fastcgi and php on Debian etch walkthrough

I guess he patches it because php-fcgi-starter is owned by root, and we want this to be executed by suexec but not modifiable by the user. So what he wants to do is avoid error 120.
But when I try it, it already exits at error 107 with

Code:

[2007-10-06 14:17:42]: uid: (root/root) gid: (0/0) cmd: php-fcgi-starter
[2007-10-06 14:17:42]: cannot run as forbidden uid (0/php-fcgi-starter)

I would be interested in that too!

Furthermore, with this tutorial, they forget to set e.g. AP_HTTPD_USER, which is for example mentioned here: http://www.howtoforge.com/forums/showthread.php?t=4606

 

Ehm... seems to me that the present tutorial completely ignores the fact that one should set SuexecUserGroup in vhost config. !?

 

We were looking for better security. Changing permissions of the vhost root (/var/www/webX) to 750 allows only the owner and group members to access any content of the web site. In order for apache to be still able to access content the apache user needs to be member of each web site group. But you don't need this just for php-fastcgi to work.

I haven't tried on sarge. I assume you didn't have to patch suexec on sarge?

 

That's correct but I think that ispconfig creates that line in its vhosts file if suexec is enabled (both in apache and in ispconfig)

 

Ah ok... it is not unimportant to know that Suexec should simply be enabled in ISPConfig... (and in Apache)

BTW I have created the previously mentioned diff (with context), could someone check that the patch is indeed correct (I made it against ISPconfig 2.2.16)

Code:

--- config.lib.php      2007-08-24 11:39:25.000000000 +0200
+++ /root/ispconfig_mods/scripts/lib/config.lib.php.fcgipatch   2007-10-08 09:57:42.000000000 +0200
@@ -1134,6 +1145,8 @@

   ///////////////// admispconfig der Gruppe hinzufügen ////////////////
   $mod->system->add_user_to_group("web".$doc_id);
+  // FASTCGI - added 1 line
+  //$mod->system->add_user_to_group("web".$doc_id,$apache_user);
   //////////////////// admispconfig der Gruppe hinzufügen ENDE //////////////

   $apache_user = $this->apache_user;
@@ -1142,8 +1155,11 @@
     exec("chown -R $apache_user:web$doc_id $web_path &> /dev/null");
     exec("chmod -R 775 $web_path");
     exec("chmod -R 775 $web_path_realname");
-    exec("chmod 755 $web_path");
-    exec("chmod 755 $web_path_realname");
+    // FASTCGI - comment 2 existing lines, added 2 lines
+    //exec("chmod 755 $web_path");
+    //exec("chmod 755 $web_path_realname");
+    exec("chmod 750 $web_path");
+    exec("chmod 750 $web_path_realname");
     exec("chmod 755 $web_path/user"); // user-Verzeichnis sollte nicht group-writable sein, weil Sendmail sonst warnings ausgeben könnte wg. der .forward-Datei
     exec("chmod 755 $web_path/log");
     exec("chmod 755 $web_path/ssl");
@@ -1403,11 +1419,25 @@
 AddHandler cgi-script .pl";

     if($web["web_php"]){
+      //FASTCGI (here we could add a handler for different versions of php and php.ini files
+      //FASTCGI Modification - added variable and if statement
+      $fcgip = $mod->system->server_conf["server_path_httpd_root"]."/php-fastcgi/"."web".$web["doc_id"];
+      if(!file_exists($fcgip."/php-fcgi-starter")) {
+       $mod->log->msg("creating $fcgip"."/php-fcgi-starter");
+       if(!file_exists($fcgip)) {
+         exec("mkdir -p $fcgip");
+       }
+       exec("cp -p /root/ispconfig/scripts/php-fcgi-starter ".$fcgip."/ && chown root:root ".$fcgip."/php-fcgi-starter");
+      }
       if($apache_version == 1){
-        $php = "AddType application/x-httpd-php .php .php3 .php4 .php5";
+       // FASTCGI, commented 1 line, added 1 line
+        //$php = "AddType application/x-httpd-php .php .php3 .php4 .php5";
+       $php = "ScriptAlias /php-fastcgi/ $fcgip/\n";
       }
       if($apache_version == 2){
-                  $php = '';
+       // FASTCGI, commented 1 line, added 1 line
+       //$php = '';
+       $php = "ScriptAlias /php-fastcgi/ $fcgip/\n";
                 if($go_info["server"]["apache2_php"] == 'addtype' or $go_info["server"]["apache2_php"] == 'both' or $go_info["server"]["apache2_php"] == 'suphp') {
                         $php .= "AddType application/x-httpd-php .php .php3 .php4 .php5\n";
                 }
@@ -1440,10 +1470,12 @@
                   $php .= "suPHP_AddHandler x-httpd-php\n";
           }

