Convert PHP sites to use mod_fcgid with suEXEC

87 posts / 0 new
Last post
Fri, 05/29/2009 - 09:09
interknighterrant

suexec.log is still completely empty. Not a single byte.

Permissions:
~/fcgi-bin - 0755
~/fcgi-bin/php5.fcgi - 0755
~/etc/php5 - 0755
~/etc/php5/php.ini - 0755
~/public_html/test.php - 0644

All files are owned by the domain admin user.

Like anything else in linux, it is probably something really simple I am just overlooking. I'll go through from beginning to end and double check everything... maybe I missed something small.

Fri, 05/29/2009 - 09:30 (Reply to #52)
andreychek

Hmm... in looking over your working and non-working examples again, I started to wander....

Do you have SuexecUserGroup defined in the VirtualHost section?

For all my VirtualHost definitions, I have a line like:

[code:1]SuexecUserGroup "#500" "#600"[/code:1]

Where #500 is the uid, and #600 is the #gid, of the Virtual Server owner.
-Eric

Fri, 05/29/2009 - 10:27
interknighterrant

Ok, so the permissions, all the files, etc were perfect as is. I had to do two things:

1) add <i>SuexecUserGroup &quot;#1004&quot; &quot;#1004&quot;</i> (number will be different for each user and group) in the VirtualHost section. THANK YOU ERIC! I doubt I would have found that one for at least another week.

2) I had to add &quot;ExecCGI&quot; to the line <i>Options -Indexes IncludesNOEXEC FollowSymLinks</i>, in the <i>&lt;Directory /home/micahk/public_html&gt;</i> part of the VirtualHost section.

Thank you again Eric and Joe, I really appreciate your patience with me. It really is an easy process once you know what you are doing and know what to look for.

Tue, 07/21/2009 - 11:01 (Reply to #54)
cheetooh

Hi interknighterrant,

Did you managed to start and run your php as FastCGI with suexec? I am a noob and have tried to follow this post to configure but getting no where :(

Sat, 07/25/2009 - 14:52
davidksalazar

This thread is way too big follow. Anyone want to make this into one script and provide it to us? Please. hah

Sun, 07/26/2009 - 14:10
davidksalazar

Here is the script i came up with, works fine in debian 5 and ubuntu 8.04.

Setup LAMP Server Using Virtualmin

Wed, 08/19/2009 - 07:46
dean1979

I'm using mod_fcgid now, because a bug (i think). Is anyone knows how to make apache work again ? My problem is that when a client tries to upload file via http the file is created with apache:apache privs. With mod_fcgid there is no problem, but i want to use apache.

Wed, 08/19/2009 - 07:59 (Reply to #58)
andreychek

Yeah, you'd have to use either fcgid or cgi together with suexec in order to have the files created as the Virtual Server owner.

If you use mod_php, it'll create the files as apache:apache.

I'm not aware of a way to get the user permissions you want, along with mod_php.

Is there a reason mod_fcgid won't work for you?

-Eric

Wed, 08/19/2009 - 08:39
dean1979

I have some sites with free cms silverstripe, and they dont work with mod_fcgid... :/ Do you know how to get mod_cgi to work again ?

Wed, 08/19/2009 - 08:49 (Reply to #60)
andreychek

When you setup fcgid, you added these lines into your Apache config:

AddHandler fcgid-script .php
FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php

To use CGI, you'd use something like this instead:

AddType application/x-httpd-php5 .php
Action application/x-httpd-php5 /cgi-bin/php5.cgi
Wed, 08/19/2009 - 09:20
dean1979

I'm sure i'm wrong somewhere, but... i donno where :/ I have installed a virtualmin on a testmachine and there the

AddType application/x-httpd-php5 .php Action application/x-httpd-php5 /cgi-bin/php5.cgi

was commented. I have run out of ideas. Any help is welcomed.

Sun, 08/30/2009 - 18:04
vmuser2k

i am a newbie and want to convert my existing site ( running as virtual host in Virtuamin GPL) to fcgid and suexec due to difference in FTP uplaod permissions issue.

In My existing site setup Cgi-bin is running under webroot ( cg-bin is part of application) and for that i have set the virtual host directive accordingly. i.e.

/home/domain/public_html/ ----> ( php scripts placed here) /home/domain/public_html/cgi-bin ---> ( other scripts placed here like perl etc)

MY quesiton is if i convert my existing site as per the instructions by Joe (https://www.virtualmin.com/node/8462#comment-35141) and create the directory /fcgi-bin , would my existing cgi-bin still work or do i need to copy my scripts from cgi-bin to fcgi-bin.?

woul appreciate any help on this....

