httpd-users mailing list archives

From Makroh...@gmx.net
Subject [users@httpd] unexpected behaviour of suexec dissolving users / uid
Date Wed, 20 Aug 2008 14:28:09 GMT
Hello List.

I'm trying to set up multiple web-applications on a debian etch operating system using apache2
in combination with mod_fcgid and suexec. The versions are the  ones contained in the up-to-date
debian etch distribution. I used apt to install all components.

Each application (=vhost) should run under a distinct user. The apache user and script users
should have read-only access to the files. The script users (borki, mapserver and mapbender)
have no homedir and no shell for security reasons. The user 'sysadmin' which is not used by
any script is the human admin that may log in via ssh and maintain the application. He should
be the only one with write permissions.

The vhost on Port 80 is running some php scripts, that's working fine (but suexec.log shows
an unexpected uid. A whois.php shows the expected user as defined in the vhost section).
Port 81 executes a CGI program without problems, too (81 executes no php, for that it has
no wrapper, a vhost.cgi shows the correct user, suexec.log shows an unexpected uid, again).
The problem lies in the vhost on Port 82. This one should be configured identically to the
80 vhost, to run php scripts.
Here I came across a weird problem: suexec states users that do not appear in my config files.
I tried playing around with permissions and SuexecUserGroup directives, without success so far.

It would be great if someone could have a look at my configuration and logs, maybe there is
an obvious, simple error. Please tell me if you are missing some information or if I should
perform some more tests. It's very unlikely that I might have found a bug, but if an experienced
user thinks that this might be the case, please say so, too. If the described behaviour
is the expected behaviour, please inform me what I got wrong.

I have read all docs that I have found and tried to understand them. Anyhow, I'm quite a newbie,
so the problem could be caused by anything from a typo up to a lack of basic understanding.
I did my best to solve this case, but I'm really stuck here. Any help is appreciated, even
RTFM or STFW. But please tell me the resources, too, 'cause I have tried searching already.
If you see some security issues that I have overlooked, please feel free to tell me. The goal
is an as-secure-as possible server, without chrooting apache. If one application gets compromised,
the intruder should not be able to affect other applications.

Thank you in advance for taking your time!

Johannes

**************************************************************************************************************
My vhost config:

mybox:/# cat /etc/apache2/sites-available/default
#vhost1: running fine as user borki (php scripts)
NameVirtualHost *:80
<VirtualHost *:80>

        ServerAdmin support@XXX.org
        SuexecUserGroup borki borki
        DocumentRoot /var/www/borki/htdocs

        <Directory /var/www/borki/htdocs>
                Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
                AddHandler fcgid-script .php
                FCGIWrapper /var/www/borki/conf/php5-fcgid-htdocs .php
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog /var/log/apache2/borki.error.log
        LogLevel warn
        CustomLog /var/log/apache2/access.log combined
        ServerSignature Off

</VirtualHost>

# vhost2: running fine as user mapserver, has webgis group rights (cgi, no php)
NameVirtualHost *:81
<VirtualHost *:81>

        ServerAdmin support@XXX.org
        SuexecUserGroup mapserver webgis
        DocumentRoot /var/www/mapserver

        <Directory /var/www/mapserver>
                AllowOverride None
                SetHandler fcgid-script
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>


        ErrorLog /var/log/apache2/mapserver.error.log
        LogLevel warn
        CustomLog /var/log/apache2/access.log combined
        ServerSignature Off

</VirtualHost>

#vhost3 is not running, should be the same as vhost1, but with user mbweb
NameVirtualHost *:82
<VirtualHost *:82>

        ServerAdmin support@XXX.org
        # PLEASE NOTE THE USER CONFIGURED HERE
        SuexecUserGroup mbweb mbweb
        DocumentRoot /var/www/mapbender/http

        <Directory /var/www/mapserver/http>
                Options +ExecCGI +MultiViews +FollowSymLinks -Indexes
                AddHandler fcgid-script .php
                FCGIWrapper /var/www/mapbender/conf/php5-fcgid-htdocs .php
                AllowOverride None
                Order allow,deny
                Allow from all
        </Directory>


        ErrorLog /var/log/apache2/mapbender.error.log
        LogLevel warn
        CustomLog /var/log/apache2/access.log combined
        ServerSignature Off

</VirtualHost>

**************************************************************************************************************
File permissions:

mybox:/# ls -al /var/www
insgesamt 20
drwxr-xr-x  5 root      root   4096 2008-08-16 15:58 .
drwxr-xr-x 14 root      root   4096 2008-07-30 09:41 ..
drwxr-x--x  6 sysadmin  borki  4096 2008-08-12 16:09 borki
drwxr-x--x 11 sysadmin  mbweb  4096 2008-08-20 13:48 mapbender
dr-xr-xr-x  2 mapserver webgis 4096 2008-08-22 09:45 mapserver

mybox:/# ls -al /var/www/borki/
insgesamt 24
drwxr-x--x 6 sysadmin borki  4096 2008-08-12 16:09 .
drwxr-xr-x 5 root     root   4096 2008-08-16 15:58 ..
dr-xr-x--- 2 borki    borki  4096 2008-08-21 10:10 conf
drwxr-x--- 6 sysadmin borki  4096 2008-08-22 09:44 htdocs
drwxrwx--- 2 sysadmin borki  4096 2008-08-06 15:00 log
drwxr-x--- 4 sysadmin webgis 4096 2008-08-07 12:24 mapfile

mybox:/# ls -al /var/www/borki/conf/
insgesamt 56
dr-xr-x--- 2 borki    borki  4096 2008-08-21 10:10 .
drwxr-x--x 6 sysadmin borki  4096 2008-08-12 16:09 ..
-r-xr-x--- 1 borki    borki   105 2008-08-21 10:10 php5-fcgid-htdocs
-rw-r--r-- 1 root     root  42286 2008-08-21 10:01 php.ini


mybox:/# ls -al /var/www/borki/htdocs/
insgesamt 32
drwxr-x--- 6 sysadmin borki  4096 2008-08-22 09:44 .
drwxr-x--x 6 sysadmin borki  4096 2008-08-12 16:09 ..
drwxr-x--- 2 sysadmin borki  4096 2008-08-07 13:17 css
drwxr-x--- 7 sysadmin borki  4096 2008-08-12 16:47 img
drwxrwx--- 2 borki    borki 12288 2008-08-22 09:45 tmp
drwxr-x--- 2 sysadmin borki  4096 2008-08-21 15:07 www

mybox:/# ls -al /var/www/borki/htdocs/www/
insgesamt 320
drwxr-x--- 2 sysadmin borki  4096 2008-08-21 15:07 .
drwxr-x--- 6 sysadmin borki  4096 2008-08-22 09:44 ..
-rw-r----- 1 sysadmin borki 14195 2008-08-21 15:06 index.php
[...]

mybox:/# ls -al /var/www/mapserver/
insgesamt 4196
dr-xr-xr-x 2 mapserver webgis    4096 2008-08-22 09:45 .
drwxr-xr-x 5 root      root      4096 2008-08-16 15:58 ..
-r-x------ 1 mapserver webgis 4269751 2008-08-05 10:24 mapserv
-r-x------ 1 mapserver webgis     128 2008-08-21 15:10 whoami.cgi

mybox:/# ls -al /var/www/mapbender/
insgesamt 80
drwxr-x--x 11 sysadmin mbweb  4096 2008-08-20 13:48 .
drwxr-xr-x  5 root     root   4096 2008-08-16 15:58 ..
dr-xr-x---  2 mbweb    mbweb  4096 2008-08-21 10:16 conf
drwxr-x--- 14 sysadmin mbweb  4096 2008-08-22 10:40 http
drwxrwx---  2 sysadmin mbweb  4096 2008-07-11 17:43 log
[...]

mybox:/# ls -al /var/www/mapbender/conf/
insgesamt 88
dr-xr-x---  2 mbweb    mbweb  4096 2008-08-21 10:16 .
drwxr-x--x 11 sysadmin mbweb  4096 2008-08-20 13:48 ..
-r-xr-x---  1 mbweb    mbweb    79 2008-08-21 10:16 php5-fcgid-htdocs
-rw-r--r--  1 root     root  42286 2008-08-21 10:13 php.ini
[...]

mybox:/# ls -al /var/www/mapbender/http/
insgesamt 72
drwxr-x--- 14 sysadmin mbweb 4096 2008-08-22 10:40 .
drwxr-x--x 11 sysadmin mbweb 4096 2008-08-20 13:48 ..
drwxr-x---  2 sysadmin mbweb 4096 2008-07-11 17:43 css
drwxr-x--- 14 sysadmin mbweb 4096 2008-07-11 17:43 img
-rw-r-----  1 sysadmin mbweb    5 2008-08-20 13:47 test.htm
-rw-r-----  1 sysadmin mbweb   37 2008-08-22 09:52 test.php
drwxr-x---  2 sysadmin mbweb 4096 2008-07-11 17:43 tmp

**************************************************************************************************************
The php wrappers for vhost1 and vhost3:

mybox:/# cat /var/www/borki/conf/php5-fcgid-htdocs
#!/bin/sh
#PHPRC="/etc/php5/cgi/borki/"
PHPRC="/var/www/borki/conf/"
export PHPRC
exec /usr/bin/php5-cgi
mybox:/# cat /var/www/mapbender/conf/php5-fcgid-htdocs
#!/bin/sh
PHPRC="/var/www/mapbender/conf/"
export PHPRC
exec /usr/bin/php5-cgi

**************************************************************************************************************
The users:

mybox:/# cat /etc/group
[...]
wheel:x:1001:root,someuser
remote:x:1002:someuser
sysadmin:x:1003:
borki:x:1004:www-data
mapserver:x:1005:
webgis:x:1006:borki,mbweb
mbweb:x:1007:www-data

**************************************************************************************************************
What works:

http://10.42.1.27/www/ -> running fine as user borki
http://10.42.1.27:81/whoami.cgi -> running fine as user mapserver
(I verified that using whoami.php/cgi scripts)

http://10.42.1.27:82/test.htm -> shows my html (That shows that I'm on the correct server
in the correct directory)

**************************************************************************************************************
The problem and the corresponding logs:

http://10.42.1.27:82/test.htm -> Does NOT run (Apache on Browser: Service Temporarily unavailable)

suexec.log:
[2008-08-22 11:17:11]: uid: (1004/mbweb) gid: (1007/1007) cmd: test.php //1004 IS BORKI BUT I WOULD EXPECT MBWEB (1007)//
[2008-08-22 11:17:11]: target uid/gid (1004/1007) mismatch with directory (1001/1007) or program (1001/1007)

main.error.log (configured in apache2.conf):
suexec policy violation: see suexec log for more details
[Fri Aug 22 11:17:45 2008] [notice] mod_fcgid: server /var/www/mapbender/http/test.php(21037) started
[Fri Aug 22 11:17:45 2008] [notice] mod_fcgid: process /var/www/mapbender/http/test.php(21036) exit(server exited), terminated by calling exit(), return code: 120

mapbender.error.log:
[Fri Aug 22 11:19:43 2008] [warn] mod_fcgid: can't apply process slot for /var/www/mapbender/http/test.php

- Please ignore the timestamps, I reloaded the site multiple times to get the logs - 

**************************************************************************************************************
Additional info and tests, partly performed during a discussion in #apache on freenode:

When I call vhost1 (working fine as borki) suexec.log states:
[2008-08-22 13:15:11]: uid: (1002/borki) gid: (1004/1004) cmd: php5-fcgid-htdocs //1002 IS REMOTE, I WOULD EXPECT BORKI (1004)// Note that a whois.php prints out user borki

When I call vhost2 suexec.log states the following:
[2008-08-22 14:19:53]: uid: (1003/mapserver) gid: (1006/1006) cmd: mapserv //1003 IS SYSADMIN, I WOULD EXPECT MAPSERVER (1005)// Note that a whois.cgi prints out user mapserver


<helper> me: can you set mweb:mweb on test.php ?
<helper> me: for testing...

<me> test.php, ../http and ../../mapbender have owner mbweb now.
suexec.log states: uid: (1004/mbweb) gid: (1007/1007) cmd: test.php. file has no execute permission. //1004 IS BORKI, I WOULD EXPECT MBWEB (1007)//

<me> test.php is now 750 mbweb.mbweb.
suexec.log: uid: (1004/mbweb) gid: (1007/1007) cmd: test.php //1004 IS BORKI, I WOULD EXPECT MBWEB (1007)//
main.error.log (apache): suexec failure: could not open log file
fopen: Permission denied (test.php is just a simple echo, without any fopen).
mapbender.error.log (application test.php): [warn] mod_fcgid: can't apply process slot for /var/www/mapbender/http/test.php

--
makrohard

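As an added illustration of the policy messages quoted in the post (example code written for this archive page, not code from the original mail or from Apache httpd), the script below replays the ownership checks suexec performs before it executes a target and parses the "uid: (N/name) gid: (N/name) cmd: ..." request line. In that line the first number of each pair is the numeric id httpd handed to suexec, and the uid's partner is the user name that uid resolves to in /etc/passwd. Numeric uids and gids are separate namespaces, so the /etc/passwd uids used here (sysadmin 1001, borki 1002, mapserver 1003, mbweb 1004) are assumptions chosen to agree with the quoted suexec.log lines; the post shows only /etc/group. The stat data is transcribed from the ls -al listings: for the working port-80 vhost the logged cmd is the wrapper php5-fcgid-htdocs, owned borki:borki, while for port 82 the logged cmd is test.php itself (note that the <Directory> block of that vhost names /var/www/mapserver/http although its DocumentRoot is /var/www/mapbender/http, so the FCGIWrapper inside it does not cover test.php), and test.php and its directory are owned by sysadmin, which is what the mismatch message reports.

```python
"""Replay of the ownership policy suexec enforces before it executes a target.

Added example for this thread; not code from the original post or from
Apache httpd.  The /etc/passwd uids below are ASSUMED (the post quotes only
/etc/group) and are chosen to agree with the uid/name pairs in the quoted
suexec.log lines.  Stat data is transcribed from the post's `ls -al` output.
"""
import re
import stat
from dataclasses import dataclass

# Constructed name -> id tables.  Numeric uids and gids are separate
# namespaces: user "mbweb" being uid 1004 says nothing about gid 1004.
PASSWD = {"sysadmin": 1001, "borki": 1002, "mapserver": 1003, "mbweb": 1004}
GROUP = {"sysadmin": 1003, "borki": 1004, "mapserver": 1005,
         "webgis": 1006, "mbweb": 1007}


@dataclass(frozen=True)
class StatInfo:
    """Owner uid, group gid and permission bits of one path, as stat(2) reports them."""
    uid: int
    gid: int
    mode: int


def policy_violations(target_user, target_group, directory, program):
    """Return the complaints suexec would log for running program in directory.

    The checks mirror the messages quoted in the thread ("writable by others",
    "setuid or setgid", "target uid/gid ... mismatch with directory ... or
    program ...", "file has no execute permission").  An empty list means
    suexec would have gone on to execute the target.
    """
    uid, gid = PASSWD[target_user], GROUP[target_group]
    problems = []
    if directory.mode & stat.S_IWOTH:
        problems.append("directory is writable by others")
    if program.mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("file is either setuid or setgid")
    if program.mode & stat.S_IWOTH:
        problems.append("file is writable by others")
    # Both the directory and the program must be owned by the target uid AND gid.
    if (uid, gid) != (directory.uid, directory.gid) or (uid, gid) != (program.uid, program.gid):
        problems.append(
            f"target uid/gid ({uid}/{gid}) mismatch with directory "
            f"({directory.uid}/{directory.gid}) or program ({program.uid}/{program.gid})")
    if not program.mode & stat.S_IXUSR:
        problems.append("file has no execute permission")
    return problems


# "[ts]: uid: (N/name) gid: (N/name) cmd: file" as suexec writes it per request.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: uid: \((?P<uid>\d+)/(?P<user>[^)]+)\) "
    r"gid: \((?P<gid>\d+)/(?P<group>[^)]+)\) cmd: (?P<cmd>\S+)")


def parse_suexec_line(line):
    """Split a suexec.log request line into numeric ids, names and command.

    The first number of each pair is the id httpd handed to suexec; the uid's
    partner is the user name suexec resolved that uid to.  Returns None for
    lines of another shape (policy messages, startup notices).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    info = m.groupdict()
    info["uid"] = int(info["uid"])
    info["gid"] = int(info["gid"])
    return info


def port82_test_php():
    """/var/www/mapbender/http (drwxr-x--- sysadmin mbweb) holding test.php
    (-rw-r----- sysadmin mbweb), run as SuexecUserGroup mbweb mbweb."""
    directory = StatInfo(PASSWD["sysadmin"], GROUP["mbweb"], 0o750)
    program = StatInfo(PASSWD["sysadmin"], GROUP["mbweb"], 0o640)
    return policy_violations("mbweb", "mbweb", directory, program)


def port80_wrapper():
    """/var/www/borki/conf (dr-xr-x--- borki borki) holding the wrapper
    php5-fcgid-htdocs (-r-xr-x--- borki borki), run as SuexecUserGroup borki borki."""
    directory = StatInfo(PASSWD["borki"], GROUP["borki"], 0o550)
    program = StatInfo(PASSWD["borki"], GROUP["borki"], 0o550)
    return policy_violations("borki", "borki", directory, program)


def port82_after_chown():
    """The same test.php after the chown/chmod from the IRC exchange
    (750 mbweb.mbweb, parent directory owned by mbweb as well)."""
    directory = StatInfo(PASSWD["mbweb"], GROUP["mbweb"], 0o750)
    program = StatInfo(PASSWD["mbweb"], GROUP["mbweb"], 0o750)
    return policy_violations("mbweb", "mbweb", directory, program)


if __name__ == "__main__":
    # Constructed copy of the request line quoted in the thread.
    sample = "[2008-08-22 11:17:11]: uid: (1004/mbweb) gid: (1007/1007) cmd: test.php"
    print(parse_suexec_line(sample))
    for name, fn in (("port 82 test.php", port82_test_php),
                     ("port 80 wrapper", port80_wrapper),
                     ("port 82 after chown", port82_after_chown)):
        print(f"{name}: {fn() or 'no policy violation'}")
```

Run stand-alone, the script prints the parsed request line and then one complaint list per scenario: the port-82 case reproduces the "target uid/gid (1004/1007) mismatch with directory (1001/1007) or program (1001/1007)" message verbatim plus "file has no execute permission", the port-80 wrapper passes, and the chowned test.php passes. The point to take away for the least-privilege layout described in the post is that suexec does not accept a program that the target user can merely read: the directory and the program both have to be owned by the target uid and gid, and the program needs its owner execute bit, so a wrapper script owned by the script user (as in the port-80 vhost) is the piece that satisfies the check while the application files themselves can stay read-only for that user.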

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

