Hi everybody - it's Monday and the problems are with me again.

Is there a practicable way to give apache/mod_php write access to the users' public web directories? I have to make the users' public web directories write-accessible for wwwrun (or www-data). With the default ISPConfig installation (Suse10, perfect setup) that isn't possible (or am I wrong?). So I made the following changes and it works:

Add user wwwrun to the web10 group
Code:
    groupmod --add-user wwwrun web10

Make the web10 dir writable for all group members
Code:
    chmod 775 /home/www/web10

Make the web dir writable for everybody
Code:
    chmod 777 /home/www/web10/web

(Actually it should be enough to give 775 - but it isn't, and I don't understand why - but for the problem at hand I will ignore this for now.)

That works - but isn't very smart, of course. In the end it is now very insecure to give users shell access, because all users would have write access to the directories of the other users. But that is the smaller problem for me, so I wouldn't give shell access.

Now I would go on to patch the ISPConfig scripts which create the users' directories and set the above values with chmod/chown and so on.

So my questions:
- Which ISPConfig script(s) do I have to patch?
- Is there another way to give write access to the public dirs?

Thanks in advance!
Something I forgot - these solutions work, I know, but they would only be a compromise:
- running the PHP scripts as CGI (in addition to mod_php) is not the preferred solution
- http://www.suphp.org

Is there another solution?
The script is /root/ispconfig/scripts/lib/config.lib.php. Look at the function make_docroot() (around line 966).
Thank you Falko - I think I'll first check out su_php. If that does not work the way I like, I'll patch the file (but probably it will ...)

If somebody else could use this info: the two rows on line 1083 should be changed from
Code:
    exec("chown -R $apache_user:web$doc_id $web_path_realname &> /dev/null");
    exec("chown -R $apache_user:web$doc_id $web_path &> /dev/null");
to
Code:
    exec("chown -R wwwrun:web$doc_id $web_path_realname &> /dev/null");
    exec("chown -R wwwrun:web$doc_id $web_path &> /dev/null");
Sometimes wwwrun is www-data - check this out before! This is not tested!

There is a very strange thing I observed: is there any process that checks the file owners in /home/www every 1-2 minutes and makes changes to them? I added one user manually with useradd; this user now has the UID 10028 (this is the highest number in /etc/passwd but not the last entry). Now, a web directory /www/web22 is being permanently changed to xyz.web22 (where xyz is the user with UID 10028). All other dirs in /www are untouched. (The /www/web22 directory is the second-to-last web, so the last is web23.) Do you know what this could be?
$apache_user contains the Apache user - in your case wwwrun, so there's no need to change this.

By default ISPConfig creates users with UIDs above 10000. When you add users manually, you should use UIDs below 10000. What happened on your system is this: You created users with ISPConfig up to the UID 10027. Then you added a user manually; because you did not specify a certain UID, the user got the UID 10028. Then you created the next user in ISPConfig. Because ISPConfig doesn't know that you created another user manually in the meantime, the new user gets the UID 10028. And voilà, you have two users with conflicting UIDs. You should assign another UID (below 10000) to your manually created user.
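The UID clash described in the reply above can be spotted directly in /etc/passwd. The following shell script is an added example, not part of the thread or of ISPConfig: it lists UIDs shared by several accounts, and accounts in the 10000+ range whose names lack the web<N>_ prefix seen in the directory listings elsewhere in this thread (treating that prefix as ISPConfig's naming scheme is an assumption). The sample entries are constructed.

```shell
#!/usr/bin/env bash
# Added example (not ISPConfig code): audit a passwd-format file for the
# UID clash described in the thread.

# Constructed sample data; names, UIDs and home paths are made up.
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
web21_anna:x:10027:10021::/home/www/web21:/bin/false
xyz:x:10028:100::/home/xyz:/bin/bash
web22_bob:x:10028:10022::/home/www/web22:/bin/false
EOF
}

# dup_uids FILE: print "UID name1,name2" for every UID held by 2+ accounts.
dup_uids() {
  awk -F: '
    /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
    {
      if ($3 in names) names[$3] = names[$3] "," $1
      else             names[$3] = $1
      count[$3]++
    }
    END { for (u in count) if (count[u] > 1) print u, names[u] }
  ' "$1" | sort -n
}

# manual_in_range FILE [MIN]: print "UID name" for accounts whose UID is
# >= MIN (default 10000) but whose name lacks the web<N>_ prefix
# (assumed naming scheme, see lead-in).
manual_in_range() {
  awk -F: -v min="${2:-10000}" '
    /^[ \t]*(#|$)/ { next }
    $3 + 0 >= min && $1 !~ /^web[0-9]+_/ { print $3, $1 }
  ' "$1"
}

tmp=$(mktemp)
sample_passwd > "$tmp"
echo "Shared UIDs:";              dup_uids "$tmp"
echo "Manual accounts in range:"; manual_in_range "$tmp"
rm -f "$tmp"
```

On a real system, point both functions at /etc/passwd; system accounts with high UIDs such as nobody will also appear in the second list.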
mhmh, then it's even more strange on my system - the web directories in /home/www are owned by the user with the administrator checkbox in the User&Email settings. Directories created by ISPConfig without any changes from me (I didn't patch the config.lib.php file) look like this:
Code:
    drwxr-xr-x 10 web18_stefan web18 4.0K Feb 3 15:17 web18/
    drwxr-xr-x 10 web18_stefan web18 4.0K Feb 3 15:17 www.XYZ.de/
If I deselect the admin checkbox the file owner changes immediately to
Code:
    drwxr-xr-x 10 root web18 4.0K Feb 7 09:51 web18/
    drwxr-xr-x 10 root web18 4.0K Feb 7 09:51 www.XYZ.de/
If I now select another user as admin the file owner changes again
Code:
    drwxr-xr-x 10 web18_test2 web18 4.0K Feb 7 09:55 web18/
    drwxr-xr-x 10 web18_test2 web18 4.0K Feb 7 09:55 www.XYZ.de/
So there is no wwwrun user set, and without any admin checkbox set root is the owner of the dirs (but that seems to be correct?!). Setting wwwrun as the owner of all files by ISPConfig default would solve all my problems. How can I do that? Or what's going wrong there? (The perfect setup was installed fine on a brand-new Suse10 OS, all default, no errors, no strange things.) Thanks!

That's it. I changed the UID manually in /etc/passwd. After exiting vi the owner of this one directory was already fixed. Now I remember that I read somewhere about this thing with the UIDs above 10000.
That's the way it is intended. If a web site has an admin, then the admin owns these directories. If there's no admin, then the directories should be owned by the Apache user. root is not ok. Then something's strange on your system... You can change the code and hard-code wwwrun into it.
I changed the code to wwwrun in a few places around line 1081, in make_docroot(), with no result. Even if wwwrun is hardcoded, e.g. set as
Code:
    $apache_user = "wwwrun"; #$this->apache_user;
(and a few other similar places), this has no effect. The file owner will be set to root, as described above.
- Is there any debug mode to help me check out this problem?
- Which file permissions do /home and /home/www have to be set to? (/home=root.root+755 and /home/www=root.www+775 on my system)
- wwwrun is a member of group www and has nothing to do with the admispconfig user in /etc/passwd and /etc/groups - is that correct?

Thank you very much in advance for any hints!
No... Further down the function you have an $owner variable and some more chown commands. Have a look at these. That's ok. That's also ok.
Hi Falko, I found the "root" in the code in /root/ispconfig/scripts/lib/config.lib.php in function apache_user(), line 1777. If I put in a hardcoded wwwrun, all file permissions will be ok.
Code:
    function apache_user(){
      global $mod;
      $httpd_conf = $mod->system->server_conf["dist_httpd_conf"];
      $includes = $mod->file->find_includes($httpd_conf);
      $anz_includes = sizeof($includes);
      for($i=0;$i<$anz_includes;$i++){
        $includes[$i] = $mod->file->unix_nl($mod->file->no_comments($includes[$i]));
        if($line = $mod->system->grep($includes[$i], "User", "w")){
          $lines = explode("\n", $line);
          $line = $lines[0];
          $line = trim($line);
          // collapse runs of spaces to a single space
          while(strstr($line, "  ")){
            $line = str_replace("  ", " ", $line);
          }
          list($f1, $apache_user) = explode(" ", $line);
          $apache_user = trim($apache_user);
          $i = $anz_includes;
        }
      }
      # st2xo: $apache_user is nowhere set in this function...
      if(isset($apache_user) && $mod->system->is_user($apache_user)){
        # ... so this never will be returned
        return $apache_user;
      } else {
        # ... and root will be returned in every case
        return "root";
      }
    }
How is the variable $apache_user set in the function apache_user()? I think there is a global $apache_user or something like that missing. Or am I completely wrong now?
The function searches for the line that begins with "User" in all your Apache config files and returns the name of the user. Maybe the user is not set correctly in your Apache config. There is no global statement for the variable $apache_user missing.
In this part:
PHP:
    for($i=0;$i<$anz_includes;$i++){
      $includes[$i] = $mod->file->unix_nl($mod->file->no_comments($includes[$i]));
      if($line = $mod->system->grep($includes[$i], "User", "w")){
        $lines = explode("\n", $line);
        $line = $lines[0];
        $line = trim($line);
        // collapse runs of spaces to a single space
        while(strstr($line, "  ")){
          $line = str_replace("  ", " ", $line);
        }
        list($f1, $apache_user) = explode(" ", $line);
        $apache_user = trim($apache_user);
        $i = $anz_includes;
      }
    }
the function looks in the Apache configuration and all the included configuration files for something like
Code:
    User wwwrun
If it finds that line, it removes User in front so that wwwrun remains.
Hi till and falko - hehe, that looks smart! Which Apache files would be grepped by:
Code:
    $includes[$i] = $mod->file->unix_nl($mod->file->no_comments($includes[$i]));
In my complete /etc/apache2/* the only match for "wwwrun" is uid.conf (is 644)
Code:
    more /etc/apache2/uid.conf:
    User wwwrun
    Group www
Are there some other files grepped for "user", and one match gives a blank line? Could that be? Are there other files grepped except uid.conf?

Perhaps the other condition besides $apache_user is not met and so root is returned?
Code:
    if(isset($apache_user) && $mod->system->is_user($apache_user)){
      return $apache_user;
    } else {
      return "root";
    }
$mod depends on
Code:
    # /root/ispconfig/scripts/lib/classes/ispconfig_system.lib.php
    function is_user($user){
      global $mod;
      $user_datei = $this->server_conf["passwd_datei"];
      $users = $mod->file->no_comments($user_datei);
      $lines = explode("\n", $users);
      if(is_array($lines)){
        foreach($lines as $line){
          if(trim($line) != ""){
            list($f1, $f2, $f3, $f4, $f5, $f6, $f7) = explode(":", $line);
            if($f1 == $user) return true;
          }
        }
      }
      return false;
    }
So, if wwwrun is correctly given by uid.conf and then is_user() is called - what should then be checked in is_user()? I guess $user_datei is in the end /etc/passwd and exploding on ":" returns "wwwrun" - which is then equal to is_user($user).

My /etc/passwd and /etc/groups contain
    wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
    www:x:8:wwwrun
Seems to be ok. Or am I completely on the wrong track?
The function searches in all files included in your main Apache configuration file. Does the column dist_httpd_conf in the isp_server table in the ISPConfig database contain your correct Apache configuration file? Yes, that function checks /etc/passwd, and if wwwrun is in there, then it's fine.
The column contains /etc/apache2/httpd.conf and that is the file in use (which was edited by myself, it's not the default ISPConfig file!). The other cols seem to be all right (www, wwwrun, /etc/* files, etc.), all data is valid.
Hi Falko, here's the data:
Code:
    n05:~ # ls -l /etc/apache2/httpd.conf
    -rw-r--r-- 1 root root 10044 Feb 9 21:13 /etc/apache2/httpd.conf
Code:
    n05:~ # httpd -V
    Server version: Apache/2.0.54
    Server built: Sep 9 2005 18:32:43
    Server's Module Magic Number: 20020903:9
    Architecture: 32-bit
    Server compiled with....
     -D APACHE_MPM_DIR="server/mpm/prefork"
     -D APR_HAS_SENDFILE
     -D APR_HAS_MMAP
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D APR_USE_SYSVSEM_SERIALIZE
     -D APR_USE_PTHREAD_SERIALIZE
     -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
     -D APR_HAS_OTHER_CHILD
     -D AP_HAVE_RELIABLE_PIPED_LOGS
     -D HTTPD_ROOT="/srv/www"
     -D SUEXEC_BIN="/usr/sbin/suexec2"
     -D DEFAULT_PIDLOG="/var/run/httpd2.pid"
     -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
     -D DEFAULT_LOCKFILE="/var/run/accept.lock"
     -D DEFAULT_ERRORLOG="/var/log/apache2/error_log"
     -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
     -D SERVER_CONFIG_FILE="/etc/apache2/httpd.conf"
Thanks!
The output is ok. Can you find the line
Code:
    User wwwrun
in /etc/apache2/httpd.conf or any of the included files?
Yes, in /etc/apache/uid.conf:
Code:
    n05:/etc/apache2 # more uid.conf
    User wwwrun
    Group www
And uid.conf is included in httpd.conf (I checked it).
Strange... Maybe you can debug the function by putting echo statements into it or let it write some output to a file that you can check afterwards...
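One way to do the debugging suggested above without touching ISPConfig: the shell script below is an added example, not ISPConfig code. It replays the lookup from the posted apache_user() over a given list of files, assuming that grep(..., "User", "w") is a whole-word match like `grep -w`, and reports which line decided the result; the config files and their order are constructed.

```shell
#!/usr/bin/env bash
# Added example (not ISPConfig code): replay the lookup that the posted
# apache_user() performs and show which line decides the result.
# Assumption: grep(..., "User", "w") is a whole-word match like `grep -w`.

# make_sample DIR: write constructed config files and a passwd excerpt.
make_sample() {
  printf '%s\n' 'User wwwrun' 'Group www' > "$1/uid.conf"
  printf '%s\n' '# User nobody' \
    'LogFormat "%{User-Agent}i" agent' > "$1/log.conf"
  printf '%s\n' 'wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false' \
    > "$1/passwd"
}

# first_user_match FILE: first non-comment line containing the word "User".
first_user_match() {
  grep -v '^[[:space:]]*#' "$1" | grep -w -m1 'User'
}

# resolve_apache_user PASSWD FILE...: walk FILEs in order. The first file
# with any match ends the search, as `$i = $anz_includes` does in the post.
resolve_apache_user() {
  local passwd=$1 f line candidate
  shift
  for f in "$@"; do
    line=$(first_user_match "$f") || continue
    # awk trims and splits on whitespace; the second field is the candidate
    candidate=$(printf '%s\n' "$line" | awk '{ print $2 }')
    echo "decided by $f: $line" >&2
    if [ -n "$candidate" ] &&
       cut -d: -f1 "$passwd" | grep -qxF -- "$candidate"; then
      echo "$candidate"      # account exists in the passwd file
    else
      echo "root"            # same fallback as the posted function
    fi
    return 0
  done
  echo "root"                # no file contained a match
}

d=$(mktemp -d)
make_sample "$d"
resolve_apache_user "$d/passwd" "$d/uid.conf" "$d/log.conf"   # wwwrun
resolve_apache_user "$d/passwd" "$d/log.conf" "$d/uid.conf"   # root
rm -rf "$d"
```

In the constructed second call a LogFormat line containing User-Agent is the first match, so the second field is not an account name and the fallback root is returned.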