+         // FASTCGI, disabled if block
+         /*
           if($go_info["server"]["apache2_php"] != 'suphp') {
               if($web["web_php_safe_mode"]){
                 $php .= "\nphp_admin_flag safe_mode On
-php_admin_value open_basedir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/
+php_admin_value open_basedir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/:/usr/share:/usr/local/share:/etc/phpbb2:/etc/drupal:/tmp
 php_admin_value file_uploads 1
 php_admin_value upload_tmp_dir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/phptmp/
 php_admin_value session.save_path ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/phptmp/";
@@ -1451,6 +1483,8 @@
                 $php .= "\nphp_admin_flag safe_mode Off";
               }
         }
+         */
+         // FASTCGI - end disable if block
     } else {
       $php = "";
     }

 

Oh well currently there's no more sarge but etch out there.
I don't know if it works with standard suexec, I would guess it doesn't because apache runs as www-data and the fcgi-starter is owned by root. But I haven't tried.

 

Permissions Group and Users

Hello to everyone,

first thanks for the good work.
Second I have a Question:

I think ispconfig did not set the Group and the User correct for the webs after patching the config.lib.php.

What are correct Groups and Users for different Webs?
Example: www-data:web3 or web3:web3 or nobody:web3?

In Vhostconfig the suexec user is nobody and the group i.e web3.
Is this O.K.?

Thanks for any suggestions
Andreas

 

You need an administrator user for the site. Then the nobody or www-data will go away.

 

Permissions

O.K. after setting the dministrator nobody is blown away

But no I cannot access any site on the webspace. I get a 403 error "You don't have permission"

What can be wrong

Andreas

 

Permissions Group and Users

Once again,

sorry but I have more Questions.

meemu, ist it possible to use your patch with ispconfig version 2.2.18?

And how I can apply the patch. May be I'm a little bit stupid, but with "patch -p1" ist is not possible.

When I want to cal "phpinfo()" I get a 500 Error an the log file say:
"[Fri Dec 07 11:39:57 2007] [warn] FastCGI: (dynamic) server "/var/www/php-fastcgi/web5/php-fcgi-starter" (pid 12344) terminated by calling exit with status '1'
[Fri Dec 07 11:39:57 2007] [warn] FastCGI: (dynamic) server "/var/www/php-fastcgi/web5/php-fcgi-starter" has failed to remain running for 30 seconds given 3 attempts, its restart interval has been backed off to 600 seconds
"
Any Ideas?

THanks fror your reply
Andreas

 

not really. is that all you get in any of the logs?

anything in the suexec.log?

 

Suexec.log ?

I think there must be something more wrong, because I have no suexec.log

How I can apply your patch because I have the patch from "jmroth" and is ti for 2.2.18?

 

what sort of error do you get when you run patch?
what does your /etc/apache2/vhosts/Vhosts_ispconfig.conf file look like?

 

Wrong interpretation of your tutotial - my Fault

Hello meemo,

my Fault. I forgot to apply the debian Patches to suexec with "debian/rules". Now it works.
Thanks for your replys.
Andreas

 

Hello with all, I seek good Doc., for me to transform the configuration which I have in suphp in fastcgi or php-cgi in fastcgi, because I have to test Doc. below, but if there would be patch to transform certain thing, that will help me more easily, if you see what I want to say., thank you for your assistance....

