SuExec

I am using drupal to configure a multi-site environment.

The thing is the codebase is same (that's why I am using drupal) but
different sites have to be configured on it.

I want to run different sites on different users because the users
should not exceed their file size quota. Drupal codebase is an exception
to it.

They should not be able to use the default site's /files directory but
/sites//files

Any ideas ?

According to suExec docs, target file must be owned by the user and
group specified in SuExecUserGroup directive. But this is not possible here.

/srv/htdocs/main (drupal codebase) is owned by www:www

--
Nilesh Govindarajan
Site & Server Adminstrator
www.itech7.com

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: SuExec

> They should not be able to use the default site's /files directory but
> /sites//files
>=20
> Any ideas ?
>=20
> According to suExec docs, target file must be owned by the user and
> group specified in SuExecUserGroup directive. But this is not possible he=
re.
>=20
> /srv/htdocs/main (drupal codebase) is owned by www:www
>=20

You might want to check out suphp. We that might be a little more useful f=
or the drupal install. We use it for some wordpress installs to the someth=
ing similar.


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: SuExec

On 02/03/2010 12:11 PM, Gary Smith wrote:
>> They should not be able to use the default site's /files directory but
>> /sites//files
>>
>> Any ideas ?
>>
>> According to suExec docs, target file must be owned by the user and
>> group specified in SuExecUserGroup directive. But this is not possible here.
>>
>> /srv/htdocs/main (drupal codebase) is owned by www:www
>>
>
> You might want to check out suphp. We that might be a little more useful for the drupal install. We use it for some wordpress installs to the something similar.
>
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

No, I'm using FastCGI. I don't want to load any PHP module inside apache
as FastCGI gives much better performance.

--
Nilesh Govindarajan
Site & Server Adminstrator
www.itech7.com

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: SuExec

> On 02/03/2010 12:11 PM, Gary Smith wrote:
>>> They should not be able to use the default site's /files directory but
>>> /sites//files
>>>
>>> Any ideas ?
>>>
>>> According to suExec docs, target file must be owned by the user and
>>> group specified in SuExecUserGroup directive. But this is not
>>> possible here.
>>>
>>> /srv/htdocs/main (drupal codebase) is owned by www:www
>>>
>>
>> You might want to check out suphp. We that might be a little more
>> useful for the drupal install. We use it for some wordpress installs
>> to the something similar.
>>
>>
>> ------------------------------------------------------------ ---------
>> The official User-To-User support forum of the Apache HTTP Server
>> Project.
>> See for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
> No, I'm using FastCGI. I don't want to load any PHP module inside
> apache as FastCGI gives much better performance.
>
Hi,

Maybe this howto can help you.
http://www.howtoforge.com/how-to-set-up-apache2-with-mod_fcg id-and-php5-on-opensuse-11.2
http://httpd.apache.org/mod_fcgid/


Thomas


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: SuExec

On 02/03/2010 01:09 PM, Thomas Antony wrote:
>
>> On 02/03/2010 12:11 PM, Gary Smith wrote:
>>>> They should not be able to use the default site's /files directory but
>>>> /sites//files
>>>>
>>>> Any ideas ?
>>>>
>>>> According to suExec docs, target file must be owned by the user and
>>>> group specified in SuExecUserGroup directive. But this is not
>>>> possible here.
>>>>
>>>> /srv/htdocs/main (drupal codebase) is owned by www:www
>>>>
>>>
>>> You might want to check out suphp. We that might be a little more
>>> useful for the drupal install. We use it for some wordpress installs
>>> to the something similar.
>>>
>>>
>>> ------------------------------------------------------------ ---------
>>> The official User-To-User support forum of the Apache HTTP Server
>>> Project.
>>> See for more info.
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>
>> No, I'm using FastCGI. I don't want to load any PHP module inside
>> apache as FastCGI gives much better performance.
>>
> Hi,
>
> Maybe this howto can help you.
> http://www.howtoforge.com/how-to-set-up-apache2-with-mod_fcg id-and-php5-on-opensuse-11.2
>
> http://httpd.apache.org/mod_fcgid/
>
>
> Thomas
>
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

You're not getting my point. Currently the thing is setup using
mod_fastcgi (fastcgi.com).

The drupal codebase is located at /srv/htdocs/main

itech7.com is the default site and /srv/htdocs/main is its docroot.

I have another domain whose docroot is also same, but drupal
configuration makes it a different site (/srv/htdocs/main/sites//

Now if index.php is requested, it is loaded from
/srv/htdocs/main/index.php and so for all other files.

/srv is owned by www:www

Now when I browse my new domain, I want that it is run by some other
user foo:foo so that /srv/htdocs/main/files (itech7.com's cache, files,
etc.) is not writeable by the new install.

But it is not working. SuExec wrapper is loaded, but index.php is being
run by www:www instead of newuser.

