Solved

Apache with Suexec : simple cgi works, php scripts do not.

Posted on 2005-03-14
Medium Priority
Last Modified: 2013-11-18
I have a problem setting up suexec with some php files.

I'm reinstalling a server which worked fine for 3 years, unfortunately it was hacked (T0rkit) and I'm managing to reinstall everything.

Linux redhat 7.2
Kernel : 2.4.28
Apache : 1.3.33
Php : 4.3.10

What I want to do :

Use suexec only on ".sphp" scripts, which are allowed to write to disk; .php scripts are not wrapped via suexec (as it worked before)

with php : no problem
http://www.team-project.net/test.php

with sphp (same code, just the sphp extension):-(
http://www.team-project.net/test.sphp

I just can't see why it worked before (php 1.3.26 / php 4.2.2) and why I get an "internal server error" for every .sphp script.

Let's get into details :

APACHE
#######################
/usr/local/apache/bin/httpd -l

Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_rewrite.c
  mod_access.c
  mod_auth.c
  mod_so.c
  mod_setenvif.c
  mod_ssl.c
  mod_php4.c
  mod_gzip.c
suexec: enabled; valid wrapper /usr/local/apache/bin/suexec

Ok, suexec is installed with php, let's move on with the suexec config :

/usr/local/apache/bin/httpd/suexec -V

 -D DOC_ROOT="/home"
 -D GID_MIN=99
 -D HTTPD_USER="nobody"
 -D LOG_EXEC="/usr/local/apache/logs/cgi.log"
 -D SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D UID_MIN=99
 -D USERDIR_SUFFIX="www"

Ok, no problem so far: all my web sites are underneath /home and all uid/gid are greater than 99, so it seems all the requirements requested by suexec to work are fine : http://apache-server.com/tutorials/LPsuexec.html ("Requirements For suexec Operation" paragraph)

I've added this on my httpd.conf and restarted Apache

AddHandler cgi-script .sphp

A sample vhost :

<VirtualHost 213.186.34.46>
ServerAdmin webmaster@team-project.net
DocumentRoot /home/fft/team-project/www
User fft
Group fft
ServerName www.team-project.net
CustomLog /home/log/apache/team-project.log combined
ScriptAlias /cgi-bin/ /home/fft/team-project/cgi-bin/
</VirtualHost>

#######################

Now let's test with a shell script processed as a CGI :
http://www.team-project.net/showuser.cgi

It works fine and shows the user that suexec is using to process the CGI.

The script is as follows and chmoded 755 :

#!/bin/sh
echo "Content-type: text/plain"
echo ""
echo "Username="`whoami`

OK, it seems to work fine with non php scripts :-/

#######################

Now let's try again our php script

When I click
http://www.team-project.net/test.sphp

the log (/usr/local/apache/logs/cgi.log) reads :
error: file has no execute permission: (/home/fft/team-project/www/test.sphp)

Ok no problem I do "chmod 755 /home/fft/team-project/www/test.sphp" and re-test (but weird, because I did not have this kind of error before...)

info: (target/actual) uid: (fft/fft) gid: (fft/fft) cmd: test.sphp

Ok it seems now it has worked, but guess what :

it's still displaying "Internal Server Error"...

I'm really getting lost here, and the dozens of links I read (not that much information though...) do not help.

What I tried :

To recompile PHP using --enable-force-cgi-redirect on the command line (I did a "make clean" before)
And used another method from the 13-Jun-2004 05:26 message from this page : http://fr2.php.net/security.cgi-bin but with NO result (same error) :

Can you help me please ?

Thanks.
Question by:FFT

Author Comment

by:FFT
ID: 13546071
I'm replying to myself, it appears that the new version of suexec does not support any more to execute sphp files as CGI, so I assume the question will not gain any answers ! Thanks for reading... ,;-)
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13552803
> ..  suexec does not support any more to execute sphp files as CGI ..
suexec does not know anything about the extension, nor the content of the file
so need to explain why that should be

I guess that your tests.sphp is not executed 'cause of permission 7xx, set it to 550
Then ensure that the owner of the script is that user you configured for suexec, and that the GID matches suexec's condition (>99)
0
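A pre-flight check for the conditions discussed in this thread, as an added example that is not part of any post here: it mirrors a subset of the checks in Apache's documented suexec security model, using the limits from the `suexec -V` output in the question. The function name `suexec_preflight`, the message strings (other than the "file has no execute permission" line quoted from cgi.log) and the final `#!` check are assumptions of this example; the `#!` check is not a suexec test but reflects that files handled by `cgi-script` are executed directly.

```python
import os
import stat
import sys

# Build-time limits printed by `suexec -V` in the question.
DOC_ROOT, UID_MIN, GID_MIN = "/home", 99, 99


def suexec_preflight(path, uid, gid, doc_root=DOC_ROOT,
                     uid_min=UID_MIN, gid_min=GID_MIN):
    """List the reasons suexec, or the exec() that follows it, would reject
    `path` when asked to run it as the vhost's User/Group (uid/gid)."""
    problems = []
    if uid == 0 or uid < uid_min:
        problems.append("target uid is root or below UID_MIN")
    if gid == 0 or gid < gid_min:
        problems.append("target gid is root or below GID_MIN")
    directory = os.path.realpath(os.path.dirname(path) or ".")
    root = os.path.realpath(doc_root)
    if os.path.commonpath([directory, root]) != root:
        problems.append("script directory is outside DOC_ROOT")
    try:
        d, p = os.lstat(directory), os.lstat(path)
    except OSError:
        return problems + ["cannot stat program (missing or a symlink)"]
    if stat.S_ISLNK(p.st_mode):
        return problems + ["cannot stat program (missing or a symlink)"]
    writable = stat.S_IWGRP | stat.S_IWOTH
    if d.st_mode & writable:
        problems.append("directory is writable by others")
    if p.st_mode & writable:
        problems.append("file is writable by others")
    if p.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("file is either setuid or setgid")
    if {(d.st_uid, d.st_gid), (p.st_uid, p.st_gid)} != {(uid, gid)}:
        problems.append("target uid/gid mismatch with directory or program")
    if not p.st_mode & stat.S_IXUSR:
        problems.append("file has no execute permission")
    # Not a suexec check: cgi-script files are exec()ed directly, so the
    # kernel needs an interpreter line to hand the file to the PHP binary.
    with open(path, "rb") as fh:
        if fh.read(2) != b"#!":
            problems.append("no #! interpreter line")
    return problems


if __name__ == "__main__":  # usage: preflight.py /path/to/test.sphp
    st = os.lstat(sys.argv[1])
    print(suexec_preflight(sys.argv[1], st.st_uid, st.st_gid) or "ok")
```

Run stand-alone, it takes the file's own owner and group as the target, so pass the vhost's User and Group ids to `suexec_preflight` directly when they may differ.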
 

Author Comment

by:FFT
ID: 13553105
> suexec does not know anything about the extension, nor the content of the file
> so need to explain why that should be

Can't tell why; it appears that if I use the old suexec binary (3 years old...), it gives some more results without changing the httpd.conf, so I guess it is because php scripts can't be used this way (I also tried to compile it with the --enable-force-cgi-redirect feature, without any success)

> I guess that your tests.sphp is not executed 'cause of permission 7xx, set it to 550

It does not work any better with chmod 550

> Then ensure that the owner of the script is that user you configured for suexec...

What do you mean by this? I understood that suexec's main purpose was to use the owner of the file to execute the code instead of the owner of apache, so why should the owner have the same uid/gid as suexec? This is not very logical, or I misunderstand you...

> and that the GID matches suexec's condition (>99)
Yes
0
LVL 51

Expert Comment

by:ahoffmann
ID: 13553192
can you please post result of
  suexec --layout
and your apache (httpd) is running as user nobody?
or better, have you checked all this: http://httpd.apache.org/docs/suexec.html#model
0
 

Author Comment

by:FFT
ID: 13553292
/usr/local/apache/bin/suexec --layout gives nothing

only this works (already posted before)

/usr/local/apache/bin/suexec -V

 -D DOC_ROOT="/home"
 -D GID_MIN=99
 -D HTTPD_USER="nobody"
 -D LOG_EXEC="/usr/local/apache/logs/cgi.log"
 -D SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D UID_MIN=99
 -D USERDIR_SUFFIX="www"

> and your apache (httpd) is running as user nobody

YES, already posted....

> or better, have you checked all this: http://httpd.apache.org/docs/suexec.html#model

YES... since, already tested. suexec is working fine with cgi, I guess the problem is on the php side...

Thanks






0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 13772328
Submitted to PAQ with points refunded (500)

DarthMod
Community Support Moderator
0
