403 Forbidden when trying to get suexec+mod_fcgid working

403 Forbidden when trying to get suexec+mod_fcgid working - Printable Version

+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Support Area (/forum-30.html)
+--- Forum: System Setup & Installation (/forum-32.html)
+--- Thread: 403 Forbidden when trying to get suexec+mod_fcgid working (/thread-1786.html)

Pages: 1 2

403 Forbidden when trying to get suexec+mod_fcgid working - pgentoo - 11-14-2007 04:08 PM

Hey guys,

Just for reference, i'm running:
-Gentoo 2007.0
-Apache 2.2..6
-mod_fcgid-1.10

I'm trying to get all the gentoo configs cleaned up so the install works out of the box and i'm currently hung up on fcgid+suexec issues.

When set the FCGIWrapper to /var/www/fcgi/master/php5-fcgi-starter and enable suexec i get the following error in my suexec_log:

{{{[2007-11-11 17:08:15]: uid: (2000/vu2000) gid: (2000/2000) cmd: php5-fcgi-starter
[2007-11-11 17:08:15]: target uid/gid (2000/2000) mismatch with directory (0/0) or program (2000/2000)}}}

{{{~ # ls -la /var/www/fcgi/master/
total 8
drwxr-xr-x 4 root root 176 Nov 11 21:07 .
drwxr-xr-x 3 root root 72 Nov 11 16:06 ..
drwxr-xr-x 2 root root 72 Nov 11 16:06 php4
-rwxr-xr-x 1 vu2000 vu2000 203 Nov 11 21:30 php4-fcgi-starter
drwxr-xr-x 2 root root 72 Nov 11 16:06 php5
-rwxr-xr-x 1 vu2000 vu2000 203 Nov 11 21:30 php5-fcgi-starter
}}}

{{{~ # ls -la /var/www/ispcp/gui/
total 34
dr-xr-xr-x 12 vu2000 apache 504 Nov 11 16:56 .
drwxr-xr-x 7 vu2000 vu2000 168 Nov 11 16:06 ..
dr-xr-xr-x 3 vu2000 apache 1872 Nov 11 15:57 admin
dr-xr-xr-x 3 vu2000 apache 2232 Nov 11 15:57 client
dr-xr-xr-x 4 vu2000 apache 128 Nov 11 15:57 domain_default_page
dr-xr-xr-x 4 vu2000 apache 248 Nov 11 15:57 errordocs
-r--r--r-- 1 vu2000 apache 1886 Nov 11 21:19 favicon.ico
-r--r--r-- 1 vu2000 apache 1016 Nov 11 21:20 imagecode.php
dr-xr-xr-x 5 vu2000 apache 976 Nov 11 15:57 include
-r--r--r-- 1 vu2000 apache 3004 Nov 11 21:20 index.php
-r--r--r-- 1 vu2000 apache 4508 Nov 11 21:20 lostpassword.php
dr-xr-xr-x 3 vu2000 apache 264 Nov 11 15:57 orderpanel
drwxr-xr-x 3 vu2000 apache 152 Nov 11 16:52 phptmp
dr-xr-xr-x 3 vu2000 apache 1568 Nov 11 15:57 reseller
-r--r--r-- 1 vu2000 apache 43 Nov 11 21:20 robots.txt
-r--r--r-- 1 vu2000 apache 20 Nov 11 16:56 test.php
dr-xr-xr-x 5 vu2000 apache 136 Nov 11 15:57 themes
dr-xr-xr-x 6 vu2000 apache 184 Nov 11 15:57 tools
}}}

Anyone have any ideas on what the issue is here? I would like to get this fixed, so I can run through and verify the other changes I've made and check in my updated configs.

Thanks,
Jesse

RE: 403 Forbidden when trying to get suexec+mod_fcgid working - achioo - 11-15-2007 12:45 AM

chown your php5 directory in your master folder to be that of your vu2000

RE: 403 Forbidden when trying to get suexec+mod_fcgid working - pgentoo - 11-15-2007 02:55 AM

achioo Wrote:chown your php5 directory in your master folder to be that of your vu2000

Thanks for the idea. I messed around with my folder permissions/ownership before but it looks like I always had at least one thing incorrect each time. It appears that the magic trick to get this working was to chown /var/www/fcgi/master folder itself as vu2000:vu2000.