Tue, 09/01/2009 - 22:12 (Reply to #63)
andreychek

Whether you use the name "cgi-bin", "fcgi-bin", or "boing-boing-yoink-foo" doesn't really matter -- it's largely just a convention.

If you already have directories named "cgi-bin", that's fine, just replace the name fcgi-bin anywhere Joe wrote that, with the "cgi-bin" name that you're already using.

-Eric

Tue, 01/05/2010 - 13:00 (Reply to #64)
jo

This directory is created for each virtual server, but you need the fcgi wrapper only once per user.

Sun, 10/04/2009 - 21:51
tpnsolutions
tpnsolutions's picture

Hey folks,

Just thought I'd drop a line in on this thread.

For my setup, since I'm using Virtualmin GPL, I did the following given the instructions that were provided in this thread already, which has worked miracles with my setup.

I added the following to "/etc/skel" directory:

/etc
   /php.ini

/fcgi-bin
   /php.fcgi

Then I added the following to the "Apache Website" section of each template (between the <Directory> tags:

In the "Options" line I added:

ExecCGI

Just before the </Directory> tag I added:

AddHandler fcgid-script .php
FCGIWrapper /home/domain_dir/fcgi-bin/php.fcgi .php

In addition to this, due to the way I treat "Sub-Servers" on my system, I also created a second "skel" directory for example purposes we'll call it "/etc/skel2" and added the directory/file setup as above, and simply modified the FCGIWrapper line to reflect the correct location to the "fcgi-bin" directory.

What this effectively does is, creates all the Apache directives, and places the corresponding files into the correct place under the domain's directory so they can be used.

Anyways, That's my setup!

Best Regards,
Peter Knowles | TPN Solutions
Email: pknowles@tpnsolutions.com | Skype: tpnassist
Sun, 11/29/2009 - 15:22
hescominsoon

found another way. I just set the user and group permissions to apache.

Wed, 01/27/2010 - 17:22 (Reply to #67)
get.the.MaX

But what happens if the user has ftp access? Than he is able to change the variables in the php-starter. How do i prevent this?

Wed, 01/27/2010 - 18:57 (Reply to #68)
Daworm

Don't add the user to apache... that's prob the worst thing you can do. Apache is meant to run AS user, not user run AS apache... that means they could access other users on the server.

If you are doing it for just yourself then it shouldn't be much of an issue I would think.

Thu, 01/28/2010 - 01:53 (Reply to #69)
jo

You cannot. Not that you're losing much.

Remember that somebody with FTP access can always install a CGI script written in Perl, C, or whatever he likes (or anybody who stole his FTP password). Scripts written in these languages do not limit resource usage.

To limit per-process RAM usage, you can use ulimits. To limit disk usage, use quotas. To limit things like HTTP request or answer size, you can configure Apache. Note that there are traps for the unwary here, it's easy to limit request sizes to 10K only to find out that nobody can upload a file of 10K or more - be careful what you limit. Have suhosin installed. It is quite intelligent about plugging security holes that typical PHP code leaves - but, as said, it's not going to help against malicious users or hackers who cracked an innocent user's account.

What you need is user-based resource management (where a "resource" is any of CPU cycles, RAM usage, and network traffic). Users that use more than their share of each resource get lower priority on the resource, so the others have a chance to catch up on usage. I do not know of anything for Linux that does that though. (I'd like to have it myself!) Instead, I have set up service monitoring, installed atop, and whenever the machine gets slow, I look which user is causing CPU or RAM overload, and tell them off.

Thu, 01/28/2010 - 07:08 (Reply to #70)
get.the.MaX

But its not recommend to save the php-fcgid inside users home. Thats a big securityhole. Sure i can limit processes but first off all it must be a "save" setup. The php-fcgid starters must be outside users home for example in /home/php-fcgbin or something like that.

Thu, 01/28/2010 - 13:27 (Reply to #71)
jo

Not putting php-fcgid inside a user's home is roughly equivalent to a road bump. I enumerated the reasons in the post before; I won't repeat them here.

Thu, 01/28/2010 - 07:20
Daworm

So it'll be fine to call these fcgid and php.ini settings from outside of the users /home/ directories? I'll change that myself then if that's the case.

Thu, 01/28/2010 - 07:26 (Reply to #73)
get.the.MaX

I think so. If thats the case users with FTP access cant change the settings from php.ini and php5.fcgi. I think this is to handle with a litte script, thats called after the virtualserver creation.