Only the thing that I do not find, is that I seek, it is how to apply the patch, in the file :

MM

 

You're right it's missing in the walkthrough. Try something like this:

Code:

cd /root/ispconfig/scripts/lib
 patch -l --verbose config.lib.php < name of patchfile

 

Hello with all, I tested the patch, is I obtain a message of error, is in more when I want to see whether the modification to be functioned, like carrying out a research in the file to find there the word "fastcgi", it this does not find, then like making... Good day,

MM

 

will this howto work with an existing setup with some sites already running? What would I have additionally to do?

 

ok, big problem after applying all of this...

Websites don't work. Error 500 after 30sec
New sites in ISPconfig are not added to vhosts
I can't find a suexec.log file

Errors in httpd error_log after a fresh restart:

Code:

[Wed Feb 27 23:05:26 2008] [notice] SIGUSR1 received.  Doing graceful restart
[Wed Feb 27 23:05:26 2008] [notice] FastCGI: wrapper mechanism enabled (wrapper: /usr/local/lib/apache2/suexec-fcgi)
[Wed Feb 27 23:05:26 2008] [notice] FastCGI: process manager initialized (pid 4991)
[Wed Feb 27 23:05:26 2008] [notice] Apache/2.2.3 (Debian) mod_fastcgi/2.4.2 mod_ssl/2.2.3 OpenSSL/0.9.8c configured -- resuming normal operations
[Wed Feb 27 23:05:26 2008] [warn] long lost child came home! (pid 4620)
[Wed Feb 27 23:05:29 2008] [error] [client 84.153.12.92] File does not exist: /var/www/sharedip/favicon.ico
[Wed Feb 27 23:05:50 2008] [warn] FastCGI: (dynamic) server "/var/www/php-fastcgi/web3/php-fcgi-starter" (uid 10001, gid 10003) started (pid 5133)
suexec failure: could not open log file
fopen: No such file or directory
[Wed Feb 27 23:05:50 2008] [warn] FastCGI: (dynamic) server "/var/www/php-fastcgi/web3/php-fcgi-starter" (pid 5133) terminated by calling exit with status '1'
suexec failure: could not open log file
fopen: No such file or directory
[Wed Feb 27 23:05:55 2008] [warn] FastCGI: (dynamic) server "/var/www/php-fastcgi/web3/php-fcgi-starter" (uid 10001, gid 10003) restarted (pid 5135)
[Wed Feb 27 23:05:55 2008] [warn] FastCGI: (dynamic) server "/var/www/php-fastcgi/web3/php-fcgi-starter" (pid 5135) terminated by calling exit with status '1'
suexec failure: could not open log file
fopen: No such file or directory
[Wed Feb 27 23:06:00 2008] [warn] FastCGI: (dynamic) server "/var/www/php-fastcgi/web3/php-fcgi-starter" (uid 10001, gid 10003) restarted (pid 5139)
[Wed Feb 27 23:06:00 2008] [warn] FastCGI: (dynamic) server "/var/www/php-fastcgi/web3/php-fcgi-starter" (pid 5139) terminated by calling exit with status '1'
suexec failure: could not open log file
fopen: No such file or directory
[Wed Feb 27 23:06:05 2008] [warn] FastCGI: (dynamic) server "/var/www/php-fastcgi/web3/php-fcgi-starter" (uid 10001, gid 10003) restarted (pid 5141)
[Wed Feb 27 23:06:05 2008] [warn] FastCGI: (dynamic) server "/var/www/php-fastcgi/web3/php-fcgi-starter" (pid 5141) terminated by calling exit with status '1'
[Wed Feb 27 23:06:05 2008] [warn] FastCGI: (dynamic) server "/var/www/php-fastcgi/web3/php-fcgi-starter" has failed to remain running for 30 seconds given 3 attempts, its restar
t interval has been backed off to 600 seconds

here is the first occurence of the new user in ispconfig logfile:

Code:

