ispconfig 2.2.21 and system-wide php scripts...

Discussion in 'Installation/Configuration' started by kainhofer, Mar 12, 2008.

  1. kainhofer

    kainhofer New Member

    A few days ago I upgraded ispconfig to 2.2.21 (from 2.2.1x) and since then, none of my websites are able to run squirrelmail (installed in /usr/share/squirrelmail and symlinked to ~/web/webmail, same effect also with an Alias of /webmail to /usr/share/squirrelmail) or access the DB.php PHP package (installed in /usr/share/php/DB.php) from a custom php script.

    Checking/Unchecking "PHP Safe mode" does not have any effect.

    If I make a symlink from /home/www/web6/web/webmail to /usr/share/squirrelmail (or add an appropriate alias to the apache config), then I get an error message in error.log:
    Code:
    "No user or group set - set suPHP_UserGroup"
    which I don't understand, since suPHP_UserGroup is called correctly in Vhosts_ispconfig.conf (and works for other php scripts like dokuwiki, installed inside the user's home dir).

    If I simply copy over all files from /usr/share/squirrelmail to /home/www/web6/webmail/, then I get the error message

    Code:
    "Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(config/config.php) is not within the allowed path(s): (/home/www/web6) in /home/www/web6/web/webmail2/index.php on line 15"
    The other problem appears when trying to include the DB.php pear package for database access from php. There, I always get the error message:

    Code:
      Warning: require(DB.php) [function.require]: failed to open stream: No such file or directory in /home/www/web6/web/php/news.class.php on line 2
    
    Fatal error: require() [function.require]: Failed opening required 'DB.php' (include_path='.:/usr/share/php:/usr/share/pear') in /home/www/web6/web/php/news.class.php on line 2
    which is even weirder, since the DB.php file is in /usr/share/php!


    How can I restore the state from before the upgrade, i.e. that the users are allowed to run squirrelmail (and no, I don't want them to use the :81/squirrelmail/ package, since I changed the webmail URL only a few months ago and it was hard enough telling all my users about the changed URL and making them update their bookmarks, etc. I can't change that again!) and that the PHP scripts are allowed to use system-wide installed php packages, too.

    Thanks a lot,
    Reinhold
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The latest ISPConfig comes with a more secure suphp configuration which, for security reasons, will not allow calling system-wide scripts.

    If you really want to use system wide scripts, you will have to change the suphp wrapper script in /home/admispconfig/ispconfig/tools/suphp/usr/bin
     
  3. kainhofer

    kainhofer New Member

    Thanks for the hint, I was looking for a suphp.conf file and only looked in /root/ispconfig, but not in /home/admispconfig...

    I think it's really unfortunate that providing system-wide scripts (and even packages!!!) is no longer possible. This way, every!!! user e.g. has to copy the whole webmail package into his own userdir. Also, providing e.g. a dokuwiki farm is not possible now.
    Imagine what a security nightmare it will be if a flaw e.g. in squirrelmail is found! Telling all domain owners about this and making sure that they really upgrade is so much more work than upgrading the system-wide installation once...

    Anyway, I'm simply removing the open_basedir setting, since I really need system-wide scripts.

    However, I'm still having a problem with symlinked ~/web/webmail/ to /usr/share/squirrelmail/. Whenever I call www.domain.tld/webmail/, I get a server error and the log file contains
    "No user or group set - set suPHP_UserGroup"
    That's weird, since the vhost section for that domain contains a suPHP_UserGroup definition!

    Cheers,
    Reinhold
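
An added example, not part of the original thread and not ISPConfig code: a small Python model of PHP's open_basedir test, run against the open_basedir and include_path values from the error messages quoted above. It shows which include_path entries the restriction blocks and builds the narrowest open_basedir that admits specific system-wide directories, as an alternative to removing the setting. The function names are hypothetical, and the model assumes directory-style matching and paths without symlinks.

```python
import posixpath

def split_paths(value):
    """Split a colon-separated PHP path list (open_basedir, include_path)."""
    return [p for p in value.split(":") if p]

def is_allowed(path, open_basedir, cwd):
    """Model of the open_basedir test for one path.

    Assumptions: entries are matched as directories (older PHP releases
    used plain string-prefix matching), and no component is a symlink.
    PHP resolves symlinks before this test; the model does not.
    """
    full = posixpath.normpath(posixpath.join(cwd, path))
    for base in split_paths(open_basedir):
        base = posixpath.normpath(base)
        if full == base or full.startswith(base.rstrip("/") + "/"):
            return True
    return False

def audit_include_path(include_path, open_basedir, cwd):
    """Map each include_path entry to True (reachable) or False (blocked)."""
    return {p: is_allowed(p, open_basedir, cwd) for p in split_paths(include_path)}

def extend_open_basedir(open_basedir, needed_dirs, cwd="/"):
    """Append only the directories that are not already covered."""
    result = open_basedir
    for d in needed_dirs:
        if not is_allowed(d, result, cwd):
            result = result + ":" + posixpath.normpath(d)
    return result

# Values taken from the error messages quoted in this thread.
OPEN_BASEDIR = "/home/www/web6"
INCLUDE_PATH = ".:/usr/share/php:/usr/share/pear"
SCRIPT_DIR = "/home/www/web6/web/php"

if __name__ == "__main__":
    report = audit_include_path(INCLUDE_PATH, OPEN_BASEDIR, SCRIPT_DIR)
    for entry, ok in report.items():
        print(f"{entry:20} {'allowed' if ok else 'blocked by open_basedir'}")
    # Narrow alternative to dropping open_basedir entirely.
    print(extend_open_basedir(OPEN_BASEDIR,
                              ["/usr/share/php", "/usr/share/squirrelmail"]))
```

Both absolute include_path entries fall outside /home/www/web6, which is consistent with require('DB.php') failing even though the file exists in /usr/share/php.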
     
  4. falko

    falko Super Moderator Howtoforge Staff

    Can you post the vhost configuration?
     