Thu, 01/28/2010 - 09:22 (Reply to #74)
get.the.MaX

Ok i wrote two little very dirty script.

http://pastebin.com/m167f7d41 http://pastebin.com/d493d706e

Goto to /etc/skel

mkdir fcgi-bin
cp path/to/your/php.ini .
create php5.fcgi with this content http://pastebin.com/d493d706e
chmod 755 php5.fcgi
create /usr/local/bin/php5.fcgi with this content http://pastebin.com/m167f7d41
chmod 0755 /usr/local/bin/php5.fcgi

Goto to Virtualmin Modul Config --> Actions upon server and user creation --> Command to run after making changes to a server /usr/local/bin/php5.fcgi

Goto Server Templates --> Apache website --> Directives and settings for new websites and paste http://pastebin.com/d8df4bd2 Permissions on website subdirectory 755

Now PHP-Fcgid should work. As i said its a very dirty script. I hope someone with better bashskills could improve the script.

Sun, 02/07/2010 - 20:41 (Reply to #75)
Daworm

Can you repost the content? Pastebin links are dead/expired...

Thu, 01/28/2010 - 13:33 (Reply to #76)
jo

php.fcgi needs to be owned by the user. And Unix permissions being what they are, there is no way you can prevent a user from overwriting the file contents with something of his liking.

(Well, there is, but it will create more problems at other levels.)

Please. Let the operating system take care of itself, and it will do just fine. For example, you cannot monitor the resource usage of Mysql anyway. Anybody running monster SQLs in his PHP scripts will bog down your server no matter what. And these monster SQLs can look very innocent, until you realize there's an index missing in the database.

Either know what you're doing (or learn it), or trust your users.

Wed, 02/03/2010 - 20:24
kiminox

Hi guys,

Thank you for your help! I tried to do that with my virtualmin: to use suExec but it doesn't work. Steps: 1) my apache config in the server template: SuexecUserGroup "#540" "#538" ServerName mydomain [...] Options -Indexes +IncludesNOEXEC ExecCGI +FollowSymLinks allow from all AllowOverride All AddHandler fcgid-script .php5 FCGIWrapper /home/mydomain/fcgi-bin/php5.fcgi .php5 [...] allow from all RemoveHandler .php 2) the structure of the domains folder: cgi-bin etc fcgi-bin homes public_html [...] 3) in the fcgi-bin: -rwxr-xr-x php5.fcgi -rw-r--r-- php.ini

Well, did I miss something? Thank you

Yoong

Thu, 02/04/2010 - 13:27
jo

There are so many ways that this could go wrong that "is doesn't work" doesn't tell us what to fix. You'll need to check the logs for error messages.

Fri, 02/05/2010 - 05:02
Bertik

Hello,

I have a question regarding this setup (mod_fcgid).
I have set up my server like this some while ago. I am running Ubuntu 8.04.
I have several virtual servers on the machine, each running its own php.ini (as explained in the earlier posts of this thread).

I would like to install Zend Optimizer to be able run encoded PHP script.
How do I proceed?
If I understand it right, when I install Zend Optimizer, the installation will make some changes to php.ini, it will make a symlink to its own php.ini, etc.....

But the php.ini for each user (virtual server) is unique for each, located in the users home directory.

Does anybody know how to make this work? Did anybody installed Zend Optimizer with this setup please?

Sat, 02/06/2010 - 09:00 (Reply to #80)
Bertik

I will answer my own question. Just in case somebody need it.

Well, it is very simple.

I have downloaded the Zend Optimizer and unpacked it in my home directory.
Then I edited php.ini file on website where I did need the Zend Optimizer and pointed it to location in home directory.
Instructions from Zend: http://kb.zend.com/index.php?View=entry&EntryID=424

Sun, 02/21/2010 - 21:31 (Reply to #81)
Daworm

Zend Optimizer will do all that we want with a simple click?

Thu, 04/15/2010 - 22:55
lvthunder

I'm new to Virtualmin GPL (only had my Linode VPS for 3 days) and can't get this to work. I'm running 32 bit Ubuntu 8.04 LTS and Virtualmin installed with the script. Here is what I have done.

