Setting PHP running as domain owner (CGI or FCGI) has no effect (RESOLVED!)

Hi,

I cannot create or delete files in my user’s public_html directory which is 0750. I can see in WinSCP that it belongs to the very same user and group as the FCGI user (according to the panel).
I tried changing the execution mode to Apache and CGI, and always got the same error message in the log:
mkdir(): Permission denied in /home/atla…

Here’s my Apache configuration:

<VirtualHost MY.IP.ADDRESS.IS:80>
SuexecUserGroup "#1013" "#1006"
ServerName atlantica.domain.com
ServerAlias www.atlantica.domain.com
DocumentRoot /home/atlantica.domain.com/public_html
ErrorLog /var/log/virtualmin/atlantica.domain.com_error_log
CustomLog /var/log/virtualmin/atlantica.domain.com_access_log combined
ScriptAlias /cgi-bin/ /home/atlantica.domain.com/cgi-bin/
ScriptAlias /awstats/ /home/atlantica.domain.com/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/atlantica.domain.com/public_html>
Options -Indexes +IncludesNOEXEC +FollowSymLinks +ExecCGI
allow from all
AllowOverride All
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
FCGIWrapper /home/atlantica.domain.com/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/atlantica.domain.com/fcgi-bin/php5.fcgi .php5
</Directory>
<Directory /home/atlantica.domain.com/cgi-bin>
allow from all
</Directory>
<Files awstats.pl>
AuthName "atlantica.domain.com statistics"
AuthType Basic
AuthUserFile /home/atlantica.domain.com/.awstats-htpasswd
require valid-user
</Files>
PerlRequire /etc/webmin/virtualmin-google-analytics/apachemod.pl
PerlOutputFilterHandler Virtualmin::GoogleAnalytics
RemoveHandler .php
RemoveHandler .php5
IPCCommTimeout 31
FcgidMaxRequestLen 1073741824
</VirtualHost>

If someone could help that would be great!

Thanks.

SOLUTION:
In /etc/apache2/mods-available/php5_cgi, I had this:

# This file replaces old system MIME types and sets them only in the
# Apache webserver

# application/x-httpd-php phtml pht php
# application/x-httpd-php3 php3
# application/x-httpd-php4 php4
# application/x-httpd-php5 php
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
# application/x-httpd-php-source phps
<FilesMatch ".+\.phps$">
    SetHandler application/x-httpd-php-source
    # Deny access to raw php sources by default
    # To re-enable it's recommended to enable access to the files
    # only in specific virtual host or directory
    Order Deny,Allow
    Deny from all
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# To enable PHP CGI site-wide, just uncomment following lines, however
# as a security measure, it's recommended to enable PHP just in the
# specific virtual servers or just specific directories

#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
#<Directory "/usr/lib/cgi-bin">
#    AllowOverride None
#    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
#    Order allow,deny
#    Allow from all
#</Directory>
#Action application/x-httpd-php /cgi-bin/php5

Once I commented the 2 lines SetHandler application/x-httpd-php, the issue was fixed :slight_smile:
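
The check implied by the SOLUTION above, as an added example that is not part of the original post: it lists every uncommented SetHandler line that still hands PHP to mod_php, across all module configs rather than php5.conf alone. The function names and the Debian-style mods-enabled directory are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report uncommented SetHandler lines that
# hand PHP to mod_php. Scanning a Debian-style mods-enabled dir is an assumption.

# Prints "file:line: directive" per hit; returns 0 if any hit, 1 if none.
find_active_php_handlers() {
    conf_dir=$1
    rc=1
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue          # also true for symlinks to files
        hits=$(awk '
            /^[ \t]*#/ { next }          # commented-out directive: ignore
            tolower($1) == "sethandler" && tolower($2) ~ /application\/x-httpd-php/ {
                printf "%s:%d: %s %s\n", FILENAME, FNR, $1, $2
            }' "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            rc=0
        fi
    done
    return "$rc"
}

# Constructed sample: php5.conf with the handler commented out, php5_cgi.conf
# with it still active (the situation described in the SOLUTION above).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/php5.conf" <<'EOF'
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    # SetHandler application/x-httpd-php
</FilesMatch>
EOF
    cat > "$d/php5_cgi.conf" <<'EOF'
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>
EOF
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
find_active_php_handlers "$sample" || echo "no active mod_php handler found"
rm -rf "$sample"
```

On a live server the function would be pointed at the directory Apache actually includes, for example /etc/apache2/mods-enabled; any hit there means PHP can still be served by mod_php as www-data despite the FCGId setting.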

How exactly and as which user are you trying to create the directory?

Through <?php mkdir('mydir'); ?>
public_html belongs to user 1013, part of the same name’s group 1006, which is the same user and group as seen in Virtualmin > atlantica.domain.com > Configure Website > User and Group

Can you double-check that the PHP script is executed in FCGId mode? Otherwise, if it’s executed through Apache’s mod_php, the webserver has no write permission on the public_html.

Triple-checked

In Virtualmin interface > Server configuration > Website options:
Run CGI scripts as domain owner? YES
PHP script execution mode FCGId

Howdy,

What if you log into your server as the Virtual Server owner over SSH or FTP – can you create a directory within the public_html folder?

I know you said public_html was owned by that user, this is just a troubleshooting step in case something weird is going on :slight_smile:

Also, you mentioned that your PHP script is using this:

mkdir('mydir')

Is that an absolute, or relative path?

Just to rule out some sort of relative path confusion, I’d suggest using a full absolute path there. Ie, something like this:

mkdir('/home/atlantica.domain.com/public_html/foo')

Does that make any difference?

-Eric

Hi Eric, and thanks for your answer.

Actually, although Virtualmin tells me that PHP will be executed as FCGI on this domain, I tried my script after changing the CHMOD to 0777. It worked, the directory got created, but… owned by www-data!

So actually my question is now different: what on a system can prevent enabling the FCGI (or CGI) setting in Virtualmin? (Actually, I can enable it; it just has no effect.)

Thanks!

Hmm, if I recall correctly, there was some issue with FCGId setup a number of Virtualmin versions back. Something had to be changed in an Apache config file for FCGId to become effective. I’ll dig a bit and report back.

EDIT: Check out your file /etc/apache2/mods-available/php5.conf. The SetHandler directives in there need to be commented out with a “#” character. If they are not, PHP will be served by mod_php and not FCGId, no matter what you configure in Virtualmin.

Thanks for your answer!

This is the content of php5.conf. SetHandler was already commented… :frowning:

<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    # SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
    # SetHandler application/x-httpd-php-source
    # Deny access to raw php sources by default
    # To re-enable it's recommended to enable access to the files
    # only in specific virtual host or directory
    Order Deny,Allow
    Deny from all
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# Running PHP scripts in user directories is disabled by default
#
# To re-enable PHP in user directories comment the following lines
# (from <IfModule …> to </IfModule>.) Do NOT set it to On as it
# prevents .htaccess files from disabling it.
<IfModule mod_userdir.c>
    <Directory /home/*/public_html>
        php_admin_value engine Off
    </Directory>
</IfModule>

As a troubleshooting step, you could always try disabling mod_php in Apache.

To do that, you can run:

a2dismod php5

And then restart Apache:

/etc/init.d/apache2 restart

Later, to re-enable it (if you need it), you can run:

a2enmod php5

I’m curious if disabling mod_php allows the script to run normally.

-Eric

Just tried it, I get to download the PHP file!

I just updated the Apache config in the question.
Can anyone check if there’s nothing abnormal?

That sounds like it is completely ignoring the handler settings in the VirtualHost configuration. Are you seeing any errors in Apache’s error log?

Also, out of curiosity, do you have the same problem when using “CGI” mode rather than FCGID?

And is there by chance a .htaccess file in either “/home/atlantica.domain.com” or “/home/atlantica.domain.com/public_html”?

If so, you may want to temporarily remove it, as the contents of a .htaccess file could override PHP execution settings such as this.

-Eric

No error in Apache log. Only when I try to create the directory without the adequate permissions.

I have the exact same problem with CGI.

I deleted the .htaccess (which just contained Rewrite directives) and nothing changed (the dir is created by www-data).

Very odd. I have no explanation for that without taking a look at things myself. The only quick (but undesirable due to effects on security) fix I can see is turning mod_php back on, switching the site to use it, and changing the permissions of public_html to 770.

Now I have updated to 0.96, the new version, which states:

"The following new features are available in Virtualmin 3.96.gpl …

PHP and symlink security fixes
For virtual servers using CGI or fcgid mode for executing PHP, mod_php mode is now forcibly disabled to prevent potential security issues. This is also done for all domains at installation time.
Also, all existing virtual servers using the FollowSymLinks option will be converted to SymLinksifOwnerMatch, to protect against malicious links into other domain’s directories."

Well, suddenly all my virtual servers executing as FCGId (about 50) have stopped working, and are serving directly the content of the PHP file! I had to manually change them to mod_php, which will bring ownership problems. I really need to resolve this (new) issue…

Hmm, well, it sounds like something was already out of the ordinary to begin with, and it’s possible the new changes in the Apache are causing that to be even more awry.

The only two changes it would have made to your Apache config are:

  1. It would have added this line:

     php_admin_value engine Off

  2. It would have changed the option “FollowSymlinks” to “SymLinksIfOwnerMatch”.

You could try changing those back for one of your Virtual Servers to see which is causing the problem you’re seeing. However, those shouldn’t cause any problems in most circumstances.

-Eric

Same problem over here after the update to Virtualmin 3.96.gpl.

All www.domain.com/phpmyadmin and www.domain.com/webmail sites running on fcgid are down. The www.domain.com works well over here.

For virtual servers using CGI or fcgid mode for executing PHP, mod_php mode is now forcibly disabled to prevent potential security issues.

How can we turn this (feature?) back to the old situation?