FFT


Apache with Suexec : simple cgi works, php scripts do not.

I have a problem setting up suexec with some php files.

I'm reinstalling a server which worked fine for 3 years; unfortunately it was hacked (T0rkit) and I'm managing to reinstall everything.

Linux redhat 7.2
Kernel : 2.4.28
Apache : 1.3.33
Php : 4.3.10

What I want to do :

Use suexec only on ".sphp" scripts, which are allowed to write on disks; .php scripts are not wrapped via suexec (as it worked before)

with php : no problem
http://www.team-project.net/test.php

with sphp (same code, just the sphp extension):-(
http://www.team-project.net/test.sphp

I just can't see why it worked before (php 1.3.26 / php 4.2.2) and why I get an "internal server error" for every .sphp script.

Let's get into details :

APACHE
#######################
/usr/local/apache/bin/httpd -l

Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_rewrite.c
  mod_access.c
  mod_auth.c
  mod_so.c
  mod_setenvif.c
  mod_ssl.c
  mod_php4.c
  mod_gzip.c
suexec: enabled; valid wrapper /usr/local/apache/bin/suexec

Ok suexec is installed with php, let's move on with suexec config :

/usr/local/apache/bin/suexec -V

 -D DOC_ROOT="/home"
 -D GID_MIN=99
 -D HTTPD_USER="nobody"
 -D LOG_EXEC="/usr/local/apache/logs/cgi.log"
 -D SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D UID_MIN=99
 -D USERDIR_SUFFIX="www"

Ok no problem so far, all my web sites are underneath /home and all uid/gid are greater than 99, it seems all the requirements requested by suexec to work are fine : http://apache-server.com/tutorials/LPsuexec.html ("Requirements For suexec Operation" paragraph)

I've added this on my httpd.conf and restarted Apache

AddHandler cgi-script .sphp

A sample vhost :

<VirtualHost 213.186.34.46>
ServerAdmin webmaster@team-project.net
DocumentRoot /home/fft/team-project/www
User fft
Group fft
ServerName www.team-project.net
CustomLog /home/log/apache/team-project.log combined
ScriptAlias /cgi-bin/ /home/fft/team-project/cgi-bin/
</VirtualHost>

#######################

Now let's test with a shell script processed as a CGI :
http://www.team-project.net/showuser.cgi

it works fine and shows the user that suexec is using to process the CGI.

the script is as follows and chmoded 755 :

#!/bin/sh
echo "Content-type: text/plain"
echo ""
echo "Username="`whoami`

OK it seems to work fine with non php scripts :-/

#######################

Now let's try again our php script

When I click
http://www.team-project.net/test.sphp

the log (/usr/local/apache/logs/cgi.log) reads :
error: file has no execute permission: (/home/fft/team-project/www/test.sphp)

Ok no problem I do "chmod 755 /home/fft/team-project/www/test.sphp" and re-test (but weird, because I did not have this kind of error before...)

info: (target/actual) uid: (fft/fft) gid: (fft/fft) cmd: test.sphp

Ok it seems now it has worked, but guess what :

it's still displaying "Internal Server Error"...

I'm really getting lost here, and the dozens of links I read (not that much information though...) do not help.

What I tried :

To recompile PHP using --enable-force-cgi-redirect on the command line (I did a "make clean" before)
And used another method from the 13-Jun-2004 05:26 message from this page : http://fr2.php.net/security.cgi-bin but with NO result (same error) :

Can you help me please ?

Thanks.
FFT

ASKER

I'm replying to myself, it appears that the new version of suexec does not support any more to execute sphp files as CGI, so I assume the question will not gain any answers ! Thanks for reading... ,;-)

> ..  suexec does not support any more to execute sphp files as CGI ..
suexec does not know anything about the extension, nor the content of the file
so need to explain why that should be

I guess that your tests.sphp is not executed 'cause of permission 7xx, set it to 550
Then ensure that the owner of the script is that user you configured for suexec, and that the GID matches suexec's condition (>99)
FFT

ASKER

> suexec does not know anything about the extension, nor the content of the file
> so need to explain why that should be

can't tell why, it appears that if I use the old suexec binary (3 years old...), it gives some more result without changing the httpd.conf so I guess it is because php scripts can't be used this way (I also tried to compile it with --enable-force-cgi-redirect feature without any success)

> I guess that your tests.sphp is not executed 'cause of permission 7xx, set it to 550

It does not work more with chmod 550

> Then ensure that the owner of the script is that user you configured for suexec...

What do you mean by this? I understood that suexec's main purpose was to use the owner of the file to execute the code instead of the owner of apache, so why should the owner have the same uid/gid as suexec ? this is not very logical or I misunderstand you...

> and that the GID matches suexec's condition (>99)
Yes

can you please post result of
  suexec --layout
and your apache (httpd) is running as user nobody?
or better, have you checked all this: http://httpd.apache.org/docs/suexec.html#model
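
Several of the checks in the suexec security model linked above can be run by hand against a single script. The following is an added example, not code from this thread or from Apache: it covers a subset of the model's checks, takes its defaults from the `suexec -V` output quoted in the question, and adds one check of its own (a `#!` interpreter line), because suexec hands the target file straight to exec().

```python
import os
import stat
import sys

# Limits copied from the `suexec -V` output quoted in the thread.
DOC_ROOT, UID_MIN, GID_MIN = "/home", 99, 99
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH

def suexec_precheck(script, uid, gid, doc_root=DOC_ROOT,
                    uid_min=UID_MIN, gid_min=GID_MIN):
    """List the reasons a suexec-wrapped CGI request for `script`, run as
    uid/gid, would be refused or fail at exec. Empty list: all checks pass."""
    problems = []
    if uid < uid_min or gid < gid_min:
        problems.append("target uid/gid is below UID_MIN/GID_MIN")
    path = os.path.realpath(script)
    root = os.path.realpath(doc_root)
    if os.path.commonpath([root, path]) != root:
        problems.append("script is outside DOC_ROOT")
    try:
        d = os.stat(os.path.dirname(path))
        f = os.stat(path)
        with open(path, "rb") as fh:
            magic = fh.read(4)
    except OSError as exc:
        return problems + ["cannot read script: %s" % exc.strerror]
    if d.st_mode & OTHERS_WRITE:
        problems.append("directory is writable by group or others")
    if f.st_mode & OTHERS_WRITE:
        problems.append("script is writable by group or others")
    if f.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("script is setuid or setgid")
    if (f.st_uid, f.st_gid) != (uid, gid):
        problems.append("script owner/group differs from the vhost User/Group")
    if not f.st_mode & stat.S_IXUSR:
        problems.append("script has no execute permission")
    # Not stated in the thread: the target is exec()'d directly, so it must
    # be a binary or start with a "#!" interpreter line.
    if not (magic.startswith(b"#!") or magic == b"\x7fELF"):
        problems.append("script has no #! interpreter line")
    return problems

if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python3 precheck.py /home/fft/team-project/www/test.sphp fft
    import pwd
    user = pwd.getpwnam(sys.argv[2])
    for line in suexec_precheck(sys.argv[1], user.pw_uid, user.pw_gid) or ["ok"]:
        print(line)
```
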
FFT

ASKER

/usr/local/apache/bin/suexec --layout gives nothing

only this works (already posted before)

/usr/local/apache/bin/suexec -V

 -D DOC_ROOT="/home"
 -D GID_MIN=99
 -D HTTPD_USER="nobody"
 -D LOG_EXEC="/usr/local/apache/logs/cgi.log"
 -D SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D UID_MIN=99
 -D USERDIR_SUFFIX="www"

> and your apache (httpd) is running as user nobody

YES, already posted....

> or better, have you checked all this: http://httpd.apache.org/docs/suexec.html#model

YES... since, already tested. suexec is working fine with cgi, I guess the problem is on the php side...

Thanks

ASKER CERTIFIED SOLUTION
DarthMod