27.02.2008 - 22:55:14 => WARN - /root/ispconfig/scripts/lib/config.lib.php, Line 2470: WARNING: could not httpd -t  &> /dev/null
27.02.2008 - 22:55:14 => WARN - /root/ispconfig/scripts/lib/config.lib.php, Line 2481: httpd syntax seems to contain errors, reloading with old configuration
27.02.2008 - 22:55:14 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 2482: mv -f /etc/apache2/vhosts/Vhosts_ispconfig.conf /etc/apache2/vhosts/Vhosts_ispconfig.conf_
27-02-08_22-55-14
27.02.2008 - 22:55:14 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 2483: mv -f /etc/apache2/vhosts/Vhosts_ispconfig.conf~ /etc/apache2/vhosts/Vhosts_ispconfig.conf
27.02.2008 - 22:55:14 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_system.lib.php, Line 728: /etc/init.d/apache2 reload &> /dev/null
27.02.2008 - 22:55:14 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 1944: cp -fr /etc/proftpd_ispconfig.conf /etc/proftpd_ispconfig.conf~
27.02.2008 - 23:03:08 => INFO - Signalfile Set: insert
27.02.2008 - 23:03:15 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 1087: cp -fr /root/ispconfig/isp/error_de /var/www/web7/web/error
27.02.2008 - 23:03:15 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 1095: cp -fr /root/ispconfig/isp/standard_index.html_de /var/www/web7/web/index.html
27.02.2008 - 23:03:15 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 1127: ln -s /var/www/web7 /var/www/www.oeschey-it.de
27.02.2008 - 23:03:15 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 94: setquota -g web7 0 0 0 0 -a &> /dev/null
27.02.2008 - 23:03:15 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 95: setquota -T -g web7 604800 604800 -a &> /dev/null
27.02.2008 - 23:03:15 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 116: Connected successfully
27.02.2008 - 23:03:15 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 214: MySQL FLUSH PRIVILEGES
27.02.2008 - 23:03:15 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_postfix.lib.php, Line 137: cp -fr /etc/postfix/local-host-names /etc/postfix/local-host-names~
27.02.2008 - 23:03:15 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_postfix.lib.php, Line 284: cp -fr /etc/postfix/virtusertable /etc/postfix/virtusertable~
27.02.2008 - 23:03:15 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_postfix.lib.php, Line 289: postmap hash:/etc/postfix/virtusertable
27.02.2008 - 23:03:15 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 1264: cp -fr /etc/apache2/vhosts/Vhosts_ispconfig.conf /etc/apache2/vhosts/Vhosts_ispconfig.conf
~
27.02.2008 - 23:03:15 => INFO - HTTPD_SYNTAX_CHECK: suexec
27.02.2008 - 23:03:15 => INFO - HTTPD_SYNTAX_CHECK: suexec
27.02.2008 - 23:03:15 => INFO - HTTPD_SYNTAX_CHECK: suexec
27.02.2008 - 23:03:15 => INFO - HTTPD_SYNTAX_CHECK: suexec
27.02.2008 - 23:03:15 => INFO - HTTPD_SYNTAX_CHECK: suexec
27.02.2008 - 23:03:15 => INFO - creating /var/www/php-fastcgi/web7/php-fcgi-starter
27.02.2008 - 23:03:16 => WARN - /root/ispconfig/scripts/lib/config.lib.php, Line 2470: WARNING: could not httpd -t  &> /dev/null
27.02.2008 - 23:03:16 => WARN - /root/ispconfig/scripts/lib/config.lib.php, Line 2481: httpd syntax seems to contain errors, reloading with old configuration
27.02.2008 - 23:03:16 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 2482: mv -f /etc/apache2/vhosts/Vhosts_ispconfig.conf /etc/apache2/vhosts/Vhosts_ispconfig.conf_
27-02-08_23-03-16
27.02.2008 - 23:03:16 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 2483: mv -f /etc/apache2/vhosts/Vhosts_ispconfig.conf~ /etc/apache2/vhosts/Vhosts_ispconfig.conf
27.02.2008 - 23:03:16 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_system.lib.php, Line 728: /etc/init.d/apache2 reload &> /dev/null
27.02.2008 - 23:03:16 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_system.lib.php, Line 728: /etc/init.d/postfix stop &> /dev/null
27.02.2008 - 23:03:16 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_system.lib.php, Line 728: /etc/init.d/postfix start &> /dev/null
