Hello, I have an installation of ISPConfig 2.2.21 and have installed suPHP according to the howto found at http://www.howtoforge.com/install-suphp-on-various-linux-distributions-for-use-with-ispconfig-2.2.20-and-above

suPHP now seems to be working well for PHP scripts and Textpattern sites when using 0664 access rights on files. However, I want to have 0600 so no FTP user or shell user can see files from another web. But if I give group and other no read rights, Apache throws an error 403. What do I need to do?

Here is my config. From /etc/apache2/vhosts/Vhosts_ispconfig.conf:

Code:
###################################
#
# ISPConfig vHost Configuration File
# Version 1.0
#
###################################
#
NameVirtualHost xxx.xxx.xxx.249:80

<VirtualHost xxx.xxx.xxx.249:80>
ServerName localhost
ServerAdmin root@localhost
DocumentRoot /var/www/sharedip
</VirtualHost>
#
#
######################################
# Vhost: www.yyyy.de:80
######################################
#
#
<VirtualHost xxx.xxx.xxx.249:80>
SuexecUserGroup web1_ web1
ServerName www.yyyy.de:80
ServerAdmin [email protected]
DocumentRoot /var/www/web1/web
ServerAlias yyyy.de
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
Alias /cgi-bin/ /var/www/web1/cgi-bin/
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
ErrorLog /var/www/web1/log/error.log
AddType application/x-httpd-php .php .php3 .php4 .php5
<Directory /var/www/web1/web>
suPHP_Engine on
suPHP_UserGroup web1_ web1
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php
SetEnv php_safe_mode Off
</Directory>
Alias /error/ "/var/www/web1/web/error/"
ErrorDocument 400 /error/invalidSyntax.html
ErrorDocument 401 /error/authorizationRequired.html
ErrorDocument 403 /error/forbidden.html
ErrorDocument 404 /error/fileNotFound.html
ErrorDocument 405 /error/methodNotAllowed.html
ErrorDocument 500 /error/internalServerError.html
ErrorDocument 503 /error/overloaded.html
AliasMatch ^/~([^/]+)(/(.*))? /var/www/web1/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web1/user/$1/web/$3
</VirtualHost>

If I access a file with 0600 (-rw-------) access rights, the browser shows an error 403 and I get an entry in /var/www/web1/log/error.log:

Code:
[Wed Mar 19 19:29:40 2008] [error] [client xx.xxx.xxx.xx] (13)Permission denied: file permissions deny server access: /var/www/web1/web/index.html

Partial workaround: a partial workaround I have found so far is to add the user www-data to the group of the web and set access rights to 0660. The disadvantage is that www-data needs to be added manually to every group.
Yes it is. The user "web1_" has the admin flag set in the ISPConfig web interface, and the user web1_ owns the directories and files.

Code:
zwei:/var/www/web1/web# ls -lha
insgesamt 160K
drwxrwxr-x 26 web1_ web1 4,0K 2008-03-20 18:15 .
drwxr-xr-x  9 web1_ web1 4,0K 2008-03-19 18:37 ..
[...]
-rw-r-----  1 web1_ web1   52 2008-03-20 18:20 test.html
[...]

BTW, should the thread be moved into the ISPConfig Installation/Configuration forum? Thanks a lot.
The complete content of /etc/suphp.conf is:

Code:
[global]
;Path to logfile
logfile=/var/log/suphp.log

;Loglevel
loglevel=info

;User Apache is running as
webserver_user=www-data

;Path all scripts have to be in
docroot=/

;Path to chroot() to before executing script
;chroot=/mychroot

; Security options
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false

;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=false

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
umask=0077

; Minimum UID
min_uid=100

; Minimum GID
min_gid=100

[handlers]
;Handler for php-scripts
x-httpd-php=php:/home/admispconfig/ispconfig/tools/suphp/usr/bin/php-wrapper

;Handler for CGI-scripts
x-suphp-cgi=execute:!self
Looks ok. I couldn't find anything about it on the web, but I think that Apache still needs read access to the files.
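The thread's conclusion is that suPHP only covers PHP scripts (they run as web1_ via suPHP_UserGroup), while static files are still read by Apache itself as www-data, so they need a group read bit once www-data is in the web's group. The following audit script is an added example, not from any poster or from ISPConfig; it assumes the layout from the posts (files owned by web1_:web1, Apache as www-data added to group web1, target mode 0640 instead of 0600 or 0664) and that GNU or BSD stat is available. It flags files that would still 403 and files that remain readable by every other local user.

```shell
#!/bin/sh
# Added example: audit a web root for the two permission problems from the thread.
#   world-readable : "other" read bit set, so any FTP/shell user of another web can read it
#   apache-denied  : non-PHP file without group read; Apache (www-data, member of the web
#                    group) serves it directly and logs "(13)Permission denied" -> 403
# PHP files are exempt from the second check: under suPHP they execute as the file owner
# (suPHP_UserGroup web1_ web1), so 0600 is fine for them.

# classify_mode MODE NAME -> prints world-readable | apache-denied | ok
# MODE is an octal string such as 0640 or 640 (as printed by stat).
classify_mode() {
    mode=$1 name=$2
    m=${mode#"${mode%???}"}        # last three octal digits: owner/group/other
    go=${m#?}                      # group and other digits
    g=${go%?}                      # group digit
    o=${go#?}                      # other digit
    case $o in 4|5|6|7) echo world-readable; return;; esac   # read bit is 4
    case $name in *.php|*.php3|*.php4|*.php5) echo ok; return;; esac
    case $g in 4|5|6|7) echo ok;; *) echo apache-denied;; esac
}

# audit_webroot DIR -> prints "<verdict> <path>" per problem file; prints nothing when clean.
audit_webroot() {
    find "$1" -type f | while read -r f; do
        # GNU stat first, BSD/macOS stat as fallback (assumption: one of them exists)
        perm=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        verdict=$(classify_mode "$perm" "$f")
        [ "$verdict" = ok ] || echo "$verdict $f"
    done
}
```

Run it as `audit_webroot /var/www/web1/web`; a clean tree (0640 static files, 0600 or 0640 PHP files, www-data in group web1) produces no output.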