Hi there, I’ve just set up a CentOS 5.4 machine with Virtualmin GPL (what a breeze as for e-mail setup!!!) and so I’ve got Apache installed, with PHP running in FastCGI mode with suexec wrapper.
suexec seems ok, but as a matter of fact, apache always runs as apache:apache, resulting in files and folders created with that user:group settings, which renders them difficult to read/edit through FTP, and other applications have trouble running…
Could someone help ?
Pleeeaaase ! This is really annoying
Thanks in advance !!!
Here are the versions :
Name : httpd
Arch : x86_64
Epoch : 1
Version : 2.2.3
Release : 22.el5.1vm
Name : php
Arch : x86_64
Version : 5.2.10
Release : 1.el5.centos
Here’s Apache build info :
/usr/sbin/httpd -V
Server version: Apache/2.2.3
Server built: Jun 18 2009 17:10:28
Server's Module Magic Number: 20051115:3
Server loaded: APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture: 64-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with…
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="logs/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
It doesn’t look like you have a wrapper script set up to get calls to PHP to actually run via fcgid or cgi… which probably means that mod_php is executing them (and doing so as the apache user, as you’re seeing).
You can read through this forum topic here to get a feel for how you’d set up the wrapper script to handle PHP/fcgid requests:
Chown and chmod everything correctly (user ok, perms at 755)
Check PHP is fcgi-ready :
# /usr/bin/php -v
PHP 5.2.10 (cli) (built: Nov 13 2009 11:44:05)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
But it does not work, though. Apache is still executing as apache:apache. I just see it by looking at cache files that are created when I visit the website. I delete them, re-launch apache, then visit the site, then check them and they are still owned by apache:apache.
I’ve dug a little, though, and found this in my /var/log/httpd/suexec.log :
[2010-04-20 16:11:43]: uid: (548/dinarditeam) gid: (547/547) cmd: php
[2010-04-20 16:11:43]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:43]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: wrapper_b.png
[2010-04-20 16:11:43]: file has no execute permission: (/home/nettoyage-entreprise/public_html/templates/yoo_tweety/images/wrapper_b.png)
[2010-04-20 16:11:46]: uid: (510/crisnee) gid: (509/509) cmd: php
[2010-04-20 16:11:46]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:46]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: module_wrapped_shadow_b.png
[2010-04-20 16:11:46]: file has no execute permission: (/home/nettoyage-entreprise/public_html/templates/yoo_tweety/images/module_wrapped_shadow_b.png)
[2010-04-20 16:11:46]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: template.css
[2010-04-20 16:11:46]: file has no execute permission: (/home/nettoyage-entreprise/public_html/templates/yoo_tweety/css/template.css)
[2010-04-20 16:11:47]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: clouds-layout.css
[2010-04-20 16:11:47]: file has no execute permission: (/home/nettoyage-entreprise/public_html/templates/yoo_tweety/css/clouds/clouds-layout.css)
[2010-04-20 16:11:47]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: newsletter.css
[2010-04-20 16:11:47]: file has no execute permission: (/home/nettoyage-entreprise/public_html/modules/mod_ccnewsletter/assets/newsletter.css)
[2010-04-20 16:11:48]: uid: (515/norjan) gid: (514/514) cmd: php
[2010-04-20 16:11:48]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:48]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: php
[2010-04-20 16:11:48]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:48]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: php
[2010-04-20 16:11:48]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:49]: uid: (510/crisnee) gid: (509/509) cmd: php
[2010-04-20 16:11:49]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:49]: uid: (516/styl-nature) gid: (515/515) cmd: php
[2010-04-20 16:11:49]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:53]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: php
[2010-04-20 16:11:53]: command not in docroot (/usr/bin/php)
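An added example (not part of the original posts): a small Python parser for the suexec.log format shown in the excerpt above, pairing each request line with the error line that follows it and counting rejections per user and reason. The first four sample lines are copied from the excerpt; the fifth line and the `wrapper.fcgi` name are constructed, and the parser assumes each error line directly follows its request line.

```python
import re
from collections import Counter

# Lines 1-4 are copied from the excerpt above; line 5 is constructed to show
# a request with no error line after it ("wrapper.fcgi" is a made-up name).
SAMPLE_LOG = """\
[2010-04-20 16:11:43]: uid: (548/dinarditeam) gid: (547/547) cmd: php
[2010-04-20 16:11:43]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:43]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: wrapper_b.png
[2010-04-20 16:11:43]: file has no execute permission: (/home/nettoyage-entreprise/public_html/templates/yoo_tweety/images/wrapper_b.png)
[2010-04-20 16:12:10]: uid: (510/crisnee) gid: (509/509) cmd: wrapper.fcgi
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]: (?P<msg>.*)$")
REQUEST = re.compile(
    r"^uid: \((?P<uid>\d+)/(?P<user>[^)]+)\) "
    r"gid: \((?P<gid>\d+)/(?P<group>[^)]+)\) cmd: (?P<cmd>.+)$"
)
# Matches both "reason (path)" and "reason: (path)" error lines.
ERROR = re.compile(r"^(?P<reason>.*?):? \((?P<path>/[^)]*)\)$")


def parse_suexec_log(text):
    """Return one dict per request; 'reason' stays None if no error line follows.

    Assumes each error line directly follows its request line, as in the excerpt.
    """
    events, pending = [], None
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        req = REQUEST.match(line["msg"])
        if req:
            pending = {"ts": line["ts"], **req.groupdict(), "reason": None, "path": None}
            events.append(pending)
        elif pending is not None and pending["reason"] is None:
            err = ERROR.match(line["msg"])
            pending["reason"] = err["reason"] if err else line["msg"]
            pending["path"] = err["path"] if err else None
    return events


def rejections_by_user(events):
    """Count rejected requests per (user, reason)."""
    return Counter((e["user"], e["reason"]) for e in events if e["reason"])


if __name__ == "__main__":
    for (user, reason), n in sorted(rejections_by_user(parse_suexec_log(SAMPLE_LOG)).items()):
        print(f"{user:25} {n:3}  {reason}")
```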
First, I noticed that the errors in the suexec.log I had noticed were old and probably dated back to a period where I was experimenting to try and get things working. No new errors appeared, so I guess this is a dead lead.
However, digging into Apache conf files, I found this :
[code]# cat /etc/httpd/conf.d/fcgid.conf
This is the Apache server configuration file for providing FastCGI support
I’ll try and review all that in a bit, though I’m not quite sure what the problem is… but as a reminder, as soon as the new Virtualmin version releases here shortly, this problem will all go away since it’s handled automatically in that version
Okay, here’s the trick : Suexec does NOT work in Virtualmin 2.77 on CentOS 5.4.
Here’s what I did :
Install a fresh CentOS 5.4 (on a virtual machine, but it’s a regular CentOS, no tricks)
Install (full automatic) Virtualmin on that server
Create a server (not the default Apache VHost, a regular server just as if it was a client of mine)
Create a PHP script that does fopen(), fwrite() and fclose()
Check the created file : tadaaaa, it’s owned by apache:apache.
So please, there clearly is a serious bug in here. I can post an issue report if needed, but most of all I desperately need this to work because I have lots of websites that are not working because of this!
Thanks in advance for any help. I can post anything if asked for.