Websites down after kernel update

Discussion in 'ISPConfig 3 Priority Support' started by MaxT, Aug 3, 2017.

  1. MaxT

    MaxT Active Member HowtoForge Supporter

    After updating the kernel from 3.2.0.x to 4.9.xx-grsec, the PHP scripts are showing a 500 internal error. The HTML pages are working, so it seems to be a problem with the fcgi.

    The new grsec kernel complains about trusting the execution:

    /var/log/kern.log:
    Code:
    Aug  3 00:56:31 host kernel: [ 3777.526944] grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /var/www/php-fcgi-scripts/web4/.php-fcgi-starter by /var/www/php-fcgi-scripts/web4/.php-fcgi-starter[suexec:9158] uid/euid:5007/5007 gid/egid:5007/5007, parent /usr/sbin/apache2[apache2:1599] uid/euid:0/33 gid/egid:33/33
    Aug  3 00:56:37 host kernel: [ 3783.225178] grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /var/www/php-fcgi-scripts/web4/.php-fcgi-starter by /var/www/php-fcgi-scripts/web4/.php-fcgi-starter[suexec:9164] uid/euid:5007/5007 gid/egid:5007/5007, parent /usr/sbin/apache2[apache2:1599] uid/euid:0/33 gid/egid:33/33
    
    /var/log/apache2/error.log:
    Code:
    suexec policy violation: see suexec log for more details
    [Thu Aug 03 00:06:55.379360 2017] [fcgid:warn] [pid 1697] (104)Connection reset by peer: [client x.x.x.x:49978] mod_fcgid: error reading data from FastCGI server
    
    /var/log/apache2/suexec.log:
    Code:
    [2017-08-03 00:14:25]: (13)Permission denied: exec failed (.php-fcgi-starter)
    [2017-08-03 00:14:59]: uid: (5007/web4) gid: (5007/client2) cmd: .php-fcgi-starter
    [2017-08-03 00:14:59]: (13)Permission denied: exec failed (.php-fcgi-starter)
    [2017-08-03 00:15:12]: uid: (5007/web4) gid: (5007/client2) cmd: .php-fcgi-starter
    [2017-08-03 00:15:12]: (13)Permission denied: exec failed (.php-fcgi-starter)
    [2017-08-03 00:15:21]: uid: (5004/web1) gid: (5005/client1) cmd: .php-fcgi-starter
    [2017-08-03 00:15:21]: (13)Permission denied: exec failed (.php-fcgi-starter)
    [2017-08-03 00:15:42]: uid: (5004/web1) gid: (5005/client1) cmd: .php-fcgi-starter
    
    .php-fcgi-scripts permissions:
    Code:
    # ll /var/www/php-fcgi-scripts/web1/.php-fcgi-starter
      -rwxr-xr-x 1 web1 client1 1,1K mar 23/05/2017 15:55 /var/www/php-fcgi-scripts/web1/.php-fcgi-starter
    
    php-fcgi-scripts content:
    Code:
    # cat /var/www/php-fcgi-scripts/web1/.php-fcgi-starter
    
    #!/bin/sh
    PHPRC="/etc/php5/cgi/"
    export PHPRC
    PHP_DOCUMENT_ROOT="/var/www/clients/client1/web1"
    export PHP_DOCUMENT_ROOT
    # The variable PHP_FCGI_CHILDREN is onyl useful for lighty or nginx as apache
    # mod_fcgi will control the number of childs themself and never use the additional processes.
    # PHP_FCGI_CHILDREN=8
    # export PHP_FCGI_CHILDREN
    PHP_FCGI_MAX_REQUESTS=5000
    export PHP_FCGI_MAX_REQUESTS
    export TMP=/var/www/clients/client1/web1/tmp
    export TMPDIR=/var/www/clients/client1/web1/tmp
    export TEMP=/var/www/clients/client1/web1/tmp
    exec /usr/bin/php-cgi \
      -d open_basedir="/var/www/clients/client1/web1/web:/var/www/clients/client1/web1/private:/var/www/clients/client1/web1/tmp:/var/www/myhost.com/web:/srv/www/myhost.com/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin" \
    -d disable_functions="" \
    -d suhosin.executor.func.blacklist="" \
    -d upload_tmp_dir=/var/www/clients/client1/web1/tmp \
    -d session.save_path=/var/www/clients/client1/web1/tmp \
    -d sendmail_path="/usr/sbin/sendmail -t -i -f [email protected]" \
      $1
    
    new grsec users inside /etc/groups
    Code:
    # cat /etc/group
    ....
    www-data:x:33:
    ispconfig:x:5004:www-data
    client1:x:5005:www-data
    client0:x:5006:www-data
    client2:x:5007:www-data
    mysyslog:x:999:mail,dovecot,daemon,dovenull,messagebus,mysql,ntp,postfix,root
    uuidd:x:101:
    input:x:117:
    memcache:x:124:
    grsec-tpe:x:64040:
    grsec-sock-all:x:64041:
    grsec-sock-clt:x:64042:
    grsec-sock-srv:x:64043:
    grsec-proc:x:64044:
    
    I'm not sure if this is a problem between grsec and the permissions given by ISPC, or if this is a problem with my present configuration.
    Maybe the grsec kernel is not recommended?

    I'm on Debian Jessie 8.
     
    Last edited: Aug 3, 2017
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I don't use grsec kernels, so I can't help you with that.
     
  3. MaxT

    MaxT Active Member HowtoForge Supporter

    OK. Well, at least it is certain that the problem is with grsec, because the same kernel 4.9.xx without grsec works.
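
An added example (not part of the thread and not ISPConfig or grsecurity code): a small Python parser for the `grsec: denied untrusted exec` lines quoted in the first post, grouping denials by directory, uid/gid and stated reason so the affected directories and accounts can be reviewed. The function names and the regular expression are this example's own, and the message layout is assumed to match the two quoted lines.

```python
import posixpath
import re
from collections import Counter

# The first two lines are the kern.log entries quoted in the first post;
# the third is a constructed, unrelated kernel line that must be skipped.
SAMPLE = """\
Aug  3 00:56:31 host kernel: [ 3777.526944] grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /var/www/php-fcgi-scripts/web4/.php-fcgi-starter by /var/www/php-fcgi-scripts/web4/.php-fcgi-starter[suexec:9158] uid/euid:5007/5007 gid/egid:5007/5007, parent /usr/sbin/apache2[apache2:1599] uid/euid:0/33 gid/egid:33/33
Aug  3 00:56:37 host kernel: [ 3783.225178] grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /var/www/php-fcgi-scripts/web4/.php-fcgi-starter by /var/www/php-fcgi-scripts/web4/.php-fcgi-starter[suexec:9164] uid/euid:5007/5007 gid/egid:5007/5007, parent /usr/sbin/apache2[apache2:1599] uid/euid:0/33 gid/egid:33/33
Aug  3 00:56:40 host kernel: [ 3786.000000] eth0: link up
"""

# Layout assumed from the quoted lines: reason, target path, calling
# process [comm:pid], its uid/gid pairs, then the parent binary.
DENIAL = re.compile(
    r"grsec: denied untrusted exec \((?P<reason>[^)]*)\) of (?P<path>\S+) by "
    r"\S+\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) "
    r"gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<parent>\S+?)\["
)
NUMERIC = ("pid", "uid", "euid", "gid", "egid")


def parse_denials(text):
    """Return one dict per denial line; other kernel lines are ignored."""
    denials = []
    for line in text.splitlines():
        match = DENIAL.search(line)
        if match is None:
            continue
        record = match.groupdict()
        for key in NUMERIC:
            record[key] = int(record[key])
        denials.append(record)
    return denials


def summarize(denials):
    """Count denials per (directory, uid, gid, reason)."""
    return Counter(
        (posixpath.dirname(d["path"]), d["uid"], d["gid"], d["reason"])
        for d in denials
    )


if __name__ == "__main__":
    for (directory, uid, gid, reason), count in summarize(parse_denials(SAMPLE)).items():
        print(f"{count}x uid={uid} gid={gid} dir={directory}: {reason}")
```

Each reported directory can then be compared against the reason in the message, for example with `ls -ld` to see its owner and mode.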
     
