PHP write permissions

Discussion in 'Installation/Configuration' started by RicochetPeter, Sep 20, 2006.

  1. RicochetPeter

    RicochetPeter Member

    Hi folks,

    I have some sort of permission problem regarding php wanting to change/create files:

    Imagine I have a web at /var/www/web1/web:
    Code:
    drwxrwxr-x   7 web1_benjamin web1 4096 2006-07-12 20:52 web
    which obviously belongs to web1_benjamin.

    Now, any php script residing in this (or any deeper) directory that wants to create or modify files will spit out an error:
    Code:
    Warning: touch() [function.touch]: Unable to create file test.txt because Permission denied in /var/www/web1/web/test/test.php on line 5
    PHP will succeed in creating/modifying files when I either chmod a+w or chgrp www-data the directory. The first is not really desired (I'd actually like ISPConfig to create directories w/o any rights for others....) and the second means handwork.
    Secondly, the created files are user www-data and group www-data:
    Code:
    -rw-r--r--   1 www-data    www-data    0 2006-09-20 21:33 test.txt
    

    OK, let's sum it up:
    1. How do I make ISPConfig create directories rwxrwx--- when it sets up a web?
    2. How do I make Apache/PHP use the user/group of the web it's working in to create/modify files?


    PS: this is ISPConfig 2.2.0, running on Ubuntu 5.10
     
    Last edited: Sep 20, 2006
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    1) you will have to change the sources for this.

    2) Run PHP with suPHP or as cgi with suexec instead of mod_php, so the php scripts will run under the admin user of the website. You will have to update to ISPConfig 2.2.6 to be able to use suPHP together with ISPConfig.
     
  3. RicochetPeter

    RicochetPeter Member

    I upgraded to 2.2.6 (seems to be working just fine), and also tried to switch from PHP5 as a module to PHP5 as a CGI.

    Starting Apache gives me this error:
    Code:
    Invalid command 'php_admin_flag', perhaps mis-spelled or defined by a module not included in the server configuration
    Many questions:

    1a) Do I understand this correctly, that php_admin_flags can only be put in the apache config files when PHP is a module?
    1b) Should they be in a .htaccess if PHP is a cgi?
    2) Do I have to activate the "Suexec" option in Management->Server->Settings?
    3) Does ISPConfig need to know (by some setting) that I want to use PHP as a cgi?
    4) Did I go wrong somewhere?
     
    Last edited: Sep 21, 2006
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    1a) yes
    1b) It does not work in .htaccess files either.
    2) yes.
    3) no, but you will have to deactivate the safemode checkboxes, as safemode is not supported in cgi-php.
    4) no, just deactivate safemode in the website settings.
     
  5. RicochetPeter

    RicochetPeter Member

    I took one of my webs and disabled safe_mode, and ISPConfig still uses "php_admin_flag safe_mode Off", so Apache will stumble over that config line again....

    the vhost now looks like this:
    Code:
    <VirtualHost 85.85.85.85:80>
    Include /etc/apache2/vhost_includes/bla.de.conf
    ServerName www.bla.de:80
    ServerAdmin [email protected]
    DocumentRoot /var/www/web12/web
    ServerAlias bla.de
    DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
    ScriptAlias  /cgi-bin/ /var/www/web12/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    ErrorLog /var/www/web12/log/error.log
    AddType application/x-httpd-php .php .php3 .php4 .php5
    <Files *.php>
        SetOutputFilter PHP
        SetInputFilter PHP
    </Files>
    <Files *.php3>
        SetOutputFilter PHP
        SetInputFilter PHP
    </Files>
    <Files *.php4>
        SetOutputFilter PHP
        SetInputFilter PHP
    </Files>
    <Files *.php5>
        SetOutputFilter PHP
        SetInputFilter PHP
    </Files>
    php_admin_flag safe_mode Off
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Alias /error/ "/var/www/web12/web/error/"
    ErrorDocument 400 /error/invalidSyntax.html
    ErrorDocument 401 /error/authorizationRequired.html
    ErrorDocument 403 /error/forbidden.html
    ErrorDocument 404 /error/fileNotFound.html
    ErrorDocument 405 /error/methodNotAllowed.html
    ErrorDocument 500 /error/internalServerError.html
    ErrorDocument 503 /error/overloaded.html
    AliasMatch ^/~([^/]+)(/(.*))? /var/www/web12/user/$1/web/$3
    AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web12/user/$1/web/$3
    </VirtualHost>
    
     
    Last edited: Sep 22, 2006
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I'm not sure if the suphp setting is compatible with cgi-php, but it's worth a try.

    Please change the line:

    $go_info["server"]["apache2_php"] = 'both';

    to:

    $go_info["server"]["apache2_php"] = 'suphp';

    in the config.inc.php file, then edit your website settings so ISPConfig recreates your config files.
     
  7. RicochetPeter

    RicochetPeter Member

    This gave me more Apache startup errors, complaining about "suPHP" settings.

    Whatever,

    I took directions on the web how to enable mod_php and php-cgi side by side so I can play a little...

    For a correct implementation of the needs I described in the beginning (php scripts run with the user/group of the web they're in), you need the following things:

    - php(4|5)-cgi
    - /etc/apache2/conf.d/php(4|5)-cgi config file like:
    Code:
     Action         application/x-php4-cgi /cgi-bin/php4
     AddType        application/x-php4-cgi .cphp
    - a link in /var/www/webxy/cgi-bin/ to /usr/lib/cgi-bin/php(4|5) (not symbolic)

    and what's the most difficult part:

    - a self-compiled suexec binary (/usr/lib/apache2/suexec2) that will not complain about the ownership of the php cgi binary

    Jeez, am I the first to want this scheme for the hosting users?
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Then don't use the PHP checkboxes at all and copy the lines:

    In the apache directives field of the website.


    No, but most users are using SuPHP instead of SuExec, which works fine with ISPConfig.
     
  9. djamoer

    djamoer New Member

    My server still unable to use Suexec

    Hi guys,

    Thanks to Till Brehm for setting up my server.
    I'm confused about why Suexec doesn't work on my server. I tried enabling it in the system settings and disabling PHP Safe Mode on the site that I want to use Suexec on.

    Is there anything that I did wrong? What should I do to check whether my server support Suexec or not?

    Thanks
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess suexec is compiled into your server. Simply turning on SuEXEC does not mean that PHP is now run as CGI; you will have to install a CGI PHP binary and add some additional apache configuration code to the apache directives field to enable php as CGI. If you want to use SuPHP, make sure that SuPHP is available for your linux distribution and enable SuPHP in the config.inc.php file.
     
  11. djamoer

    djamoer New Member

    Thanks Till,

    I'm still wondering about the difference between suPHP, suexec, and phpsuexec. If someone could point me in the right direction on how to get a comparison of all these things, that would be great. From what I can understand, there is no need to run suexec, because suphp runs faster and it also runs as the owner of the site, so there is no need to chmod files to 777, while suexec, I believe, is more secure and slower. Am I correct?

    I'll do my homework by searching through this forum on how to run suphp with ispconfig, but if someone can guide me through this, it will be AWESOME.

    Thank you guys for this great software. I'm not a linux user, but I'm starting to get used to the linux command line, lol :D
     
  12. falko

    falko Super Moderator Howtoforge Staff

  13. djamoer

    djamoer New Member

    Yes I did Falko, in fact I figured out that SuPHP is not compatible with Apache 2.2, am I correct?

    I might be able to compile a PHP-CGI binary to run as an alternative to using the PHP module, but to be honest, compiling the binary is a lot of hassle, considering I'm not a linux user, lol....

    I would prefer to have SuPHP installed, so by default all php will run with its own permissions. Could you justify my above statement regarding the compatibility issue? My Apache version is Apache 2.2.2, which runs under Fedora Core 5.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, I think so. There are still lots of modules missing for apache 2.2

    PHP-CGI binaries come with most linux distributions, you don't have to compile them yourself.
     
  15. djamoer

    djamoer New Member

    So do you guys think it's worth a try to downgrade the apache server from 2.2 to 2.1 maybe, so that I'll be able to use SuPHP? Or do you think it's better to just use SuExec?

    Btw Till, do you know the exact location where I can get the binary file for php-cgi on Fedora Core 5? Sorry for being such a noob...
    I also wonder about the checkbox for enabling SuEXEC in the server settings. What is it for? Will it make a difference if I check or uncheck the checkbox?

    Thanks for all the replies guys....
     
  16. falko

    falko Super Moderator Howtoforge Staff

    You can find out by running
    Code:
    updatedb
    locate php5
    If you enable suExec, ISPConfig will enable suExec for each vhost.
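
A check for the two side effects described in the first post (a docroot opened up with chmod a+w, and files left owned by www-data under mod_php), as an added example that is not part of the thread. The function name `audit_docroot` and the output tags are hypothetical; it looks at mode bits and ownership only and ignores ACLs.

```shell
#!/bin/sh
# Added example, not code from the thread. Function name and output tags are
# hypothetical. Classic mode bits and ownership only; POSIX ACLs are ignored.

# audit_docroot DOCROOT OWNER
#   DOCROOT  web root to scan, e.g. /var/www/web1/web
#   OWNER    user name or numeric uid expected to own everything in it,
#            e.g. web1_benjamin
# Prints one tagged line per finding, sorted; prints nothing if clean.
audit_docroot() {
    {
        # Directories writable by "others": what chmod a+w leaves behind.
        find "$1" -type d -perm -0002 2>/dev/null |
            sed 's/^/WORLD-WRITABLE-DIR /'
        # Regular files writable by "others".
        find "$1" -type f -perm -0002 2>/dev/null |
            sed 's/^/WORLD-WRITABLE-FILE /'
        # Anything not owned by the site user, such as files created by
        # mod_php running as www-data.
        find "$1" ! -user "$2" 2>/dev/null |
            sed 's/^/FOREIGN-OWNER /'
    } | sort
}

# Constructed demo tree so the script runs offline and without root.
demo_root=$(mktemp -d)
mkdir "$demo_root/uploads" "$demo_root/static"
chmod 0777 "$demo_root/uploads"   # the "chmod a+w" workaround
chmod 0755 "$demo_root/static"    # left alone
: > "$demo_root/static/index.html"
chmod 0644 "$demo_root/static/index.html"

audit_docroot "$demo_root" "$(id -u)"
```

On a real server the call would be `audit_docroot /var/www/web1/web web1_benjamin`; after a switch to suPHP or suexec, FOREIGN-OWNER lines for www-data show files created earlier under mod_php that the site user still cannot modify.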
     
