From: Makrohard@gmx.net
To: users@httpd.apache.org
Date: Wed, 20 Aug 2008 16:28:09 +0200
Message-ID: <20080820142809.220500@gmx.net>
Subject: [users@httpd] unexpected behaviour of suexec dissolving users / uid

Hello List.

I'm trying to set up multiple web applications on a Debian etch operating system using apache2 in combination with mod_fcgid and suexec. The versions are the ones contained in the up-to-date Debian etch distribution. I used apt to install all components.

Each application (= vhost) should run under a distinct user. The Apache user and the script users should have read-only access to the files. The script users (borki, mapserver and mapbender) have no homedir and no shell for security reasons. The user 'sysadmin', which is not used by any script, is the human admin who may log in via ssh and maintain the application. He should be the only one with write permissions.

The vhost on port 80 is running some PHP scripts; that's working fine (but suexec.log shows an unexpected uid. A whois.php shows the expected user as defined in the vhost section). Port 81 executes a CGI program without problems, too (81 executes no PHP, so it has no wrapper; a vhost.cgi shows the correct user, suexec.log shows an unexpected uid again).

The problem lies in the vhost on port 82. This one should be configured identically to the port 80 vhost, to run PHP scripts. Here I came across a weird problem: suexec states users that do not appear in my config files. I tried playing around with permissions and SuexecUserGroups, without success so far.

It would be great if someone could have a look at my configuration and logs; maybe there is an obvious, simple error. Please tell me if you are missing some information or if I should perform some more tests. It's very unlikely that I have found a bug, but if an experienced user thinks that this might be the case, please tell me that, too. If the described behaviour is the expected behaviour, please inform me what I got wrong. I have read all the docs that I have found and tried to understand them.
Anyhow, I'm quite a newbie, so the problem could be caused by anything from a typo up to a lack of basic understanding. I gave my best to solve that case, but I'm really stuck here. Any help is appreciated, even RTFM or STFW. But please tell me the resources, too, 'cause I have tried searching already.

If you see some security issues that I have overlooked, please feel free to tell me. The goal is an as-secure-as-possible server, without chrooting Apache. If one application gets compromised, the intruder should not be able to affect other applications.

Thank you in advance for taking your time!

Johannes

**************************************************************************************************************
My vhost config:

mybox:/# cat /etc/apache2/sites-available/default

# (The <VirtualHost> and <Directory> container lines were stripped by the
#  list archive and are restored here; each <Directory> path is assumed to
#  be the vhost's DocumentRoot. The directives themselves are as posted.)

#vhost1: running fine as user borki (php scripts)
NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin support@XXX.org
    SuexecUserGroup borki borki
    DocumentRoot /var/www/borki/htdocs
    <Directory /var/www/borki/htdocs>
        Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
        AddHandler fcgid-script .php
        FCGIWrapper /var/www/borki/conf/php5-fcgid-htdocs .php
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog /var/log/apache2/borki.error.log
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature Off
</VirtualHost>

# vhost2: running fine as user mapserver, has webgis group rights (cgi, no php)
NameVirtualHost *:81
<VirtualHost *:81>
    ServerAdmin support@XXX.org
    SuexecUserGroup mapserver webgis
    DocumentRoot /var/www/mapserver
    <Directory /var/www/mapserver>
        AllowOverride None
        SetHandler fcgid-script
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/mapserver.error.log
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature Off
</VirtualHost>

#vhost3 is not running, should be the same as vhost1, but with user mbweb
NameVirtualHost *:82
<VirtualHost *:82>
    ServerAdmin support@XXX.org
    #PLEASE NOTE THE USER CONFIGURED HERE
    SuexecUserGroup mbweb mbweb
    DocumentRoot /var/www/mapbender/http
    <Directory /var/www/mapbender/http>
        Options +ExecCGI +MultiViews +FollowSymLinks -Indexes
        AddHandler fcgid-script .php
        FCGIWrapper /var/www/mapbender/conf/php5-fcgid-htdocs .php
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/mapbender.error.log
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature Off
</VirtualHost>

**************************************************************************************************************
File permissions:

mybox:/# ls -al /var/www
insgesamt 20
drwxr-xr-x  5 root      root   4096 2008-08-16 15:58 .
drwxr-xr-x 14 root      root   4096 2008-07-30 09:41 ..
drwxr-x--x  6 sysadmin  borki  4096 2008-08-12 16:09 borki
drwxr-x--x 11 sysadmin  mbweb  4096 2008-08-20 13:48 mapbender
dr-xr-xr-x  2 mapserver webgis 4096 2008-08-22 09:45 mapserver

mybox:/# ls -al /var/www/borki/
insgesamt 24
drwxr-x--x 6 sysadmin borki  4096 2008-08-12 16:09 .
drwxr-xr-x 5 root     root   4096 2008-08-16 15:58 ..
dr-xr-x--- 2 borki    borki  4096 2008-08-21 10:10 conf
drwxr-x--- 6 sysadmin borki  4096 2008-08-22 09:44 htdocs
drwxrwx--- 2 sysadmin borki  4096 2008-08-06 15:00 log
drwxr-x--- 4 sysadmin webgis 4096 2008-08-07 12:24 mapfile

mybox:/# ls -al /var/www/borki/conf/
insgesamt 56
dr-xr-x--- 2 borki    borki  4096 2008-08-21 10:10 .
drwxr-x--x 6 sysadmin borki  4096 2008-08-12 16:09 ..
-r-xr-x--- 1 borki    borki   105 2008-08-21 10:10 php5-fcgid-htdocs
-rw-r--r-- 1 root     root  42286 2008-08-21 10:01 php.ini

mybox:/# ls -al /var/www/borki/htdocs/
insgesamt 32
drwxr-x--- 6 sysadmin borki  4096 2008-08-22 09:44 .
drwxr-x--x 6 sysadmin borki  4096 2008-08-12 16:09 ..
drwxr-x--- 2 sysadmin borki  4096 2008-08-07 13:17 css
drwxr-x--- 7 sysadmin borki  4096 2008-08-12 16:47 img
drwxrwx--- 2 borki    borki 12288 2008-08-22 09:45 tmp
drwxr-x--- 2 sysadmin borki  4096 2008-08-21 15:07 www

mybox:/# ls -al /var/www/borki/htdocs/www/
insgesamt 320
drwxr-x--- 2 sysadmin borki  4096 2008-08-21 15:07 .
drwxr-x--- 6 sysadmin borki  4096 2008-08-22 09:44 ..
-rw-r----- 1 sysadmin borki 14195 2008-08-21 15:06 index.php
[...]
mybox:/# ls -al /var/www/mapserver/
insgesamt 4196
dr-xr-xr-x 2 mapserver webgis    4096 2008-08-22 09:45 .
drwxr-xr-x 5 root      root      4096 2008-08-16 15:58 ..
-r-x------ 1 mapserver webgis 4269751 2008-08-05 10:24 mapserv
-r-x------ 1 mapserver webgis     128 2008-08-21 15:10 whoami.cgi

mybox:/# ls -al /var/www/mapbender/
insgesamt 80
drwxr-x--x 11 sysadmin mbweb 4096 2008-08-20 13:48 .
drwxr-xr-x  5 root     root  4096 2008-08-16 15:58 ..
dr-xr-x---  2 mbweb    mbweb 4096 2008-08-21 10:16 conf
drwxr-x--- 14 sysadmin mbweb 4096 2008-08-22 10:40 http
drwxrwx---  2 sysadmin mbweb 4096 2008-07-11 17:43 log
[...]

mybox:/# ls -al /var/www/mapbender/conf/
insgesamt 88
dr-xr-x---  2 mbweb    mbweb  4096 2008-08-21 10:16 .
drwxr-x--x 11 sysadmin mbweb  4096 2008-08-20 13:48 ..
-r-xr-x---  1 mbweb    mbweb    79 2008-08-21 10:16 php5-fcgid-htdocs
-rw-r--r--  1 root     root  42286 2008-08-21 10:13 php.ini
[...]

mybox:/# ls -al /var/www/mapbender/http/
insgesamt 72
drwxr-x--- 14 sysadmin mbweb 4096 2008-08-22 10:40 .
drwxr-x--x 11 sysadmin mbweb 4096 2008-08-20 13:48 ..
drwxr-x---  2 sysadmin mbweb 4096 2008-07-11 17:43 css
drwxr-x--- 14 sysadmin mbweb 4096 2008-07-11 17:43 img
-rw-r-----  1 sysadmin mbweb    5 2008-08-20 13:47 test.htm
-rw-r-----  1 sysadmin mbweb   37 2008-08-22 09:52 test.php
drwxr-x---  2 sysadmin mbweb 4096 2008-07-11 17:43 tmp

**************************************************************************************************************
The php wrappers for vhost1 and vhost3:

mybox:/# cat /var/www/borki/conf/php5-fcgid-htdocs
#!/bin/sh
#PHPRC="/etc/php5/cgi/borki/"
PHPRC="/var/www/borki/conf/"
export PHPRC
exec /usr/bin/php5-cgi

mybox:/# cat /var/www/mapbender/conf/php5-fcgid-htdocs
#!/bin/sh
PHPRC="/var/www/mapbender/conf/"
export PHPRC
exec /usr/bin/php5-cgi

**************************************************************************************************************
The users:

mybox:/# cat /etc/group
[...]
wheel:x:1001:root,someuser
remote:x:1002:someuser
sysadmin:x:1003:
borki:x:1004:www-data
mapserver:x:1005:
webgis:x:1006:borki,mbweb
mbweb:x:1007:www-data

**************************************************************************************************************
What works:

http://10.42.1.27/www/           -> running fine as user borki
http://10.42.1.27:81/whoami.cgi  -> running fine as user mapserver
(I verified that using whoami.php/cgi scripts)
http://10.42.1.27:82/test.htm    -> shows my html (that shows that I'm on the correct server in the correct directory)

**************************************************************************************************************
The problem and the corresponding logs:

http://10.42.1.27:82/test.htm -> does NOT run (Apache in the browser: Service Temporarily Unavailable)

suexec.log:
[2008-08-22 11:17:11]: uid: (1004/mbweb) gid: (1007/1007) cmd: test.php
    //1004 IS BORKI BUT I WOULD EXPECT MBWEB (1007)//
[2008-08-22 11:17:11]: target uid/gid (1004/1007) mismatch with directory (1001/1007) or program (1001/1007)

main.error.log (configured in apache2.conf):
suexec policy violation: see suexec log for more details
[Fri Aug 22 11:17:45 2008] [notice] mod_fcgid: server /var/www/mapbender/http/test.php(21037) started
[Fri Aug 22 11:17:45 2008] [notice] mod_fcgid: process /var/www/mapbender/http/test.php(21036) exit(server exited), terminated by calling exit(), return code: 120

mapbender.error.log:
[Fri Aug 22 11:19:43 2008] [warn] mod_fcgid: can't apply process slot for /var/www/mapbender/http/test.php

- Please ignore the timestamps, I reloaded the site multiple times to get the logs -

**************************************************************************************************************
Additional info and tests, partly performed during a discussion in #apache on freenode:

When I call vhost1 (working fine as borki) suexec.log states:
[2008-08-22 13:15:11]: uid: (1002/borki) gid: (1004/1004) cmd: php5-fcgid-htdocs
    //1002 IS REMOTE, I WOULD EXPECT BORKI (1004)//
Note that a whois.php prints out user borki.

When I call vhost2 suexec.log states the following:
[2008-08-22 14:19:53]: uid: (1003/mapserver) gid: (1006/1006) cmd: mapserv
    //1003 IS SYSADMIN, I WOULD EXPECT MAPSERVER (1005)//
Note that a whois.cgi prints out user mapserver.

me: can you set mweb:mweb on test.php ?
me: for testing...

test.php, ../http and ../../mapbender have owner mbweb now.
suexec.log states:
uid: (1004/mbweb) gid: (1007/1007) cmd: test.php
file has no execute permission.
    //1004 IS BORKI, I WOULD EXPECT MBWEB (1007)//

test.php is now 750 mbweb.mbweb.
suexec.log:
uid: (1004/mbweb) gid: (1007/1007) cmd: test.php
    //1004 IS BORKI, I WOULD EXPECT MBWEB (1007)//
main.error.log (apache):
suexec failure: could not open log file
fopen: Permission denied
(test.php is just a simple echo, without any fopen).
mapbender.error.log (application test.php):
[warn] mod_fcgid: can't apply process slot for /var/www/mapbender/http/test.php

-- 
makrohard

Sorry for the following free-mailer signature ;)
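Added example, not part of the original post: a small Python model of the checks suexec makes before it runs a target (as in httpd 2.2's suexec.c; the log messages and their order follow the suexec.log lines quoted above), fed with constructed owner/mode values taken from the listings above. The uid-to-name table is an assumption, since the post shows only /etc/group.

```python
import stat
from collections import namedtuple

# Constructed /etc/passwd subset. The post shows only /etc/group, so these
# uids are assumed from its suexec.log lines ("1002/borki", "1003/mapserver",
# "1004/mbweb") and from the "(1001/1007)" owner of /var/www/mapbender/http.
PASSWD = {1001: "sysadmin", 1002: "borki", 1003: "mapserver", 1004: "mbweb"}

Inode = namedtuple("Inode", "uid gid mode")   # owner and mode bits, as stat() gives them


def suexec_check(target_uname, target_gname, cmd, cwd, prog):
    """Model of the checks httpd 2.2's suexec runs before exec'ing cmd.
    Returns the log lines it would write; the last is 'ok' or the refusal.
    A numeric target user is resolved to a name via getpwuid(); a numeric
    target group is echoed unchanged, hence "uid: (1004/mbweb) gid: (1007/1007)"."""
    uid, gid = int(target_uname), int(target_gname)
    if uid not in PASSWD:
        return [f"invalid target user id: ({target_uname})"]
    log = [f"uid: ({target_uname}/{PASSWD[uid]}) "
           f"gid: ({target_gname}/{target_gname}) cmd: {cmd}"]
    if cwd.mode & stat.S_IWOTH:            # cwd must not be world-writable
        log.append("directory is writable by others")
    elif prog.mode & stat.S_IWOTH:         # nor the program
        log.append("file is writable by others")
    elif (cwd.uid, cwd.gid, prog.uid, prog.gid) != (uid, gid, uid, gid):
        # Directory AND program must be owned by exactly the target uid and
        # gid; matching only the group owner (sysadmin:mbweb) is not enough.
        log.append(f"target uid/gid ({uid}/{gid}) mismatch with directory "
                   f"({cwd.uid}/{cwd.gid}) or program ({prog.uid}/{prog.gid})")
    elif not prog.mode & stat.S_IXUSR:
        log.append("file has no execute permission")
    else:
        log.append("ok")
    return log


def post_cases():
    """The three situations in the post: vhost3 as first logged (sysadmin:mbweb,
    640/750), vhost3 after chown to mbweb but before chmod 750, and vhost1
    running its wrapper in /var/www/borki/conf (borki:borki, mode 550)."""
    return {
        "vhost3": suexec_check("1004", "1007", "test.php",
                               Inode(1001, 1007, 0o750), Inode(1001, 1007, 0o640)),
        "vhost3_chowned": suexec_check("1004", "1007", "test.php",
                                       Inode(1004, 1007, 0o750), Inode(1004, 1007, 0o640)),
        "vhost1": suexec_check("1002", "1004", "php5-fcgid-htdocs",
                               Inode(1002, 1004, 0o550), Inode(1002, 1004, 0o550)),
    }
```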