Hello List.
I'm trying to set up multiple web applications on a Debian etch operating
system using apache2 in combination with mod_fcgid and suexec. The versions are
the ones contained in the up-to-date Debian etch distribution. I used apt to
install all components.
Each application (=vhost) should run under a distinct user. The apache user and
script users should have read-only access to the files. The script users
(borki, mapserver and mapbender) have no homedir and no shell for security
reasons. The user 'sysadmin' which is not used by any script is the human admin
that may log in via ssh and maintain the application. He should be the only one
with write permissions.
The vhost on port 80 is running some php scripts; that's working fine (but
suexec.log shows an unexpected uid. A whois.php shows the expected user as
defined in the vhost section). Port 81 executes a cgi program without
problems, too (81 executes no php, so it has no wrapper; a vhost.cgi
shows the correct user, suexec.log shows an unexpected uid again). The problem
lies in the vhost on port 82. This one should be configured identically to the
port 80 vhost, to run php scripts.
Here I came across a weird problem: suexec states users that do not appear in
my config files. I tried playing around with permissions and SuexecUserGroups,
without success so far.
It would be great if someone could have a look at my configuration and logs;
maybe there is an obvious, simple error. Please tell me if you are missing some
information or if I should perform some more tests. It's very unlikely that I
might have found a bug, but if an experienced user thinks that this might be
the case, please tell that, too. If the described behaviour is the expected
behaviour, please inform me what I got wrong.
I have read all docs that I have found and tried to understand them. Anyhow,
I'm quite a newbie, so the problem could be caused by anything from a typo up
to a lack of basic understanding. I gave my best to solve that case, but I'm
really stuck here. Any help is appreciated, even RTFM or STFW. But please tell
me the resources, too, 'cause I have tried searching already. If you see some
security issues that I have overlooked, please feel free to tell me. The goal
is an as-secure-as-possible server, without chrooting apache. If one
application gets compromised, the intruder should not be able to affect other
applications.
Thank you in advance for taking your time!
Johannes
**************************************************************************************************************
My vhost config:
mybox:/# cat /etc/apache2/sites-available/default
#vhost1: running fine as user borki (php scripts)
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin [EMAIL PROTECTED]
SuexecUserGroup borki borki
DocumentRoot /var/www/borki/htdocs
<Directory /var/www/borki/htdocs>
Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
AddHandler fcgid-script .php
FCGIWrapper /var/www/borki/conf/php5-fcgid-htdocs .php
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/apache2/borki.error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature Off
</VirtualHost>
# vhost2: running fine as user mapserver, has webgis group rights (cgi, no php)
NameVirtualHost *:81
<VirtualHost *:81>
ServerAdmin [EMAIL PROTECTED]
SuexecUserGroup mapserver webgis
DocumentRoot /var/www/mapserver
<Directory /var/www/mapserver>
AllowOverride None
SetHandler fcgid-script
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/mapserver.error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature Off
</VirtualHost>
#vhost3 is not running, should be the same as vhost1, but with user mbweb
NameVirtualHost *:82
<VirtualHost *:82>
ServerAdmin [EMAIL PROTECTED]
# PLEASE NOTE THE USER CONFIGURED HERE (Apache does not accept a trailing comment on a directive line)
SuexecUserGroup mbweb mbweb
DocumentRoot /var/www/mapbender/http
<Directory /var/www/mapserver/http>
Options +ExecCGI +MultiViews +FollowSymLinks -Indexes
AddHandler fcgid-script .php
FCGIWrapper /var/www/mapbender/conf/php5-fcgid-htdocs .php
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/mapbender.error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature Off
</VirtualHost>
**************************************************************************************************************
File permissions:
mybox:/# ls -al /var/www
insgesamt 20
drwxr-xr-x 5 root root 4096 2008-08-16 15:58 .
drwxr-xr-x 14 root root 4096 2008-07-30 09:41 ..
drwxr-x--x 6 sysadmin borki 4096 2008-08-12 16:09 borki
drwxr-x--x 11 sysadmin mbweb 4096 2008-08-20 13:48 mapbender
dr-xr-xr-x 2 mapserver webgis 4096 2008-08-22 09:45 mapserver
mybox:/# ls -al /var/www/borki/
insgesamt 24
drwxr-x--x 6 sysadmin borki 4096 2008-08-12 16:09 .
drwxr-xr-x 5 root root 4096 2008-08-16 15:58 ..
dr-xr-x--- 2 borki borki 4096 2008-08-21 10:10 conf
drwxr-x--- 6 sysadmin borki 4096 2008-08-22 09:44 htdocs
drwxrwx--- 2 sysadmin borki 4096 2008-08-06 15:00 log
drwxr-x--- 4 sysadmin webgis 4096 2008-08-07 12:24 mapfile
mybox:/# ls -al /var/www/borki/conf/
insgesamt 56
dr-xr-x--- 2 borki borki 4096 2008-08-21 10:10 .
drwxr-x--x 6 sysadmin borki 4096 2008-08-12 16:09 ..
-r-xr-x--- 1 borki borki 105 2008-08-21 10:10 php5-fcgid-htdocs
-rw-r--r-- 1 root root 42286 2008-08-21 10:01 php.ini
mybox:/# ls -al /var/www/borki/htdocs/
insgesamt 32
drwxr-x--- 6 sysadmin borki 4096 2008-08-22 09:44 .
drwxr-x--x 6 sysadmin borki 4096 2008-08-12 16:09 ..
drwxr-x--- 2 sysadmin borki 4096 2008-08-07 13:17 css
drwxr-x--- 7 sysadmin borki 4096 2008-08-12 16:47 img
drwxrwx--- 2 borki borki 12288 2008-08-22 09:45 tmp
drwxr-x--- 2 sysadmin borki 4096 2008-08-21 15:07 www
mybox:/# ls -al /var/www/borki/htdocs/www/
insgesamt 320
drwxr-x--- 2 sysadmin borki 4096 2008-08-21 15:07 .
drwxr-x--- 6 sysadmin borki 4096 2008-08-22 09:44 ..
-rw-r----- 1 sysadmin borki 14195 2008-08-21 15:06 index.php
[...]
mybox:/# ls -al /var/www/mapserver/
insgesamt 4196
dr-xr-xr-x 2 mapserver webgis 4096 2008-08-22 09:45 .
drwxr-xr-x 5 root root 4096 2008-08-16 15:58 ..
-r-x------ 1 mapserver webgis 4269751 2008-08-05 10:24 mapserv
-r-x------ 1 mapserver webgis 128 2008-08-21 15:10 whoami.cgi
mybox:/# ls -al /var/www/mapbender/
insgesamt 80
drwxr-x--x 11 sysadmin mbweb 4096 2008-08-20 13:48 .
drwxr-xr-x 5 root root 4096 2008-08-16 15:58 ..
dr-xr-x--- 2 mbweb mbweb 4096 2008-08-21 10:16 conf
drwxr-x--- 14 sysadmin mbweb 4096 2008-08-22 10:40 http
drwxrwx--- 2 sysadmin mbweb 4096 2008-07-11 17:43 log
[...]
mybox:/# ls -al /var/www/mapbender/conf/
insgesamt 88
dr-xr-x--- 2 mbweb mbweb 4096 2008-08-21 10:16 .
drwxr-x--x 11 sysadmin mbweb 4096 2008-08-20 13:48 ..
-r-xr-x--- 1 mbweb mbweb 79 2008-08-21 10:16 php5-fcgid-htdocs
-rw-r--r-- 1 root root 42286 2008-08-21 10:13 php.ini
[...]
mybox:/# ls -al /var/www/mapbender/http/
insgesamt 72
drwxr-x--- 14 sysadmin mbweb 4096 2008-08-22 10:40 .
drwxr-x--x 11 sysadmin mbweb 4096 2008-08-20 13:48 ..
drwxr-x--- 2 sysadmin mbweb 4096 2008-07-11 17:43 css
drwxr-x--- 14 sysadmin mbweb 4096 2008-07-11 17:43 img
-rw-r----- 1 sysadmin mbweb 5 2008-08-20 13:47 test.htm
-rw-r----- 1 sysadmin mbweb 37 2008-08-22 09:52 test.php
drwxr-x--- 2 sysadmin mbweb 4096 2008-07-11 17:43 tmp
**************************************************************************************************************
The php wrappers for vhost1 and vhost3:
mybox:/# cat /var/www/borki/conf/php5-fcgid-htdocs
#!/bin/sh
#PHPRC="/etc/php5/cgi/borki/"
PHPRC="/var/www/borki/conf/"
export PHPRC
exec /usr/bin/php5-cgi
mybox:/# cat /var/www/mapbender/conf/php5-fcgid-htdocs
#!/bin/sh
PHPRC="/var/www/mapbender/conf/"
export PHPRC
exec /usr/bin/php5-cgi
**************************************************************************************************************
The users:
mybox:/# cat /etc/group
[...]
wheel:x:1001:root,someuser
remote:x:1002:someuser
sysadmin:x:1003:
borki:x:1004:www-data
mapserver:x:1005:
webgis:x:1006:borki,mbweb
mbweb:x:1007:www-data
**************************************************************************************************************
What works:
http://10.42.1.27/www/ -> running fine as user borki
http://10.42.1.27:81/whoami.cgi -> running fine as user mapserver
(I verified that using whoami.php/cgi scripts)
http://10.42.1.27:82/test.htm -> shows my html (That shows that I'm on the
correct server in the correct directory)
**************************************************************************************************************
The problem and the corresponding logs:
http://10.42.1.27:82/test.php -> Does NOT run (Apache in the browser: Service
Temporarily Unavailable)
suexec.log:
[2008-08-22 11:17:11]: uid: (1004/mbweb) gid: (1007/1007) cmd: test.php //1004 IS BORKI BUT I WOULD EXPECT MBWEB (1007)//
[2008-08-22 11:17:11]: target uid/gid (1004/1007) mismatch with directory (1001/1007) or program (1001/1007)
main.error.log (configured in apache2.conf):
suexec policy violation: see suexec log for more details
[Fri Aug 22 11:17:45 2008] [notice] mod_fcgid: server /var/www/mapbender/http/test.php(21037) started
[Fri Aug 22 11:17:45 2008] [notice] mod_fcgid: process /var/www/mapbender/http/test.php(21036) exit(server exited), terminated by calling exit(), return code: 120
mapbender.error.log:
[Fri Aug 22 11:19:43 2008] [warn] mod_fcgid: can't apply process slot for /var/www/mapbender/http/test.php
- Please ignore the timestamps, I reloaded the site multiple times to get the
logs -
**************************************************************************************************************
Additional info and tests, partly performed during a discussion in #apache on
freenode:
When I call vhost1 (working fine as borki) suexec.log states:
[2008-08-22 13:15:11]: uid: (1002/borki) gid: (1004/1004) cmd: php5-fcgid-htdocs //1002 IS REMOTE, I WOULD EXPECT BORKI (1004)//
Note that a whois.php prints out user borki.
When I call vhost2 suexec.log states the following:
[2008-08-22 14:19:53]: uid: (1003/mapserver) gid: (1006/1006) cmd: mapserv //1003 IS SYSADMIN, I WOULD EXPECT MAPSERVER (1005)//
Note that a whois.cgi prints out user mapserver.
<helper> me: can you set mweb:mweb on test.php ?
<helper> me: for testing...
<me> test.php, ../http and ../../mapbender have owner mbweb now.
suexec.log states: uid: (1004/mbweb) gid: (1007/1007) cmd: test.php. file has no execute permission. //1004 IS BORKI, I WOULD EXPECT MBWEB (1007)//
<me> test.php is now 750 mbweb.mbweb.
suexec.log: uid: (1004/mbweb) gid: (1007/1007) cmd: test.php //1004 IS BORKI, I WOULD EXPECT MBWEB (1007)//
main.error.log (apache): suexec failure: could not open log file
fopen: Permission denied (test.php is just a simple echo, without any fopen).
mapbender.error.log (application test.php): [warn] mod_fcgid: can't apply process slot for /var/www/mapbender/http/test.php
--
makrohard
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
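An added diagnostic, not from the original post and not code from Apache or Debian: a POSIX shell function that approximates the ownership and permission rules suexec enforces before it executes a program, using the same wording suexec writes to suexec.log. The document root and minimum uid/gid defaults (/var/www, 100, 100) are assumptions about Debian's suexec build and can be overridden through the environment; it also assumes a `stat -c` that understands `%u %g %a` (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example (not from the original post, not Apache's or Debian's code):
# a preflight approximation of the checks suexec applies before it executes
# a CGI/FastCGI program, worded like the messages suexec writes to suexec.log.
# Assumptions: a Debian-style build (document root /var/www, minimum uid and
# gid 100; override via the environment) and a `stat -c` that understands
# %u %g %a (GNU coreutils or busybox).

SUEXEC_DOCROOT=${SUEXEC_DOCROOT:-/var/www}
SUEXEC_UIDMIN=${SUEXEC_UIDMIN:-100}
SUEXEC_GIDMIN=${SUEXEC_GIDMIN:-100}

# suexec_check PROGRAM TARGET_UID TARGET_GID
# Prints one line per violated rule and returns 1; returns 0 when PROGRAM would
# pass suexec's ownership and permission policy for the given numeric ids.
suexec_check() {
    prog=$1 tuid=$2 tgid=$3
    rc=0

    # Rule 1: the target ids must not be below the compiled-in minimums
    # (keeps root and system accounts out of reach of SuexecUserGroup).
    [ "$tuid" -ge "$SUEXEC_UIDMIN" ] || { echo "target uid $tuid is below minimum $SUEXEC_UIDMIN"; rc=1; }
    [ "$tgid" -ge "$SUEXEC_GIDMIN" ] || { echo "target gid $tgid is below minimum $SUEXEC_GIDMIN"; rc=1; }

    # suexec chdirs into the program's directory and inspects that first.
    dir=$(cd "$(dirname "$prog")" 2>/dev/null && pwd -P) \
        || { echo "cannot get docroot information ($(dirname "$prog"))"; return 1; }
    [ -f "$prog" ] || { echo "cannot stat program: $prog"; return 1; }

    # Rule 2: the directory must live under the document root suexec was built with.
    case "$dir/" in
        "$SUEXEC_DOCROOT"/*) ;;
        *) echo "command not in docroot ($dir is outside $SUEXEC_DOCROOT)"; rc=1 ;;
    esac

    # Owner ids and octal mode of the directory and of the program.
    set -- $(stat -c '%u %g %a' "$dir") $(stat -c '%u %g %a' "$prog")
    duid=$1 dgid=$2 dmode=$((0$3))
    puid=$4 pgid=$5 pmode=$((0$6))

    # Rule 3: neither the directory nor the program may be group- or world-writable.
    [ $((dmode & 022)) -eq 0 ] || { echo "directory is writable by others: $dir"; rc=1; }
    [ $((pmode & 022)) -eq 0 ] || { echo "file is writable by others: $prog"; rc=1; }

    # Rule 4: the program must not be setuid or setgid.
    [ $((pmode & 06000)) -eq 0 ] || { echo "file is either setuid or setgid: $prog"; rc=1; }

    # Rule 5: directory and program must be owned by exactly the target uid/gid;
    # this is the check behind "target uid/gid (...) mismatch with directory (...)".
    if [ "$duid" != "$tuid" ] || [ "$dgid" != "$tgid" ] \
        || [ "$puid" != "$tuid" ] || [ "$pgid" != "$tgid" ]; then
        echo "target uid/gid ($tuid/$tgid) mismatch with directory ($duid/$dgid) or program ($puid/$pgid)"
        rc=1
    fi

    # Rule 6: the owner must have execute permission on the program.
    [ $((pmode & 0100)) -ne 0 ] || { echo "file has no execute permission: $prog"; rc=1; }

    return $rc
}
```

Run it as `suexec_check /var/www/mapbender/http/test.php <uid> <gid>` with the numeric uid and gid of the account named in SuexecUserGroup (uids come from /etc/passwd and gids from /etc/group, and the two numberings need not coincide for an account). In suexec.log a line of the form `uid: (1004/mbweb) gid: (1007/1007)` prints the user and group strings Apache handed to suexec first and the account names suexec resolved them to second, and the `target uid/gid (...) mismatch with directory (...) or program (...)` line compares those numeric target ids with the owner of the program and of its directory. Both must be the target account itself, so a layout in which a separate admin account owns the script tree is refused by suexec no matter how read permissions are arranged; the usual way to keep the admin's write access in such a setup is group membership or a deploy step that hands ownership to the script user.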