Error 500 on virtual servers with FCGId (run as virtual server owner)

rogeriobrito · January 4, 2012, 10:07pm

Hello all,

I have many domains on my virtuamin box, most of them running with FCGId (run as virtual server owner), and Joomla.
Today, a few servers started to fail with an error 500. Checking the error log I have:
[Wed Jan 04 19:48:21 2012] [warn] (104)Connection reset by peer: mod_fcgid: read data from fastcgi server error.
[Wed Jan 04 19:48:21 2012] [error] [client 186.204.132.148] Premature end of script headers: index.php

Changing the “PHP script execution mode” to Apache mod_php (run as Apache’s user), solved the problem for the moment. If I change back to FCGId I get the error 500 again.

What can I do fix it? It is best to run PHP with FCGId, right?

Thanks
Rogerio

rogeriobrito · January 4, 2012, 10:52pm

On my suexec.log I see:

[2012-01-04 20:32:27]: uid: (1184/gtogintercambiomaster) gid: (630/630) cmd: php5.fcgi
[2012-01-04 20:32:27]: directory is writable by others: (/home/gtogintercambiomaster/fcgi-bin)

I’ve chmoded 744 /home/gtogintercambiomaster/fcgi-bin, but it still doesn’t work.

Please help

rogeriobrito · January 4, 2012, 11:58pm

chmod 755 on the fcgi-bin did work.

So I run on the /home directory:

find ./ -type d -name "fcgi-bin" -print0 | xargs -0 chmod 755

That made the sites online again.
But I still need to fix the other directories permissions. How do I do that?

Thanks

rogeriobrito · January 5, 2012, 12:14am

I guess I know what might have happend… it seems chmod 775 * -R was run on the /home directory.
For example, i have another folder like this:

[root@linux03 frutalmaster]# pwd
/home/frutalmaster
[root@linux03 frutalmaster]# ls -la
total 237528
drwxrwxr-x  20 frutalmaster               frutalmaster      4096 Jan  4 09:38 .
drwxrwxr-x 149 root                       root              4096 Jan  4 20:50 ..
-rwxrwxr-x   1 frutalmaster               frutalmaster       326 Dec 28 19:06 .bash_history
-rwxrwxr-x   1 frutalmaster               frutalmaster        33 Jun  1  2010 .bash_logout
-rwxrwxr-x   1 frutalmaster               frutalmaster       176 Jun  1  2010 .bash_profile
-rwxrwxr-x   1 frutalmaster               frutalmaster       124 Jun  1  2010 .bashrc
drwxrwxr-x   2 frutalmaster               frutalmaster      4096 Aug  1 17:17 Cemei_1
drwxrwxr-x   2 frutalmaster               frutalmaster      4096 Aug  1 17:16 Cemei_2
drwxrwxr-x   2 frutalmaster               frutalmaster      4096 Aug  1 17:16 Cemei_3
drwxrwxr-x   2 frutalmaster               frutalmaster      4096 Aug  1 17:15 Cemei_4
drwxrwxr-x   2 frutalmaster               frutalmaster      4096 Aug  1 17:14 Cemei_5
drwxrwxr-x   2 frutalmaster               frutalmaster      4096 Jun  1  2010 cgi-bin
drwxrwxr-x  14 ftpfrutal@frutal.mg.gov.br frutalmaster      4096 Jun 23  2010 eneide
drwxrwxr-x   3 frutalmaster               frutalmaster      4096 Jun  1  2010 etc
drwxrwxr-x   2 frutalmaster               frutalmaster      4096 Dec 14 19:32 Eventos site  - Sete de Setembro
-rwxrwxr-x   1 frutalmaster               frutalmaster 242871587 Sep 20  2010 Eventos site  - Sete de Setembro.zip
drwxrwxr-x   2 frutalmaster               frutalmaster      4096 Jun  1  2010 fcgi-bin
drwxrwxr-x  71 frutalmaster               frutalmaster      4096 Oct 31 13:41 homes
drwxrwxr-x   2 frutalmaster               frutalmaster      4096 Jun  1  2010 logs
drwxrwxr-x   2 frutalmaster               frutalmaster      4096 Jun 22  2011 loteamento_waldemar1
drwxrwxr-x  23 frutalmaster               frutalmaster      4096 Dec 28 14:27 public_html
drwxrwxr-x   2 frutalmaster               frutalmaster     12288 Aug  1 17:21 Sec_Educacao
drwxrwxr-x   2 frutalmaster               frutalmaster      4096 Sep 20  2010 Sete de Setembro - Desfile
-rwxrwxr-x   1 frutalmaster               frutalmaster        27 Sep 19 18:28 .stats-htpasswd
drwxrwxr-x   2 frutalmaster               frutalmaster      4096 Jan  3 16:44 tmp
drwxrwxr-x   3 frutalmaster               frutalmaster      4096 Jun  1  2010 .usermin
[root@linux03 frutalmaster]#