27.02.2008 - 23:03:17 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_bind.lib.php, Line 278: create /etc/bind/pri.oeschey-it.de
27.02.2008 - 23:03:17 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_bind.lib.php, Line 124: cp -fr /etc/bind/named.conf /etc/bind/named.conf~
27.02.2008 - 23:03:17 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_bind.lib.php, Line 403: cp -fr /etc/bind/pri.129.114.85.in-addr.arpa /etc/bind/pri.129.114.85.in-ad
dr.arpa~
27.02.2008 - 23:03:19 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_system.lib.php, Line 728: /etc/init.d/bind9 restart &> /dev/null
27.02.2008 - 23:03:19 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 1944: cp -fr /etc/proftpd_ispconfig.conf /etc/proftpd_ispconfig.conf~
27.02.2008 - 23:03:31 => INFO - Signalfile Set: insert
27.02.2008 - 23:03:40 => INFO - USER:
web7_lars:x:10007:10007:Lars:/var/www/web7:/dev/null
27.02.2008 - 23:03:40 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 661: cp -fr /root/ispconfig/isp/user_standard_index.html_de /var/www/web7/user/web7_lars/web/ind
ex.html
27.02.2008 - 23:03:40 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 717: setquota -u web7_lars 0 0 0 0 -a &> /dev/null
27.02.2008 - 23:03:40 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 718: setquota -T -u web7_lars 604800 604800 -a &> /dev/null
27.02.2008 - 23:03:40 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_procmail.lib.php, Line 57: cp -f /root/ispconfig/isp/conf/forward.master /var/www/web7/.forward
27.02.2008 - 23:03:40 => INFO - maildirmake /var/www/web7/user/web7_lars/Maildir &> /dev/null, Line 106: maildirmake /var/www/web7/user/web7_lars/Maildir &> /dev/null
27.02.2008 - 23:03:40 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_procmail.lib.php, Line 113: symlink /var/www/web7/Maildir
27.02.2008 - 23:03:40 => INFO - chown web7_lars:web7 /var/www/web7/user/web7_lars/.spamassassin
27.02.2008 - 23:03:40 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_postfix.lib.php, Line 137: cp -fr /etc/postfix/local-host-names /etc/postfix/local-host-names~
27.02.2008 - 23:03:40 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_postfix.lib.php, Line 284: cp -fr /etc/postfix/virtusertable /etc/postfix/virtusertable~
27.02.2008 - 23:03:40 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_postfix.lib.php, Line 289: postmap hash:/etc/postfix/virtusertable
27.02.2008 - 23:03:40 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 1264: cp -fr /etc/apache2/vhosts/Vhosts_ispconfig.conf /etc/apache2/vhosts/Vhosts_ispconfig.conf
~
27.02.2008 - 23:03:40 => INFO - HTTPD_SYNTAX_CHECK: suexec
27.02.2008 - 23:03:40 => INFO - HTTPD_SYNTAX_CHECK: suexec
27.02.2008 - 23:03:40 => INFO - HTTPD_SYNTAX_CHECK: suexec
27.02.2008 - 23:03:40 => INFO - HTTPD_SYNTAX_CHECK: suexec
27.02.2008 - 23:03:40 => INFO - HTTPD_SYNTAX_CHECK: suexec
27.02.2008 - 23:03:40 => WARN - /root/ispconfig/scripts/lib/config.lib.php, Line 2470: WARNING: could not httpd -t  &> /dev/null
27.02.2008 - 23:03:40 => WARN - /root/ispconfig/scripts/lib/config.lib.php, Line 2481: httpd syntax seems to contain errors, reloading with old configuration
27.02.2008 - 23:03:40 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 2482: mv -f /etc/apache2/vhosts/Vhosts_ispconfig.conf /etc/apache2/vhosts/Vhosts_ispconfig.conf_
27-02-08_23-03-40
27.02.2008 - 23:03:40 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 2483: mv -f /etc/apache2/vhosts/Vhosts_ispconfig.conf~ /etc/apache2/vhosts/Vhosts_ispconfig.conf
27.02.2008 - 23:03:40 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_system.lib.php, Line 728: /etc/init.d/apache2 reload &> /dev/null

Anything else I should post? I need desperate help, since all my sites are down now

 

it says it cant create the suexec log file.
try
on mine it is /var/log/apache2/suexec.log
permissions are 640 (root/adm)

you should probably create it manually first (using touch)
then check permissions but that should be okay as the suexec runs as root -- btw does it have the suid set?