httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 49439] Bug in mod_userdir which prevents suexec from running
Date Fri, 16 Jul 2010 02:11:10 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=49439

--- Comment #6 from Witold Baryluk <baryluk@smp.if.uj.edu.pl> 2010-07-15 22:11:07 EDT ---
(In reply to comment #5)
> thanks for the patch. i installed it on centos v5.5, apache v2.2, and php
> v5.2.13. i restarted apache and still get 500 error. my PHP is using fast cgi.

The configuration is quite complicated; this is how I make it work on my
system:

I have apache2 configured with mod_userdir + mod_suexec + mod_fcgid (for
running php5-cgi in my case).

On Debian I do:

server# apt-get install apache2 apache2-suexec libapache2-mod-fcgid php5-cgi
server# a2enmod actions suexec userdir fcgid

Be sure to disable mod_php or even uninstall it from the system.
server# a2dismod php

Then I edited /etc/apache2/sites-available/default and ADDED this at the
end:

    SuexecUserGroup www-data www-data
    <Directory /var/www>
        Action php-fcgi /fcgi-bin/php-fcgi-wrapper
    </Directory>
    <Directory /home/*/public_html/>
        AllowOverride FileInfo AuthConfig Limit
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        Order allow,deny
        Allow from all
    </Directory>
    ScriptAliasMatch ^/~([^/]*)/fcgi-bin/(.*) /home/$1/public_html/fcgi-bin/$2
    <Directory /home/*/public_html/fcgi-bin>
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        SetHandler fcgid-script
        Order allow,deny
        Allow from all
    </Directory>

server# cat /etc/apache2/conf.d/php-fcgid.conf
  <IfModule !mod_php4.c>
  <IfModule !mod_php4_filter.c>
  <IfModule !mod_php5.c>
  <IfModule !mod_php5_filter.c>
  <IfModule !mod_php5_hooks.c>
  <IfModule mod_actions.c>
  <IfModule mod_alias.c>
  <IfModule mod_mime.c>
  <IfModule mod_fcgid.c>
    # Path to php.ini – defaults to /etc/phpX/cgi
    DefaultInitEnv PHPRC=/etc/php5/cgi

    # Number of PHP childs that will be launched. Leave undefined to let PHP decide.
    #DefaultInitEnv PHP_FCGI_CHILDREN 3

    # Maximum requests before a process is stopped and a new one is launched
    #DefaultInitEnv PHP_FCGI_MAX_REQUESTS 5000

    # Define a new handler "php-fcgi" for ".php" files, plus the action that must follow
    AddHandler php-fcgi .php
    Action php-fcgi /fcgi-bin/php-fcgi-wrapper

    # Define the MIME-Type for ".php" files
    AddType application/x-httpd-php .php

    # Define alias "/fcgi-bin/". The action above is using this value, which means that
    # you could run another "php5-cgi" command by just changing this alias
    #Alias /fcgi-bin/ /var/www/fcgi-bin.d/php5-default/

    # Turn on the fcgid-script handler for all files within the alias "/fcgi-bin/"
    <Location /fcgi-bin/>
        SetHandler fcgid-script
        Options +ExecCGI
    </Location>
  </IfModule>
  </IfModule>
  </IfModule>
  </IfModule>
  </IfModule>
  </IfModule>
  </IfModule>
  </IfModule>
  </IfModule>

server# cat /home/baryluk/public_html/test.php
  <?php
  system("whoami");
  echo "<br/>";
  echo "<br/>";
  system("id");
  echo "<br/>";
  echo "<br/>";
  phpinfo();
  ?>
server# cat /home/baryluk/public_html/.htaccess
  Action php-fcgi /~baryluk/fcgi-bin/php-fcgi-wrapper
server# cat /home/baryluk/public_html/fcgi-bin/php-fcgi-wrapper
  #!/bin/sh
  exec /usr/bin/php5-cgi
server# chmod +x /home/baryluk/public_html/fcgi-bin/php-fcgi-wrapper
server# chown -R baryluk:users /home/baryluk/public_html
server# /etc/init.d/apache2 restart



In http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528062#20 you can find
attachments which can simplify the setup.


This setup on a stock Apache server, when visiting
http://localhost/~baryluk/test.php, works, but shows "www-data". After applying
the patch, it shows baryluk, as expected.

I'm using apache2-mpm-worker 2.2.15-5 package and libapache2-mod-fcgid
1:2.3.5-2, php5-cgi 5.3.2-1.


Apache will run one process as the "root" user and a few workers as
"www-data". It will also spawn fcgi processes using suexec when accessing user fcgi
scripts, including php in userdirs, if configured as above. Static files in the
userdir will still be served as the "www-data" user, so be sure that the public_html
directory and its contents are readable, also when php scripts create some
files; I have an ACL for this:

server# getfacl home/baryluk
# file: home/baryluk
# owner: baryluk
# group: users
user::rwx
group::---
group:www-data:--x
mask::--x
other::---

server# getfacl home/baryluk/public_html
# file: home/baryluk/public_html
# owner: baryluk
# group: users
user::rwx
group::---
group:www-data:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:www-data:r-x
default:mask::r-x
default:other::---
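The ACL layout above gives the web-server group traverse-only access to the home directory and read-only access to public_html (inherited by files the suexec'd PHP creates). The following is an added example, not code from the bug report, that parses the two getfacl listings quoted in the comment and checks that the effective permissions (after applying the mask entry) still match that layout; the finding strings and the function names are this example's own.

```python
# Constructed input (added example, not from the bug report): the two getfacl listings quoted above.
HOME_ACL = """# file: home/baryluk
user::rwx
group::---
group:www-data:--x
mask::--x
other::---"""
PUBLIC_HTML_ACL = """user::rwx
group::---
group:www-data:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:www-data:r-x
default:mask::r-x
default:other::---"""

def parse_getfacl(text):
    """Map (is_default, tag, qualifier) -> 'rwx'; '#' header lines are skipped."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        is_default = line.startswith("default:")
        tag, qualifier, perms = (line[8:] if is_default else line).split(":")
        acl[(is_default, tag, qualifier)] = perms
    return acl

def effective(acl, tag, qualifier="", default=False):
    """Granted bits: named users/groups and the owning group are cut down by mask::."""
    perms = acl.get((default, tag, qualifier), "---")
    if tag == "group" or (tag == "user" and qualifier):
        mask = acl.get((default, "mask", ""), "rwx")
        perms = "".join(p if p == m else "-" for p, m in zip(perms, mask))
    return perms

def audit_userdir_acls(home_text, pub_text, web_group="www-data"):
    home, pub = parse_getfacl(home_text), parse_getfacl(pub_text)
    findings = []
    if effective(home, "group", web_group) != "--x":  # traverse only, no listing
        findings.append(f"{web_group} needs exactly --x on the home directory")
    for default, what in ((False, "public_html"), (True, "new files in public_html")):
        p = effective(pub, "group", web_group, default)
        if "w" in p:
            findings.append(f"{web_group} can write {what}")
        if "r" not in p:
            findings.append(f"{web_group} cannot read {what}")
    return findings
```

An empty result means the listings match the intended layout; run it against your own `getfacl` output when the 500 errors turn out to be permission problems rather than the suexec patch.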
