Hello, I have a problem when updating websites. When I edit the site settings in ISPConfig and save them, the site directory permissions change to Unknown User and Group and I have to manually reset the permissions. Statistics, webdav and PHP Fast CGI will stop working. I use Debian 8.10 and ISPConfig 3.1.13. I installed following the instructions of The Perfect Server - Debian 8.4 Jessie (Apache2, BIND, Dovecot, ISPConfig 3.1) on howtoforge.com and according to the instructions of Installing Web, Email & MySQL Database Cluster on Debian 8.4 Jessie with ISPConfig 3.1 in the ISPConfig 3.1 Manual. I have also set up my server settings according to the ISPConfig 3.1 Manual, no script editing, and so on. Other services work smoothly. Settings in System - Server Config - Web Tab are:
    Set folder permissions on update: OFF
    Make web folders immutable (extended attributes): ON
    Add web users to -sshusers- group: ON
    Connect Linux userid to webid: ON
    Start ID for userid/webid connect: 10000
Has anyone met a similar problem, or can advise how to fix it? Thank you in advance.
Post the "ls -la" output from the web dir with wrong permissions and then one after you fixed it. You mentioned that you used two different tutorials; each of them is for a different kind of setup and contains all necessary steps, which leads me to the question what kind of setup you use, a multiserver mirror or a single server system?
This is a mirrored setup, where server2 is a mirror of server1. Site with wrong permissions after update in ISPConfig:
    root@srv1:~# ls -la /var/www/clients/client1/web11
    celkem 44
    drwxr-xr-x 11 root root 4096 říj 22 2017 .
    drwxr-xr-x 12 root root 4096 zář 6 2017 ..
    drwxr-xr-x 2 10011 10009 4096 říj 22 2017 backup
    drwxr-xr-x 2 root root 4096 čec 31 2017 cgi-bin
    drwxr-xr-x. 2 root root 4096 srp 24 08:25 log
    drwx--x--- 2 10011 10009 4096 čec 31 2017 private
    drwx------ 2 10011 10009 4096 říj 18 2017 .ssh
    drwxr-xr-x 2 root root 4096 srp 2 09:32 ssl
    drwxr-xr-x 2 root root 4096 čec 31 2017 tmp
    drwxr-xr-x 7 root root 4096 čec 31 2017 web
    drwxr-xr-x 2 root root 4096 čec 31 2017 webdav
Another site after fixing permissions:
    root@srv1:~# ls -la /var/www/clients/client1/web1
    celkem 188
    drwxr-xr-x 12 root root 4096 říj 22 2017 .
    drwxr-xr-x 12 root root 4096 zář 6 2017 ..
    drwxr-xr-x 2 web1 client1 4096 úno 14 2018 backup
    drwxr-x--x 6 web1 client1 4096 srp 7 08:52 blog
    drwxr-xr-x 2 web1 client1 4096 čec 25 2017 cgi-bin
    drwxr-xr-x. 4 root root 4096 srp 24 06:29 log
    drwx--x--- 2 web1 client1 4096 čec 25 2017 private
    drwx------ 2 web1 client1 4096 říj 18 2017 .ssh
    drwxr-xr-x 2 root root 4096 čec 25 2017 ssl
    drwxrwx--- 2 web1 client1 143360 srp 24 08:55 tmp
    drwxr-x--x 20 web1 client1 4096 čec 30 2017 web
    drwx--x--- 6 web1 client1 4096 bře 20 10:24 webdav
ISPConfig was gradually upgraded from version 3.1.5, I think.
The permissions of sites do not get altered in an ISPConfig update, so my guess is that it's a timing coincidence. What I guess is that you have changed the security level under system > server config from high to medium. Change it back to high. Another possibility is that there is an issue in your mirror setup and rsync changes the permissions. Or your passwd, shadow and group files on the new server are missing users or groups, e.g. when you set up the mirror not at install time of the new server.
I checked all checkboxes in the Resync Tool. I assume that there may be an issue with users and shadows in sync; how to fix it?
Same site with wrong permissions on mirror:
    root@srv2:~# ls -la /var/www/clients/client1/web11
    celkem 44
    drwxr-xr-x 11 root root 4096 úno 18 2018 .
    drwxr-xr-x 12 root root 4096 úno 13 2018 ..
    drwxr-xr-x 2 web11 client1 4096 úno 18 2018 backup
    drwxr-xr-x 2 root root 4096 úno 13 2018 cgi-bin
    drwxr-xr-x 2 root root 4096 srp 24 00:06 log
    drwx--x--- 2 web11 client1 4096 úno 13 2018 private
    drwx------ 2 web11 client1 4096 úno 13 2018 .ssh
    drwxr-xr-x 2 root root 4096 srp 2 09:33 ssl
    drwxr-xr-x 2 root root 4096 úno 13 2018 tmp
    drwxr-xr-x 7 root root 4096 úno 13 2018 web
    drwxr-xr-x 2 root root 4096 úno 13 2018 webdav
The /backup, /private and /.ssh dirs are good on the mirror; on the master they were wrong.
Try to compare the /etc/passwd and /etc/group files of the servers, do the web* users and client* groups differ in these files on the two servers?
Yes, they do. The file with 1 is from the master server, the one without 1 is from the mirror. I assume that the one from the master is OK and the one from the mirror is wrong:
    root@srv2:/etc# diff passwd passwd1
    42a43,52
    > web1:x:5004:5005::/var/www/clients/client1/web1:/bin/false
    > web2:x:5005:5005::/var/www/clients/client1/web2:/bin/false
    > web5:x:5006:5005::/var/www/clients/client1/web5:/bin/false
    > web7:x:5007:5005::/var/www/clients/client1/web7:/bin/false
    > web9:x:5008:5005::/var/www/clients/client1/web9:/bin/false
    > web10:x:5009:5005::/var/www/clients/client1/web10:/bin/false
    > web11:x:5010:5005::/var/www/clients/client1/web11:/bin/false
    > web12:x:5011:5005::/var/www/clients/client1/web12:/bin/false
    > web13:x:5012:5005::/var/www/clients/client1/web13:/bin/false
    > web14:x:5013:5005::/var/www/clients/client1/web14:/bin/false
    44,53d53
    < web9:x:10009:10009::/var/www/clients/client1/web9:/bin/false
    < web1:x:10006:10009::/var/www/clients/client1/web1:/bin/false
    < web7:x:10008:10009::/var/www/clients/client1/web7:/bin/false
    < web10:x:10010:10009::/var/www/clients/client1/web10:/bin/false
    < web2:x:10002:10009::/var/www/clients/client1/web2:/bin/false
    < web13:x:10013:10009::/var/www/clients/client1/web13:/bin/false
    < web11:x:10011:10009::/var/www/clients/client1/web11:/bin/false
    < web5:x:10005:10009::/var/www/clients/client1/web5:/bin/false
    < web14:x:10014:10009::/var/www/clients/client1/web14:/bin/false
    < web12:x:10012:10009::/var/www/clients/client1/web12:/bin/false
    root@srv2:/etc# diff group group1
    68c68
    < sshusers:x:5002:web9,web1,web7,web10,web2,web13,web11,web5,web14,web12
    ---
    > sshusers:x:5002:web1,web2,web5,web7,web9,web10,web11,web12,web13,web14
    71,72c71,72
    < ispconfigend:x:20000:
    < client1:x:10009:www-data
    \ Chybí znak konce řádku na konci souboru
    ---
    > client1:x:5005:www-data
    > ispconfigend:x:20000:
How to safely fix this on a production server, please?
My guess is that you changed one of these two options:
    Connect Linux userid to webid: ON
    Start ID for userid/webid connect: 10000
after you had already added sites on the first server, or you did not set the same options for both servers, or you might not have added the mirror server at the beginning, so your first server contained sites that are not on the mirror. To fix that now, you must copy the web* users from the passwd and shadow files from the master and replace the ones on the slave, then do the same with the client* groups in the group and gshadow files. But copy only the web* user and client* lines, not the whole files.
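The comparison this thread arrives at (do the web* users and client* groups carry the same numeric IDs on master and mirror?), as an added example that is not part of any post. The sample file contents are constructed from the diff posted above, and the function names are hypothetical.

```python
import re

# Constructed sample data modelled on the diff posted in the thread.
MASTER_PASSWD = """\
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
web1:x:5004:5005::/var/www/clients/client1/web1:/bin/false
web11:x:5010:5005::/var/www/clients/client1/web11:/bin/false
"""
MIRROR_PASSWD = """\
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
web1:x:10006:10009::/var/www/clients/client1/web1:/bin/false
web11:x:10011:10009::/var/www/clients/client1/web11:/bin/false
"""
MASTER_GROUP = "sshusers:x:5002:web1,web11\nclient1:x:5005:www-data\n"
MIRROR_GROUP = "sshusers:x:5002:web11,web1\nclient1:x:10009:www-data\n"


def parse_ids(text, name_pattern, n_ids):
    """Map account name -> tuple of numeric IDs (uid, gid for passwd; gid for group)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        ids = fields[2:2 + n_ids]
        if not re.fullmatch(name_pattern, fields[0]):
            continue  # only ISPConfig-managed web*/client* entries matter here
        if len(ids) < n_ids or not all(i.isdigit() for i in ids):
            continue  # skip malformed lines instead of guessing
        entries[fields[0]] = tuple(int(i) for i in ids)
    return entries


def mismatches(master, mirror):
    """Return (name, master_ids, mirror_ids) for differing entries; None = missing."""
    names = sorted(set(master) | set(mirror))
    return [(n, master.get(n), mirror.get(n))
            for n in names if master.get(n) != mirror.get(n)]


def compare(master_passwd, mirror_passwd, master_group, mirror_group):
    users = mismatches(parse_ids(master_passwd, r"web\d+", 2),
                       parse_ids(mirror_passwd, r"web\d+", 2))
    groups = mismatches(parse_ids(master_group, r"client\d+", 1),
                        parse_ids(mirror_group, r"client\d+", 1))
    return users, groups


if __name__ == "__main__":
    users, groups = compare(MASTER_PASSWD, MIRROR_PASSWD, MASTER_GROUP, MIRROR_GROUP)
    for kind, rows in (("user", users), ("group", groups)):
        for name, on_master, on_mirror in rows:
            print(f"{kind} {name}: master={on_master} mirror={on_mirror}")
```

An empty result from both lists means ownership set on one server resolves to the same account on the other; a differing sshusers member order, as in the diff above, is deliberately not reported because it does not affect ownership.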
I added a mirror to an existing master server with websites and then enabled Connect Linux userid to webid; the other options I did not change and they were the same for both servers. So I will do the repair: transfer the web* users from the master server to the passwd and shadow files, and the client* groups in the group and gshadow files, on the mirror. I restart the mirror. The options in the Config / Web Server will be:
    Make web folders immutable (extended attributes): ON
    Add web users to -sshusers- group: ON
    Connect Linux userid to webid: ON
    Start ID for userid / webid connect: 10000
Am I correct? Can I use the option Set folder permissions on update on a mirrored setup?
I have found that on neither the master server nor the mirror are all clients present in shadow, group, gshadow, and passwd. I have three clients and only one is included. So I will probably have to add the missing clients manually? Client ID 1 has Group ID 10009 on the system. What is the correct group ID in the system for ISPConfig, is this 1000 + ID of the client?
Clients are not in the shadow and passwd files. Clients exist only in the group and gshadow files. Website users exist in the passwd and shadow files. And if the other two clients have no websites assigned, then they will not be in the group file as well. The IDs are chosen by the Linux system, unless you have manually set the connect userid to web id with a fixed starting number.
Thanks a lot, everything works perfectly. I only have a problem with site stats when using AWStats. When I visit domain.tld/stats and enter the admin username and the correct password, I see a 404 error and the Apache log is:
    [Thu Sep 06 10:44:02.064521 2018] [authz_core:error] [pid 155056] [client xxx.xxx.xxx.xxx:52861] AH01630: client denied by server configuration: /var/www/domain.tld/web/stats/index.php
Symlink /var/www.domain.tld/web/stats exists and the stats directory has the website owner as owner and the client group, with permissions 755, and index.php has the same owner with permissions 644. I waited more than 48 hours for AWStats to collect data. I use Suexec and no manual site config file.
Yes, here it is:
    xxx.xxx.xxx.xxx - - [07/Sep/2018:09:20:15 +0200] "GET /stats/ HTTP/1.1" 401 2148 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
    xxx.xxx.xxx.xxx - - [07/Sep/2018:09:20:29 +0200] "GET /stats/ HTTP/1.1" 403 2102 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
    xxx.xxx.xxx.xxx - - [07/Sep/2018:09:20:30 +0200] "GET /favicon.ico HTTP/1.1" 404 2098 "http://www.domain.tld/stats/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3