suexec does not work...

#1 Tue, 04/20/2010 - 01:49
guzabi

Hi there, I've just set up a CentOS 5.4 machine with Virtualmin GPL (what a breeze as for e-mail setup!!!) and so I've got Apache installed, with PHP running in FastCGI mode with suexec wrapper.

suexec seems ok, but as a matter of fact, apache always runs as apache:apache, resulting in files and folders created with that user:group settings, which renders them difficult to read/edit through FTP, and other applications have trouble running...

Could someone help ? Pleeeaaase ! This is really annoying
Thanks in advance !!!

Here are the versions :

Name : httpd
Arch : x86_64
Epoch : 1
Version : 2.2.3
Release : 22.el5.1vm

Name : php
Arch : x86_64
Version : 5.2.10
Release : 1.el5.centos

Here's Apache build info :
# /usr/sbin/httpd -V
Server version: Apache/2.2.3
Server built: Jun 18 2009 17:10:28
Server's Module Magic Number: 20051115:3
Server loaded: APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture: 64-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="logs/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Here's suexec config :
# /usr/sbin/suexec -V
-D AP_DOC_ROOT="/home"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/httpd/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX="public_html"

Here are the relevant part of httpd.conf :
LoadModule suexec_module modules/mod_suexec.so
(so I guess it loads!)

Here is a sample config from a vhost :
<VirtualHost x.x.x.x:80>
SuexecUserGroup "#501" "#501"
ServerName blah.tld
ServerAlias webmail. blah.tld
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail. blah.tld
RewriteRule ^(.*) http://blah2.tld/webmail/ [R]
DocumentRoot "/var/www/html"
DirectoryIndex index.html index.htm index.php
Alias /webmail /usr/share/squirrelmail/
</VirtualHost>

Everything is up-to-date and no errors occurred at install time... Please help !!!

Tue, 04/20/2010 - 08:50
andreychek

Howdy,

It doesn't look like you have a wrapper script set up to get calls to PHP to actually run via fcgid or cgi... which probably means that mod_php is executing them (and doing so as the apache user, as you're seeing).

You can read through this forum topic here to get a feel for how you'd set up the wrapper script to handle PHP/fcgid requests:

http://www.virtualmin.com/node/8462

You'll note that there's some manual configuration to be done in getting all that ready.

The good news is that the next Virtualmin release, version 3.78, will include a built-in way of handling all that on the GPL version.

-Eric

Tue, 04/20/2010 - 09:46 (Reply to #2)
guzabi

Thanks Eric, but it doesn't seem to work either.

So, here's what I did :

  1. Modify VirtualHost
<VirtualHost 94.23.212.51:80>
        SuexecUserGroup "#524" "#523"  
        ServerName guzabi.net
        ServerAlias www.guzabi.net
        ServerAlias webmail.guzabi.net
        ServerAlias admin.guzabi.net
        ServerAlias guzabi.com
        ServerAlias www.guzabi.com
 
    DocumentRoot /home/guzabi/public_html
 
        AddHandler fcgid-script .php5
        FCGIWrapper /home/guzabi/fcgi-bin/php5.fcgi .php
 
(blah...)

  2. Create the wrapper file :

- Create fcgi-bin folder in /home/guzabi
- Paste the script for php5.fcgi (found here : http://www.virtualmin.com/node/8462)
- Chown and chmod everything correctly (user ok, perms at 755)

  3. Check PHP is fcgi-ready :
# /usr/bin/php -v
PHP 5.2.10 (cli) (built: Nov 13 2009 11:44:05) 
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

But it does not work, though. Apache is still executing as apache:apache. I just see it by looking at cache files that are created when I visit the website. I delete them, re-launch apache, then visit the site, then check them and they are still owned by apache:apache.

I've dug a little, though, and found this in my /var/log/httpd/suexec.log :

[2010-04-20 16:11:43]: uid: (548/dinarditeam) gid: (547/547) cmd: php
[2010-04-20 16:11:43]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:43]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: wrapper_b.png
[2010-04-20 16:11:43]: file has no execute permission: (/home/nettoyage-entreprise/public_html/templates/yoo_tweety/images/wrapper_b.png)
[2010-04-20 16:11:46]: uid: (510/crisnee) gid: (509/509) cmd: php
[2010-04-20 16:11:46]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:46]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: module_wrapped_shadow_b.png
[2010-04-20 16:11:46]: file has no execute permission: (/home/nettoyage-entreprise/public_html/templates/yoo_tweety/images/module_wrapped_shadow_b.png)
[2010-04-20 16:11:46]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: template.css
[2010-04-20 16:11:46]: file has no execute permission: (/home/nettoyage-entreprise/public_html/templates/yoo_tweety/css/template.css)
[2010-04-20 16:11:47]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: clouds-layout.css
[2010-04-20 16:11:47]: file has no execute permission: (/home/nettoyage-entreprise/public_html/templates/yoo_tweety/css/clouds/clouds-layout.css)
[2010-04-20 16:11:47]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: newsletter.css
[2010-04-20 16:11:47]: file has no execute permission: (/home/nettoyage-entreprise/public_html/modules/mod_ccnewsletter/assets/newsletter.css)
[2010-04-20 16:11:48]: uid: (515/norjan) gid: (514/514) cmd: php
[2010-04-20 16:11:48]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:48]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: php
[2010-04-20 16:11:48]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:48]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: php
[2010-04-20 16:11:48]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:49]: uid: (510/crisnee) gid: (509/509) cmd: php
[2010-04-20 16:11:49]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:49]: uid: (516/styl-nature) gid: (515/515) cmd: php
[2010-04-20 16:11:49]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:53]: uid: (534/nettoyage-entreprise) gid: (533/533) cmd: php
[2010-04-20 16:11:53]: command not in docroot (/usr/bin/php)

Does this point you to something else ?
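
A log like the one in the post above is easier to read once rejections are grouped by user and reason. The following is an added example, not part of the original thread: it pairs each `uid:` request line with the verdict line that follows it, and the sample lines and user names are constructed.

```sh
#!/bin/sh
# Added example: tally suexec rejections per user and reason.

# Constructed sample in the suexec.log format shown in the post (users are made up).
sample_log() {
cat <<'EOF'
[2010-04-20 16:11:43]: uid: (601/alice) gid: (601/601) cmd: php
[2010-04-20 16:11:43]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:44]: uid: (602/bob) gid: (602/602) cmd: style.css
[2010-04-20 16:11:44]: file has no execute permission: (/home/bob/public_html/style.css)
[2010-04-20 16:11:45]: uid: (601/alice) gid: (601/601) cmd: php
[2010-04-20 16:11:45]: command not in docroot (/usr/bin/php)
[2010-04-20 16:11:46]: uid: (602/bob) gid: (602/602) cmd: php5.fcgi
[2010-04-20 16:11:47]: uid: (602/bob) gid: (602/602) cmd: php
[2010-04-20 16:11:47]: command not in docroot (/usr/bin/php)
EOF
}

# summarize_suexec_log [FILE]: prints "COUNT UID/USER REASON", most frequent first.
# A request line with no verdict after it was accepted and is not counted.
summarize_suexec_log() {
    awk '
    index($0, "]: uid: (") {            # request line: remember who asked
        who = substr($0, index($0, "uid: (") + 6)
        who = substr(who, 1, index(who, ")") - 1)
        next
    }
    who != "" {                         # verdict for the remembered request
        why = substr($0, index($0, "]: ") + 3)
        cut = index(why, " (")          # drop the trailing "(path)"
        if (cut) why = substr(why, 1, cut - 1)
        sub(/:$/, "", why)
        seen[who " " why]++
        who = ""
    }
    END { for (k in seen) print seen[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Stand-alone run: summarize the constructed sample.
sample_log | summarize_suexec_log
```

On a real server, pass the path from `AP_LOG_EXEC` (here `/var/log/httpd/suexec.log`) as the argument. "file has no execute permission" entries for `.css` or `.png` files show static content being handed to suexec, which points at an over-broad handler mapping.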

Tue, 04/20/2010 - 09:51
andreychek

Ahh, I see... the VirtualHost you're working with has a DocumentRoot in /var/www... whereas, suexec expects everything to be in /home.

Try creating a new Virtual Server, which will be created in /home, and set up your website in there... that should do the trick for you :-)

-Eric

Tue, 04/20/2010 - 16:22 (Reply to #4)
guzabi

Well, sorry but no...

DocumentRoot for that VHOST is /home/guzabi/public_html (that's default Virtualmin setting, btw)

[edit] well, it really is /home/username/public_html. My first post is wrong. Sorry ! [/edit]

and suexec docroot is /home [edit] This one at least was right... [/edit]

Thu, 04/22/2010 - 07:54
guzabi

I might have found something.

First, I noticed that the errors in the suexec.log I had noticed were old and probably dated back to a period where I was experimenting to try and get things working. No new errors appeared, so I guess this is a dead lead.

However, digging into Apache conf files, I found this :

# cat /etc/httpd/conf.d/fcgid.conf 
 
 
# This is the Apache server configuration file for providing FastCGI support
# through mod_fcgid
#
# Documentation is available at http://fastcgi.coremail.cn/doc.htm
 
LoadModule fcgid_module modules/mod_fcgid.so
 
# Use FastCGI to process .fcg .fcgi & .fpl scripts
# Don't do this if mod_fastcgi is present, as it will try to do the same thing
<IfModule !mod_fastcgi.c>
    AddHandler fcgid-script fcg fcgi fpl
</IfModule>
 
# Sane place to put sockets and shared memory file
SocketPath run/mod_fcgid
SharememPath run/fcgid_shm

This one seems ok, but see this :

# cat /etc/httpd/conf.d/php.conf
 
 
#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
 
LoadModule php5_module modules/libphp5.so
 
#
# Cause the PHP interpreter to handle files with a .php extension.
#
AddHandler php5-script .php
AddType text/html .php
 
#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php
 
#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps

What ? Handler for PHP files is php5-script directly? How come ?!

How do I write a correct handler that would use fcgid to handle PHP files, and take suexec settings ?

Please, please help...

Thu, 04/22/2010 - 12:59
andreychek

I'll try and review all that in a bit, though I'm not quite sure what the problem is... but as a reminder, as soon as the new Virtualmin version releases here shortly, this problem will all go away since it's handled automatically in that version :-)

-Eric

Thu, 04/22/2010 - 13:18 (Reply to #7)
guzabi

Great. But do you have a time frame for that eagerly awaited new version ? Thanks...

Thu, 04/22/2010 - 13:20
andreychek

Sorry, all I know is "soon". Joe is working on packaging it up now, I'm not sure how long it'll take.

-Eric

Sun, 04/25/2010 - 15:04
guzabi

Okay, here's the trick : Suexec does NOT work in Virtualmin 2.77 on CentOS 5.4.

Here's what I did :

  • Install a fresh CentOS 5.4 (on a virtual machine, but it's a regular CentOS, no tricks)

  • Install (full automatic) Virtualmin on that server

  • Create a server (not the default Apache VHost, a regular server just as if it was a client of mine)

  • Create a PHP script that does fopen(), fwrite() and fclose()

  • Check the created file : tadaaaa, it's owned by apache:apache.

So please, there clearly is a serious bug in here. I can post an issue report if needed, but most of all I desperately need this to work because I have lots of websites that are not working because of this!

Thanks in advance for any help. I can post anything if asked for.

Sun, 05/02/2010 - 04:42
guzabi

As planned, solved by updating to 3.78. Thanks for your help anyway :-)

Wed, 05/08/2013 - 12:50
ppostma1

Find the fcgid configurations with this command:

 /usr/lib/apache2/suexec -V

-D AP_DOC_ROOT="/var/www"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="www-data"
-D AP_LOG_EXEC="/var/log/apache2/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=100
-D AP_USERDIR_SUFFIX="public_html"

The wrapper must be written in the directory: AP_DOC_ROOT to be accessed and run.
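
Being inside AP_DOC_ROOT is one of several conditions suexec checks before it runs a wrapper. The script below is an added example, not code from the thread or from Virtualmin: it tests a wrapper file against a subset of suexec's documented rules, defaulting to the AP_* values from the first post's `suexec -V` output. The function name `check_suexec_target` is hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight a wrapper against a subset of suexec's rules.
# Defaults are the `suexec -V` values from the first post; override via environment.
: "${AP_DOC_ROOT:=/home}" "${AP_UID_MIN:=500}" "${AP_GID_MIN:=100}"

# check_suexec_target PATH UID GID (hypothetical name): prints one FAIL line
# per violated rule and returns 0 only when no rule is violated.
check_suexec_target() {
    path=$1 uid=$2 gid=$3 rc=0
    fail() { echo "FAIL: $*"; rc=1; }
    [ -f "$path" ] || { fail "$path is not a regular file"; return 1; }
    [ "$uid" -ge "$AP_UID_MIN" ] || fail "uid $uid below AP_UID_MIN=$AP_UID_MIN"
    [ "$gid" -ge "$AP_GID_MIN" ] || fail "gid $gid below AP_GID_MIN=$AP_GID_MIN"

    # Compare physical paths so a symlink cannot fake docroot membership.
    root=$(cd "$AP_DOC_ROOT" 2>/dev/null && pwd -P) || root=$AP_DOC_ROOT
    dir=$(cd "$(dirname "$path")" && pwd -P)
    case "$dir/" in
        "$root"/*) ;;
        *) fail "command not in docroot ($dir is outside $root)" ;;
    esac

    # `ls -ldn` prints: mode, link count, numeric uid, numeric gid, ...
    set -- $(ls -ldn "$path"); fmode=$1 fuid=$3 fgid=$4
    set -- $(ls -ldn "$dir");  dmode=$1 duid=$3 dgid=$4
    [ "$fuid:$fgid" = "$uid:$gid" ] || fail "file owner $fuid:$fgid is not $uid:$gid"
    [ "$duid:$dgid" = "$uid:$gid" ] || fail "directory owner $duid:$dgid is not $uid:$gid"
    case $fmode in ???[xs]*) ;; *) fail "file has no execute permission" ;; esac
    case $fmode in ?????w*|????????w*) fail "file is writable by group or others" ;; esac
    case $fmode in ???[sS]*|??????[sS]*) fail "file is setuid or setgid" ;; esac
    case $dmode in ?????w*|????????w*) fail "directory is writable by group or others" ;; esac
    return $rc
}

# Usage with the values from the thread's second vhost:
#   sh check.sh /home/guzabi/fcgi-bin/php5.fcgi 524 523
if [ $# -eq 3 ]; then check_suexec_target "$@"; fi
```

No output and exit status 0 mean the wrapper passed every check in this subset; anything suexec still rejects appears in the file named by AP_LOG_EXEC.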
