suexec does not work...

Hi there, I’ve just set up a CentOS 5.4 machine with Virtualmin GPL (what a breeze as for e-mail setup!!!) and so I’ve got Apache installed, with PHP running in FastCGI mode with suexec wrapper.

suexec seems ok, but as a matter of fact, apache always runs as apache:apache, resulting in files and folders created with that user:group settings, which renders them difficult to read/edit through FTP, and other applications have trouble running…

Could someone help ?
Pleeeaaase ! This is really annoying
Thanks in advance !!!

Here are the versions :

Name : httpd
Arch : x86_64
Epoch : 1
Version : 2.2.3
Release : 22.el5.1vm

Name : php
Arch : x86_64
Version : 5.2.10
Release : 1.el5.centos

Here’s Apache build info :

[code]/usr/sbin/httpd -V

Server version: Apache/2.2.3
Server built: Jun 18 2009 17:10:28
Server's Module Magic Number: 20051115:3
Server loaded: APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture: 64-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="logs/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
[/code]

Here’s suexec config :

[code]/usr/sbin/suexec -V

-D AP_DOC_ROOT="/home"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/httpd/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX="public_html"
[/code]

Here is the relevant part of httpd.conf :
LoadModule suexec_module modules/mod_suexec.so
(so I guess it loads!)

Here is a sample config from a vhost :

[code]SuexecUserGroup "#501" "#501"
ServerName blah.tld
ServerAlias webmail.blah.tld
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.blah.tld
RewriteRule ^(.*) http://blah2.tld/webmail/ [R]
DocumentRoot "/var/www/html"
DirectoryIndex index.html index.htm index.php
Alias /webmail /usr/share/squirrelmail/
[/code]

Everything is up-to-date and no errors occurred at install time…
Please help !!!

Howdy,

It doesn’t look like you have a wrapper script setup to get calls to PHP to actually run via fcgid or cgi… which probably means that mod_php is executing them (and doing so as the apache user, as you’re seeing).

You can read through this forum topic here to get a feel for how you’d setup the wrapper script to handle PHP/fcgid requests:

http://www.virtualmin.com/node/8462

You’ll note that there’s some manual configuration to be done in getting all that ready.

The good news is that the next Virtualmin release, version 3.78, will include a built-in way of handling all that on the GPL version.

-Eric

Thanks Eric, but it doesn’t seem to work either.

So, here’s what I did :

  1. Modify VirtualHost

[code]<VirtualHost 94.23.212.51:80>
SuexecUserGroup "#524" "#523"
ServerName guzabi.net
ServerAlias www.guzabi.net
ServerAlias webmail.guzabi.net
ServerAlias admin.guzabi.net
ServerAlias guzabi.com
ServerAlias www.guzabi.com

DocumentRoot /home/guzabi/public_html

    AddHandler fcgid-script .php5
    FCGIWrapper /home/guzabi/fcgi-bin/php5.fcgi .php

(blah…)[/code]

  2. Create the wrapper file :
  • Create fcgi-bin folder in /home/guzabi
  • Paste the script for php5.fcgi (found here : http://www.virtualmin.com/node/8462)
  • Chown and chmod everything correctly (user ok, perms at 755)
  3. Check PHP is fcgi-ready :

[code]# /usr/bin/php -v
PHP 5.2.10 (cli) (built: Nov 13 2009 11:44:05)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
[/code]

But it does not work, though. Apache is still executing as apache:apache. I just see it by looking at cache files that are created when I visit the website. I delete them, re-launch apache, then visit the site, then check them and they are still owned by apache:apache.

I’ve dug a little, though, and found this in my /var/log/httpd/suexec.log :

[code][2010-04-20 16:11:43]: uid: (548/dinarditeam) gid: (547/547) cmd: php
[2010-04-20 16:11:43]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:43]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: wrapper_b.png
[2010-04-20 16:11:43]: file has no execute permission: (/home/nettoyage-entreprise/public_html/templates/yoo_tweety/images/wrapper_b.png)
[2010-04-20 16:11:46]: uid: (510/crisnee) gid: (509/509) cmd: php
[2010-04-20 16:11:46]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:46]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: module_wrapped_shadow_b.png
[2010-04-20 16:11:46]: file has no execute permission: (/home/nettoyage-entreprise/public_html/templates/yoo_tweety/images/module_wrapped_shadow_b.png)
[2010-04-20 16:11:46]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: template.css
[2010-04-20 16:11:46]: file has no execute permission: (/home/nettoyage-entreprise/public_html/templates/yoo_tweety/css/template.css)
[2010-04-20 16:11:47]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: clouds-layout.css
[2010-04-20 16:11:47]: file has no execute permission: (/home/nettoyage-entreprise/public_html/templates/yoo_tweety/css/clouds/clouds-layout.css)
[2010-04-20 16:11:47]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: newsletter.css
[2010-04-20 16:11:47]: file has no execute permission: (/home/nettoyage-entreprise/public_html/modules/mod_ccnewsletter/assets/newsletter.css)
[2010-04-20 16:11:48]: uid: (515/norjan) gid: (514/514) cmd: php
[2010-04-20 16:11:48]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:48]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: php
[2010-04-20 16:11:48]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:48]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: php
[2010-04-20 16:11:48]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:49]: uid: (510/crisnee) gid: (509/509) cmd: php
[2010-04-20 16:11:49]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:49]: uid: (516/styl-nature) gid: (515/515) cmd: php
[2010-04-20 16:11:49]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:53]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: php
[2010-04-20 16:11:53]: command not in docroot (/usr/bin/php)
[/code]

Does this point you to something else ?
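
The suexec.log excerpt in the post above pairs each request line (uid, gid, cmd) with the reason suexec refused it. As an added example that is not part of the original thread, this Python sketch groups such rejections by user and reason; the sample lines and the users alice and bob are constructed, and it assumes the lines of one request are adjacent in the log.

```python
import re
from collections import Counter

# Constructed sample in the suexec.log format quoted above (hypothetical users).
SAMPLE_LOG = """\
[2010-04-20 16:11:43]: uid: (548/alice) gid: (547/547) cmd: php
[2010-04-20 16:11:43]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:43]: uid: (534/bob) gid: (533/533) cmd: wrapper_b.png
[2010-04-20 16:11:43]: file has no execute permission: (/home/bob/public_html/images/wrapper_b.png)
[2010-04-20 16:11:46]: uid: (548/alice) gid: (547/547) cmd: php5.fcgi
[2010-04-20 16:11:47]: uid: (534/bob) gid: (533/533) cmd: php
[2010-04-20 16:11:47]: command not in docroot (/usr/bin/php)
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\]: (?P<msg>.*)$")
REQUEST = re.compile(r"^uid: \((?P<uid>\d+)/(?P<user>[^)]*)\) gid: \((?P<gid>\d+)/[^)]*\) cmd: (?P<cmd>.+)$")
TRAILING_PATH = re.compile(r":? \([^()]*\)$")  # e.g. " (/usr/bin/php)"

def triage(log_text):
    """Pair each request line with the rejection line that follows it, if any."""
    results, pending = [], None
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        request = REQUEST.match(entry["msg"])
        if request:
            if pending:  # previous request had no rejection line after it
                results.append(pending)
            pending = {**request.groupdict(), "ts": entry["ts"], "reason": None}
        elif pending:
            # Keep the reason text, drop the path in parentheses at the end.
            pending["reason"] = TRAILING_PATH.sub("", entry["msg"])
            results.append(pending)
            pending = None
    if pending:
        results.append(pending)
    return results

def rejections_by_user(results):
    """Count rejected requests per (user, reason)."""
    return Counter((r["user"], r["reason"]) for r in results if r["reason"])

if __name__ == "__main__":
    for (user, reason), n in rejections_by_user(triage(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {user:10s} {reason}")
```
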

Ahh, I see… the VirtualHost you’re working with has a DocumentRoot in /var/www… whereas, suexec expects everything to be in /home.

Try creating a new Virtual Server, which will be created in /home, and setup your website in there… that should do the trick for you :slight_smile:

-Eric

Well, sorry but no…

DocumentRoot for that VHOST is /home/guzabi/public_html
(that’s default Virtualmin setting, btw)

[edit] well, it really is /home/username/public_html. My first post is wrong. Sorry ! [/edit]

and suexec docroot is /home [edit] This one at least was right… [/edit]

I might have found something.

First, I noticed that the errors in the suexec.log I had noticed were old and probably dated back to a period where I was experimenting to try and get things working. No new errors appeared, so I guess this is a dead lead.

However, digging into Apache conf files, I found this :

[code]# cat /etc/httpd/conf.d/fcgid.conf

# This is the Apache server configuration file for providing FastCGI support
# through mod_fcgid
#
# Documentation is available at http://fastcgi.coremail.cn/doc.htm

LoadModule fcgid_module modules/mod_fcgid.so

# Use FastCGI to process .fcg .fcgi & .fpl scripts
# Don't do this if mod_fastcgi is present, as it will try to do the same thing
<IfModule !mod_fastcgi.c>
AddHandler fcgid-script fcg fcgi fpl
</IfModule>

# Sane place to put sockets and shared memory file
SocketPath run/mod_fcgid
SharememPath run/fcgid_shm
[/code]

This one seems ok, but see this :

[code]# cat /etc/httpd/conf.d/php.conf

# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.

LoadModule php5_module modules/libphp5.so

# Cause the PHP interpreter to handle files with a .php extension.
AddHandler php5-script .php
AddType text/html .php

# Add index.php to the list of files that will be served as directory
# indexes.
DirectoryIndex index.php

# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#AddType application/x-httpd-php-source .phps
[/code]

What ? Handler for PHP files is php5-script directly? How come ?!

How do I write a correct handler that would use fcgid to handle PHP files, and take suexec settings ?

Please, please help…

I’ll try and review all that in a bit, though I’m not quite sure what the problem is… but as a reminder, as soon as the new Virtualmin version releases here shortly, this problem will all go away since it’s handled automatically in that version :slight_smile:

-Eric

Great. But do you have a time frame for that eagerly awaited new version ?
Thanks…

Sorry, all I know is “soon”. Joe is working on packaging it up now, I’m not sure how long it’ll take.

-Eric

Okay, here’s the trick : Suexec does NOT work in Virtualmin 2.77 on CentOS 5.4.

Here’s what I did :

  • Install a fresh CentOS 5.4 (on a virtual machine, but it’s a regular CentOS, no tricks)

  • Install (full automatic) Virtualmin on that server

  • Create a server (not the default Apache VHost, a regular server just as if it was a client of mine)

  • Create a PHP script that does fopen(), fwrite() and fclose()

  • Check the created file : tadaaaa, it’s owned by apache:apache.

So please, there clearly is a serious bug in here. I can post an issue report if needed, but most of all I desperately need this to work because I have lots of websites that are not working because of this!

Thanks in advance for any help. I can post anything if asked for.

As planned, solved by updating to 3.78.
Thanks for your help anyway :slight_smile:

Find the fcgid configurations with this command:

 /usr/lib/apache2/suexec -V

-D AP_DOC_ROOT="/var/www"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="www-data"
-D AP_LOG_EXEC="/var/log/apache2/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=100
-D AP_USERDIR_SUFFIX="public_html"

The wrapper must be written in the directory: AP_DOC_ROOT to be accessed and run.
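
A pre-flight check built on the `suexec -V` values quoted in this thread, as an added example rather than code from the thread or from Apache: it tests a wrapper path and target uid/gid against the compiled-in AP_DOC_ROOT, AP_UID_MIN and AP_GID_MIN. The function names are hypothetical, and the ownership and permission checks that suexec also performs on disk are outside its scope.

```python
import posixpath
import re

# `suexec -V` output as quoted in the first post of this thread (CentOS build).
CENTOS_SUEXEC_V = """
 -D AP_DOC_ROOT="/home"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"
"""

def parse_suexec_v(text):
    """Turn the '-D NAME=value' lines printed by `suexec -V` into a dict."""
    settings = {}
    for name, value in re.findall(r'-D\s+(\w+)=("[^"]*"|\S+)', text):
        value = value.strip('"')
        settings[name] = int(value) if value.isdigit() else value
    return settings

def is_under(path, root):
    """True if path is inside root, compared by whole components (/home2 is not under /home)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path != root and posixpath.commonpath([path, root]) == root

def precheck(settings, wrapper, uid, gid):
    """List the compile-time limits a (wrapper, uid, gid) request would violate.

    Path and id limits only: symlinks are not resolved, userdir (~user) requests
    are not modelled, and on-disk ownership and permissions are not examined.
    """
    problems = []
    if not is_under(wrapper, settings["AP_DOC_ROOT"]):
        problems.append(f"{wrapper} is outside AP_DOC_ROOT={settings['AP_DOC_ROOT']}")
    if uid < settings["AP_UID_MIN"]:
        problems.append(f"uid {uid} is below AP_UID_MIN={settings['AP_UID_MIN']}")
    if gid < settings["AP_GID_MIN"]:
        problems.append(f"gid {gid} is below AP_GID_MIN={settings['AP_GID_MIN']}")
    return problems

if __name__ == "__main__":
    build = parse_suexec_v(CENTOS_SUEXEC_V)
    # uid/gid 524/523 are the SuexecUserGroup values from the vhost in the thread.
    for target in ("/usr/bin/php", "/home/guzabi/fcgi-bin/php5.fcgi"):
        print(target, "->", precheck(build, target, 524, 523) or "passes these limits")
```

Run it with the output of `suexec -V` from the server in question, since the two builds quoted in this thread differ in AP_DOC_ROOT and AP_UID_MIN.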