I copied the php.ini file to /home/jeromehamilton/etc/php5/php.ini

I then created php.fcgi in /home/jeromehamilton/fcgi-bin/php.fcgi with the following text

#!/bin/bash
PHPRC=$PWD/../etc/php5
export PHPRC
umask 022
SCRIPT_FILENAME=$PATH_TRANSLATED
export SCRIPT_FILENAME
exec /usr/bin/php-cgi

I then edited jeromehamilton.com.conf in the /etc/apache2/sites-available/jeromehamilton.com.conf with the following text

<VirtualHost 173.230.146.106:80>
SuexecUserGroup "#1001" "#1002"
ServerName jeromehamilton.com
ServerAlias www.jeromehamilton.com
DocumentRoot /home/jeromehamilton/public_html
ErrorLog /var/log/virtualmin/jeromehamilton.com_error_log
CustomLog /var/log/virtualmin/jeromehamilton.com_access_log combined
ScriptAlias /cgi-bin/ /home/jeromehamilton/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/jeromehamilton/public_html>
Options -Indexes +IncludesNOEXEC +FollowSymLinks +ExecCGI
allow from all
AllowOverride All
AddHandler fcgid-script .php
FCGIWrapper /home/jeromehamilton/fcgi-bin/php.fcgi .php
</Directory>
<Directory /home/jeromehamilton/cgi-bin>
allow from all
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.jeromehamilton.com
RewriteRule ^(.*) https://jeromehamilton.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.jeromehamilton.com
RewriteRule ^(.*) https://jeromehamilton.com:10000/ [R]
Alias /dav /home/jeromehamilton/public_html
Alias /pipermail /var/lib/mailman/archives/public
<Location /dav>
DAV On
AuthType Basic
AuthName jeromehamilton.com
AuthUserFile /home/jeromehamilton/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
RewriteEngine off
</Location>
RedirectMatch /cgi-bin/mailman/([^/\.]*)(.cgi)?(.*) https://jeromehamilton.com:10000/virtualmin-mailman/unauthenticated/$1.cgi$3
RedirectMatch /mailman/([^/\.]*)(.cgi)?(.*) https://jeromehamilton.com:10000/virtualmin-mailman/unauthenticated/$1.cgi$3
</VirtualHost>

I also had to add the following to /etc/apache2/httpd.conf

ServerName lvthunder.com

lvthunder.com is my Fully Qualified Domain Name. I'm just starting with my new site I'm building and will be moving the old ones when I get it all working right.

So when I run phpinfo it still shows php.ini being run in /etc/php5/apache2/php.ini and the Apache user as www-data. I don't know what to do now. Can someone please help me?

Thanks,

Fri, 04/16/2010 - 06:05 (Reply to #83)
tpnsolutions
tpnsolutions's picture

Hi,

Did you make the "php.fcgi" script executable? (chmod 0755)

This is an often overlooked step. Also once you've completed the changes to Apache, you need to restart it to make the settings active.

If you've done the steps above, then can you provide a snippet of the error_log file which is produced upon accessing a PHP file on your server.

I've setup tons of servers using PHP via FCGI, and have had no issues.

If needed, I can be hired to resolve your issue for a modest fee.

-Peter

Best Regards,
Peter Knowles | TPN Solutions
Email: pknowles@tpnsolutions.com | Skype: tpnassist
Fri, 04/16/2010 - 09:41 (Reply to #84)
lvthunder

No I did not make php.fcgi executable. So I did and restarted Apache and now it won't start. Here is the error.log

[Fri Apr 16 07:23:08 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Fri Apr 16 07:23:08 2010] [notice] Digest: generating secret for digest authentication ...
[Fri Apr 16 07:23:08 2010] [notice] Digest: done
[Fri Apr 16 07:23:09 2010] [notice] Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.6(2007-09-24) mod_ssl/2.2.8 OpenSSL/0.9.8g configured -- resuming normal operations
[Fri Apr 16 07:25:05 2010] [notice] caught SIGWINCH, shutting down gracefully
Fri, 04/16/2010 - 13:46 (Reply to #85)
lvthunder

I was able to restart the server and Apache started this time. I saw the error log in the virtual host just complain about not being able to find the favicon. In the log in /var/log/apache2/error.log I see.

[Fri Apr 16 11:35:59 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Fri Apr 16 11:35:59 2010] [notice] Digest: generating secret for digest authentication ...
[Fri Apr 16 11:35:59 2010] [notice] Digest: done
[Fri Apr 16 11:35:59 2010] [notice] Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.6(2007-09-24) mod_ssl/2.2.8 OpenSSL/0.9.8g configured -- resuming normal operations

Is there another log somewhere I need to look at?

Fri, 09/03/2010 - 09:38
alimali1942

What I have done: 1) Made a directory and file "/home/DOMAIN-USER/fcgi-bin/php5.fcgi that literally has: [code:1]#!/bin/bash PHPRC=$PWD/../etc/php5 export PHPRC umask 022 SCRIPT_FILENAME=$PATH_TRANSLATED export SCRIPT_FILENAME exec /usr/bin/php-cgi[/code:1]

Diyet

Pages