I’ve just created a new virtualserver to see how the default permissions are, and I got.

[root@linux03 brincabrasilmaster]# cd /home/portfolio
[root@linux03 portfolio]# ls -la
total 56
drwxr-x---  10 portfolio portfolio 4096 Jan  4 16:28 .
drwxrwxr-x 150 root      root      4096 Jan  4 16:28 ..
-rw-r--r--   1 portfolio portfolio   33 Jan  4 16:28 .bash_logout
-rw-r--r--   1 portfolio portfolio  176 Jan  4 16:28 .bash_profile
-rw-r--r--   1 portfolio portfolio  124 Jan  4 16:28 .bashrc
drwxr-x---   2 portfolio portfolio 4096 Jan  4 16:28 cgi-bin
drwxr-xr-x   3 portfolio portfolio 4096 Jan  4 16:28 etc
drwxr-xr-x   2 portfolio portfolio 4096 Jan  4 16:28 fcgi-bin
drwxr-xr-x   2 portfolio portfolio 4096 Jan  4 16:28 homes
drwxr-x---   2 portfolio portfolio 4096 Jan  4 16:28 logs
drwxr-x---   2 portfolio portfolio 4096 Jan  4 16:28 public_html
drwxr-x---   2 portfolio portfolio 4096 Jan  4 16:28 tmp
drwx------   3 portfolio portfolio 4096 Jan  4 16:28 .usermin
[root@linux03 portfolio]#

So the question, is there a way or script to fix file/folder permissions on each virtualserver?

Thanks

Eric · January 5, 2012, 1:18am

Howdy,

Well, having 755 permissions on your directories should be good.

What is it you’re looking to tweak exactly?

-Eric

rogeriobrito · January 5, 2012, 1:58am

Hi Eric,

The problem is “chmod 775 * -R” was run on the /home directory. So every folder and file for all virtual severs now has 775 permissions, except the fcgi-bin folders that I changed to 755 to put the websites back online.
I’m concerned about security. I can’t leave the permissions like that, can I?

Thanks
Rogerio

Eric · January 5, 2012, 4:18am

Well, it would be difficult to fix all the files/directories in that hierarchy – but what you could do is go into /home, and set all the directories there to “700”. That would make it so that, regardless of what the files/directories under there are set to, folks who shouldn’t be able to view them wouldn’t have access.

-Eric

rogeriobrito · January 9, 2012, 10:41pm

Ok Eric, I’ve done that.
Thanks a lot.

Rogerio

bitpt · January 9, 2012, 11:06pm

With FCGID all dirs need 755 and files 644.

Dirs without php files doesn’t matter can be 777 or whatever you need.

Change all permissions for folders from 777 to 755
execute in shell:
find /home//public_html -type d -exec chmod 755 {} ;
Change all permissions for files from 666 to 644
find /home//public_html -type f -exec chmod 644 {} ;

another problem is .htaccess clean all php_value and php_flag
find /home -type f -name ‘.htaccess’ -exec grep -Hrn ‘php_value’ ‘{}’ ; find /home -type f -name ‘.htaccess’ -exec grep -Hrn ‘php_flag’ ‘{}’ ;

Check your php.conf
If you have fileuploader, by default FCGI only upload 100k, need changes in
FcgidMaxRequestLen 5120000
5 M in this case

rogeriobrito · January 11, 2012, 12:34pm

Excellent bitpt, thank you very much.