--
Nilesh Govindarajan
Site & Server Adminstrator
www.itech7.com

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: SuExec

Okay, I have now a different setup. After a lot of researching on
Google, I concluded that it is not possible to do what I wanted.

Now I have a common drupal codebase located at /srv/htdocs/drupal

I am using this kind of setup - http://drupal.org/node/124268

Only difference being all user directories are at /srv/htdocs as suexec
docroot is /srv.

Now the problem is FastCGI. FastCGISuexec has been configured.

at /srv/cgi-bin, a shell script called php-cgi (the wrapper) is there
owned by www:www.

When I want to execute php files in /srv///public/file.php
then it suexec log says - "target uid/gid (500/500) mismatch with
directory (501/501) or program (501/501)"

500 is the user, 501 is www.

What's the solution for this ?

--
Nilesh Govindarajan
Site & Server Adminstrator
www.itech7.com

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: SuExec

i think you can do what you want. create several wrapper "php-cgi"
scripts each in its own directory and for all of them it and that
directory of it should be with both user and group = user of it (and
wrapper script should be executable). drupal php files can be owned by
any user and group.

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: SuExec

>
> Now I have a common drupal codebase located at /srv/htdocs/drupal
>
> I am using this kind of setup - http://drupal.org/node/124268
>
> Only difference being all user directories are at /srv/htdocs as
> suexec docroot is /srv.
>
> Now the problem is FastCGI. FastCGISuexec has been configured.
>
> at /srv/cgi-bin, a shell script called php-cgi (the wrapper) is there
> owned by www:www.
>
> When I want to execute php files in /srv///public/file.php
> then it suexec log says - "target uid/gid (500/500) mismatch with
> directory (501/501) or program (501/501)"
>
> 500 is the user, 501 is www.
>
> What's the solution for this ?
>

Hi,

Maybe the documentation for suEXEC Security Model will help you.
http://httpd.apache.org/docs/2.2/suexec.html


Thomas

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: SuExec

--0016e648f370b6a130047eb6d8f8
Content-Type: text/plain; charset=UTF-8

On Wed, Feb 3, 2010 at 10:03 AM, Thomas Antony wrote:

>
>
>
>> Now I have a common drupal codebase located at /srv/htdocs/drupal
>>
>> I am using this kind of setup - http://drupal.org/node/124268
>>
>> Only difference being all user directories are at /srv/htdocs as suexec
>> docroot is /srv.
>>
>> Now the problem is FastCGI. FastCGISuexec has been configured.
>>
>> at /srv/cgi-bin, a shell script called php-cgi (the wrapper) is there
>> owned by www:www.
>>
>> When I want to execute php files in /srv///public/file.php
>> then it suexec log says - "target uid/gid (500/500) mismatch with directory
>> (501/501) or program (501/501)"
>>
>> 500 is the user, 501 is www.
>>
>> What's the solution for this ?
>>
>>
> Hi,
>
> Maybe the documentation for suEXEC Security Model will help you.
> http://httpd.apache.org/docs/2.2/suexec.html
>
>
> Thomas
>
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
I understand the need for this but I just wanted to note that I've tried
being a shell user in a suexec environment and it really sucks. Get ready
for lots of support calls.

--0016e648f370b6a130047eb6d8f8
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Re: SuExec

On 02/03/2010 09:55 PM, dinar qorbanof wrote:
> i think you can do what you want. create several wrapper "php-cgi"
> scripts each in its own directory and for all of them it and that
> directory of it should be with both user and group = user of it (and
> wrapper script should be executable). drupal php files can be owned by
> any user and group.
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

I'm doing the same here.

Here's my config (in httpd.conf):

------------------------------------------------------------ -----------

FastCgiSuexec bin/suexec

FastCgiConfig -singleThreshold 1 -minProcesses 2 -maxProcesses 10
-maxClassProcesses 5 -autoUpdate -idle-timeout 180 -pass-header
HTTP_AUTHORIZATION

AddHandler fastcgi-script .fcgi

Include conf/extra/php.conf

In php.conf -

DirectoryIndex index.html index.php

AddType text/html .php

AddHandler php-fastcgi .php



Options +ExecCGI



In VHOST-

SuexecUserGroup user group

ScriptAlias /cgi-bin/ /path-to-cgi-bin/



Order allow,deny

Allow from All

SetHandler fastcgi-script



Action php-fastcgi /cgi-bin/php.fcgi

In php.fcgi-

#!/bin/bash

exec /usr/local/bin/php-cgi $@

---------------------------------------------

But this shows me a blank page. The same code is being used by many
people as written on their blogs when I searched on Google. How come
doesn't work here ?

--
Nilesh Govindarajan
Site & Server Adminstrator
www.itech7.com

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: SuExec

Please ignore my previous message. I was going nuts due to this and I
think I didn't see the "FOO" in elinks.

Its working properly now.

--
Nilesh Govindarajan
Site & Server Adminstrator
www.itech7.com

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org