
Apache with Suexec : simple cgi works, php scripts do not.

I have a problem setting up suexec with some php files.

I'm reinstalling a server which worked fine for 3 years; unfortunately it was hacked (T0rkit) and I'm managing to reinstall everything.

Linux redhat 7.2
Kernel : 2.4.28
Apache : 1.3.33
Php : 4.3.10

What I want to do :

Use suexec only on ".sphp" scripts, which are allowed to write on disks; .php scripts are not wrapped via suexec (as it worked before)

with php : no problem
http://www.team-project.net/test.php

with sphp (same code, just the sphp extension):-(
http://www.team-project.net/test.sphp

I just can't see why it worked before (php 1.3.26 / php 4.2.2) and why I get an "internal server error" for every .sphp script.

Let's get into details :

APACHE
#######################
/usr/local/apache/bin/httpd -l

Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_rewrite.c
  mod_access.c
  mod_auth.c
  mod_so.c
  mod_setenvif.c
  mod_ssl.c
  mod_php4.c
  mod_gzip.c
suexec: enabled; valid wrapper /usr/local/apache/bin/suexec

Ok, suexec is installed with php, let's move on with the suexec config :

/usr/local/apache/bin/suexec -V

 -D DOC_ROOT="/home"
 -D GID_MIN=99
 -D HTTPD_USER="nobody"
 -D LOG_EXEC="/usr/local/apache/logs/cgi.log"
 -D SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D UID_MIN=99
 -D USERDIR_SUFFIX="www"

Ok, no problem so far: all my web sites are underneath /home and all uid/gid are greater than 99, so it seems all the requirements for suexec to work are met : http://apache-server.com/tutorials/LPsuexec.html ("Requirements For suexec Operation" paragraph)

I've added this to my httpd.conf and restarted Apache

AddHandler cgi-script .sphp

A sample vhost :

<VirtualHost 213.186.34.46>
ServerAdmin webmaster@team-project.net
DocumentRoot /home/fft/team-project/www
User fft
Group fft
ServerName www.team-project.net
CustomLog /home/log/apache/team-project.log combined
ScriptAlias /cgi-bin/ /home/fft/team-project/cgi-bin/
</VirtualHost>

#######################

Now let's test with a shell script processed as a CGI :
http://www.team-project.net/showuser.cgi

It works fine and shows the user that suexec is using to process the CGI.

The script is as follows and chmoded 755 :

#!/bin/sh
echo "Content-type: text/plain"
echo ""
echo "Username="`whoami`

OK, it seems to work fine with non php scripts :-/

#######################

Now let's try again our php script

When I click
http://www.team-project.net/test.sphp

the log (/usr/local/apache/logs/cgi.log) reads :
error: file has no execute permission: (/home/fft/team-project/www/test.sphp)

Ok no problem I do "chmod 755 /home/fft/team-project/www/test.sphp" and re-test (but weird, because I did not have this kind of error before...)

info: (target/actual) uid: (fft/fft) gid: (fft/fft) cmd: test.sphp

Ok it seems now it has worked, but guess what :

it's still displaying "Internal Server Error"...

I'm really getting lost here, and the dozens of links I read (not that much information though...) do not help.

What I tried :

To recompile PHP using --enable-force-cgi-redirect on the command line (I did a "make clean" before)
And used another method from the 13-Jun-2004 05:26 message from this page : http://fr2.php.net/security.cgi-bin but with NO result (same error) :

Can you help me please ?

Thanks.
Asked by: FFT
 
FFT (Author) Commented:
I'm replying to myself, it appears that the new version of suexec does not support any more to execute sphp files as CGI, so I assume the question will not gain any answers ! Thanks for reading... ,;-)
 
ahoffmann Commented:
> ..  suexec does not support any more to execute sphp files as CGI ..
suexec does not know anything about the extension, nor the content of the file
so need to explain why that should be

I guess that your tests.sphp is not executed 'cause of permission 7xx, set it to 550
Then ensure that the owner of the script is that user you configured for suexec, and that the GID matches suexec's condition (>99)
 
FFT (Author) Commented:
> suexec does not know anything about the extension, nor the content of the file
> so need to explain why that should be

Can't tell why; it appears that if I use the old suexec binary (3 years old...), it gives some more results without changing the httpd.conf, so I guess it is because php scripts can't be used this way (I also tried to compile it with the --enable-force-cgi-redirect feature without any success)

> I guess that your tests.sphp is not executed 'cause of permission 7xx, set it to 550

It does not work any better with chmod 550

> Then ensure that the owner of the script is that user you configured for suexec...

What do you mean by this? I understood that suexec's main purpose was to use the owner of the file to execute the code instead of the owner of apache, so why should the owner have the same uid/gid as suexec? This is not very logical or I misunderstand you...

> and that the GID matches suexec's condition (>99)
Yes
 
ahoffmann Commented:
can you please post result of
  suexec --layout
and your apache (httpd) is running as user nobody?
or better, have you checked all this: http://httpd.apache.org/docs/suexec.html#model
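
The suexec security-model checks referred to in this thread, as an added example that is not part of the original posts: a Python pre-flight check whose defaults are the `suexec -V` values shown above. The function name and most messages are illustrative ("file has no execute permission" is the cgi.log line quoted in the question), and the last check reflects that suexec starts the target with execv().

```python
import os
import stat

def suexec_precheck(script, uid, gid, doc_root="/home", uid_min=99, gid_min=99):
    """List the reasons suexec, or the exec that follows it, would reject `script`.

    Defaults are the `suexec -V` values posted in the thread. `uid`/`gid` are the
    numeric ids of the vhost's User/Group. An empty list means every modelled
    check passed; it does not prove the script itself runs correctly.
    """
    problems = []
    script, root = os.path.realpath(script), os.path.realpath(doc_root)
    if os.path.commonpath([script, root]) != root:
        problems.append("target is outside DOC_ROOT")
    if uid < uid_min:
        problems.append("target uid is below UID_MIN")
    if gid < gid_min:
        problems.append("target gid is below GID_MIN")
    try:
        d, f = os.stat(os.path.dirname(script)), os.stat(script)
        with open(script, "rb") as fh:
            magic = fh.read(4)
    except OSError:
        return problems + ["cannot stat or read target"]
    writable = stat.S_IWGRP | stat.S_IWOTH
    if d.st_mode & writable:
        problems.append("directory is writable by group or others")
    if f.st_mode & writable:
        problems.append("file is writable by group or others")
    if f.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("file is setuid or setgid")
    if (d.st_uid, d.st_gid) != (uid, gid) or (f.st_uid, f.st_gid) != (uid, gid):
        problems.append("target uid/gid mismatch with directory or program")
    if not f.st_mode & stat.S_IXUSR:
        problems.append("file has no execute permission")
    # suexec hands the file to execv(): a script without a '#!' interpreter
    # line (and that is not an ELF binary) cannot be started by the kernel.
    if not (magic.startswith(b"#!") or magic == b"\x7fELF"):
        problems.append("no '#!' interpreter line")
    return problems
```

Run it as root or as the target user so the script is readable, passing the numeric uid and gid of the vhost's User and Group.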
 
FFT (Author) Commented:
/usr/local/apache/bin/suexec --layout gives nothing

only this works (already posted before)

/usr/local/apache/bin/suexec -V

 -D DOC_ROOT="/home"
 -D GID_MIN=99
 -D HTTPD_USER="nobody"
 -D LOG_EXEC="/usr/local/apache/logs/cgi.log"
 -D SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D UID_MIN=99
 -D USERDIR_SUFFIX="www"

> and your apache (httpd) is running as user nobody

YES, already posted....

> or better, have you checked all this: http://httpd.apache.org/docs/suexec.html#model

YES... since, already tested. suexec is working fine with cgi, I guess the problem is on the php side...

Thanks
 
DarthMod Commented:
Submitted to PAQ with points refunded (500)

DarthMod
Community Support Moderator