This was how it was after running the installation script. Can someone chime in with where change need to be made to correctly chown the directory?

Thanks,
Jesse

RE: 403 Forbidden when trying to get suexec+mod_fcgid working - jmeyerdo - 11-15-2007 03:02 AM

pasichnyk Wrote:This was how it was after running the installation script. Can someone chime in with where change need to be made to correctly chown the directory?

I remember the same problem with my CentOS-installation.
Is this a general bug or is it distro-dependent?

Kind regards, Jens

RE: 403 Forbidden when trying to get suexec+mod_fcgid working - pgentoo - 11-15-2007 03:11 AM

jmeyerdo Wrote:
pasichnyk Wrote:This was how it was after running the installation script. Can someone chime in with where change need to be made to correctly chown the directory?

I remember the same problem with my CentOS-installation.
Is this a general bug or is it distro-dependent?

Kind regards, Jens

I don't believe ispcp-setup has any distro specific code in it (that should be done via the configs/dist folder right?

I would guess that this is a system wide issue. I can file a bug against it, but would much rather have a working patch to provide as well. Smile

If anyone has a patch for this, or can point me to where it needs to be changed, please let me know.

Personally, i think we need to add a chown into: setup_php_master_user_dirs() in the ispcp-setup script... Just after we create the master/php4 and master/php5 directories.

-
Jesse

RE: 403 Forbidden when trying to get suexec+mod_fcgid working - pgentoo - 11-15-2007 03:24 AM

How about adding this to the setup_php_master_user_dirs():

my $master_username = $main::cfg{'APACHE_SUEXEC_USER_PREF'}$main::cfg{'APACHE_SUEXEC_MIN_UID'};
my $master_groupname = $main::cfg{'APACHE_SUEXEC_USER_PREF'}$main::cfg{'APACHE_SUEXEC_MIN_GID'};

$cmd = "$main::cfg{'CMD_CHOWN'} $master_username:$master_groupname $starter_dir/master";
$rs = sys_command($cmd);
return $rs if ($rs != 0);

I haven't tested this yet, but I believe it should work... Smile

RE: 403 Forbidden when trying to get suexec+mod_fcgid working - jmeyerdo - 11-15-2007 03:32 AM

pasichnyk Wrote:Personally, i think we need to add a chown into: setup_php_master_user_dirs() in the ispcp-setup script... Just after we create the master/php4 and master/php5 directories.

As I remember the error occured only with the master-domain - not for all new created domains, isn't it?
In this case you have to check the install-script:
/var/www/ispcp/engine/setup/ispcp-setup

I am not really sure about the correct line. But I would assume this is not hard for one of the developers. ;-)

Kind regards, Jens

RE: 403 Forbidden when trying to get suexec+mod_fcgid working - pgentoo - 11-15-2007 04:58 AM

Actually,

I ended up with:

my $master_username = "$main::cfg{'APACHE_SUEXEC_USER_PREF'}$main::cfg{'APACHE_SUEXEC_MIN_UID'}";
my $master_groupname = "$main::cfg{'APACHE_SUEXEC_USER_PREF'}$main::cfg{'APACHE_SUEXEC_MIN_GID'}";

my $cmd = "$main::cfg{'CMD_CHOWN'} $master_username:$master_groupname $starter_dir/master";
$rs = sys_command($cmd);
return $rs if ($rs != 0);

This appears to work fine. Can one of the devs confirm that this is the correct thing to do to fix this issue? I don't want to create some other problem (security?) by making this change to the installer.

Thanks,
Jesse

RE: 403 Forbidden when trying to get suexec+mod_fcgid working - RatS - 11-15-2007 07:53 PM

It looks like a bug. master-folder has to have first UID-User and -Group (normally 2000). I'll fix it. Thank you for your tests pasichnyk

RE: 403 Forbidden when trying to get suexec+mod_fcgid working - pgentoo - 11-16-2007 02:03 AM

RatS Wrote:It looks like a bug. master-folder has to have first UID-User and -Group (normally 2000). I'll fix it. Thank you for your tests pasichnyk

RatS,

In case you need it, I've attached my patch for the permissions change. This also includes a change to do a search/replace on 00_master.conf for {PHP_VERSION} to properly support running the site with php4-fcgi-starter or php5-fcgi-starter. Please see attached.

Thanks,
Jesse