
    ErrorLog /var/log/virtualmin/zzyzx.com_error_log
    CustomLog /var/log/virtualmin/zzyzx.com_access_log combined
    ScriptAlias /cgi-bin/ /home/zzyzx/cgi-bin/
    DirectoryIndex index.php index.htm index.html
    <Directory /home/zzyzx/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    <Directory /home/zzyzx/cgi-bin>
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    ProxyPass /.well-known !
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.zzyzx.com
    RewriteRule ^/(?!\.well-known)(.*)$ https://zzyzx.com:20000/ [R=301,L]
    RewriteCond %{HTTP_HOST} =admin.zzyzx.com
    RewriteRule ^/(?!\.well-known)(.*)$ https://zzyzx.com:10000/ [R=301,L]
    RemoveHandler .php
    RemoveHandler .php8.3
    <FilesMatch \.php$>
        SetHandler proxy:unix:/run/php-fpm/177439884821910.sock|fcgi://127.0.0.1
    </FilesMatch>
</VirtualHost>
<VirtualHost *:443>
    ServerName zzyzx.com
    ServerAlias www.zzyzx.com
    ServerAlias mail.zzyzx.com
    ServerAlias webmail.zzyzx.com
    ServerAlias admin.zzyzx.com
    DocumentRoot /home/zzyzx/public_html
    ErrorLog /var/log/virtualmin/zzyzx.com_error_log
    CustomLog /var/log/virtualmin/zzyzx.com_access_log combined
    ScriptAlias /cgi-bin/ /home/zzyzx/cgi-bin/
    DirectoryIndex index.php index.htm index.html
    <Directory /home/zzyzx/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    <Directory /home/zzyzx/cgi-bin>
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    ProxyPass /.well-known !
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.zzyzx.com
    RewriteRule ^/(?!\.well-known)(.*)$ https://zzyzx.com:20000/ [R=301,L]
    RewriteCond %{HTTP_HOST} =admin.zzyzx.com
    <FilesMatch \.php$>
        SetHandler proxy:unix:/run/php-fpm/177439884821910.sock|fcgi://127.0.0.1
    </FilesMatch>
    RewriteRule ^/(?!\.well-known)(.*)$ https://zzyzx.com:10000/ [R=301,L]
    RemoveHandler .php
    RemoveHandler .php8.3
    SSLEngine on
    SSLCertificateFile /etc/ssl/virtualmin/177439884821910/ssl.combined
    SSLCertificateKeyFile /etc/ssl/virtualmin/177439884821910/ssl.key
    SSLProtocol

SYSTEM INFORMATION
OS type and version: RL 10.1
Webmin version: 2.621
Virtualmin version: 8.1.0 GPL
Webserver version: Apache/2.4.63
Related packages: SUGGESTED

If it runs as the Apache user, it means you have installed mod_php. Which you should never do.

joe - at what point could i have installed mod_php? all i did was run:

sh -c "$(curl -fsSL  https://download.virtualmin.com/virtualmin-install; )"  \
                                         --                                  \
                                         --bundle LAMP                       \
                                         --branch   stable                   \
                                         --hostname host.edwardsmark.info    \
                                         --yes                               \
                                                                             ;

is there an option here that installs mod_php?

this is a new Rocky 10.1 vm.

i did try adding:

SuexecUserGroup  zzyzx zzyzx

but that did not fix it, surprisingly.

dnf list installed | grep mod_php; does not show mod_php installed.

No. It’s impossible to make our installer install mod_php, because it is never correct to install it.

I would assume it was installed via some other mechanism.

Show us:

rpm -qa | grep php

Suexec is not an option on EL, as we no longer build a custom Apache package. If you’re running CGI or something else that needs “suexec”, it would be done via fcgiwrap. But, that’s not involved in the default PHP execution mode of PHP-FPM. FPM has its own config files, where the user gets specified.

# rpm -qa | grep php
php-common-8.3.29-1.el10_1.x86_64
php-pdo-8.3.29-1.el10_1.x86_64
php-opcache-8.3.29-1.el10_1.x86_64
php-gd-8.3.29-1.el10_1.x86_64
php-xml-8.3.29-1.el10_1.x86_64
php-fpm-8.3.29-1.el10_1.x86_64
php-mysqlnd-8.3.29-1.el10_1.x86_64
php-cli-8.3.29-1.el10_1.x86_64
php-mbstring-8.3.29-1.el10_1.x86_64

Suexec was something i saw on the apache website documentation that i tried out of desperation.

Hmmm, so no mod_php. So, I think you’ve stumped me.

What’s in the PHP-FPM configuration for that domain? (In /etc/php-fpm.d/<domainid>.conf)

# ls  -ltr  /etc/php-fpm.d/177439884821910.conf
-rw-r--r--. 1 root root 420 Mar 25 00:34 /etc/php-fpm.d/177439884821910.conf
# cat  /etc/php-fpm.d/177439884821910.conf
[177439884821910]
user = zzyzx
group = zzyzx
listen.owner = zzyzx
listen.group = zzyzx
listen.mode = 0660
listen = /run/php-fpm/177439884821910.sock
pm = dynamic
pm.max_children = 11
pm.start_servers = 3
pm.min_spare_servers = 2
pm.max_spare_servers = 4
php_value[upload_tmp_dir] = /home/zzyzx/tmp
php_value[session.save_path] = /home/zzyzx/tmp
php_value[error_log] = /home/zzyzx/logs/php_log
php_value[log_errors] = On

dumb question: the php stuff is correctly showing the user. it's the cgi script that continues to show apache. should we be looking more closely at any cgi reference?

this problem is pretty easy to reproduce. i can write a small bash script to simulate the problem from scratch if necessary.

before i forget, THANK YOU JOE!

Oh, shit. I thought we were talking about PHP. I completely missed that there are two different scripts.

CGI does not use SuExec on EL, because SuExec requires recompilation to allow a docroot in /home.

You have to use fcgiwrap for CGI scripts, if you want them to run as the domain owner user. Virtualmin supports this configuration, AFAIK. Is it not installed?


thanks to Joe pointing me in the right direction, I was able to get this to work:

virtualmin modify-web --all-domains --enable-fcgiwrap ; ## should this be the default?

or just go into Web-Configuration–>Website-Options and change the default:
cgi scripts disabled
to
FCGIwrap server

is this the correct approach?? fortunately it does not appear to interfere with php at all.

(note of interest: it appears the modify-web command cannot be reversed. in other words, if cgi was originally working running under ‘apache’, we cannot return to that run mode except maybe going into the vs config file and removing the last_cgimode= line.)

here is the modified script i was running on a new RL-10 installation:


sh -c "$(curl -fsSL  https://download.virtualmin.com/virtualmin-install; )"  \
                                             --                              \
                                             --bundle LAMP                   \
                                             --branch   stable               \
                                             --hostname host.DOMAIN.com      \
                                             --yes                           \
                                                                             ;

virtualmin  create-domain --domain  zzyzx.com    --dir --unix  --dns  --web --ssl --pass zzyzx ;

virtualmin modify-web    --all-domains   --enable-fcgiwrap ;  ## can this ever be the default?


### make sure we are the correct user:
cat <<'END' > /home/zzyzx/cgi-bin/perlCgiWhoIsUser.pl ;
#!/usr/bin/perl -w
#
use strict;
use warnings;
#
print "Content-type:text/html\r\n\r\n";
## $> is the effective uid of the running process
print 'CGI User: ' .  getpwuid($>) ;

1;
END

chmod  --verbose  755              /home/zzyzx/cgi-bin/perlCgiWhoIsUser.pl  ;
chown  --verbose  zzyzx:zzyzx      /home/zzyzx/cgi-bin/perlCgiWhoIsUser.pl  ;
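
A way to verify the outcome discussed in this thread, as an added example that is not part of any poster's script or of Virtualmin: a CGI that compares the UID it actually runs under with the numeric owner of its own file and of the cgi-bin directory, so a shared web-server account shows up as a mismatch. The function names and the file name are hypothetical; it assumes the server passes the standard CGI variables GATEWAY_INTERFACE and SCRIPT_FILENAME.

```shell
#!/bin/sh
# Added example: CGI identity check (hypothetical file name: whoami-check.cgi).
# Compares the UID the script runs under with the numeric owner of a path,
# so a shared web-server account (e.g. apache) shows up as a mismatch.

# Print the numeric owner UID of a file or directory.
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# Print "match" or "mismatch" for path $1 against effective UID $2
# (defaults to the UID of the current process).
check_cgi_identity() {
    path=$1
    euid=${2:-$(id -u)}
    if [ "$(owner_uid "$path")" = "$euid" ]; then
        echo "match"
    else
        echo "mismatch"
    fi
}

# Build the plain-text report for script path $1.
identity_report() {
    script=$1
    dir=$(dirname "$script")
    echo "effective uid: $(id -u)"
    echo "script owner uid: $(owner_uid "$script") ($(check_cgi_identity "$script"))"
    echo "cgi-bin owner uid: $(owner_uid "$dir") ($(check_cgi_identity "$dir"))"
}

# Only answer as CGI when the web server invoked us.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    printf 'Content-Type: text/plain\r\n\r\n'
    identity_report "${SCRIPT_FILENAME:-$0}"
fi
```

Installed in a domain's cgi-bin with the same mode and ownership as the Perl script above, it reports "mismatch" while CGI still runs as the web-server account and "match" once scripts run as the domain owner.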