suexec-custom is not working correctly: only reading the www-data user config file.
For some security and performance testing on PHP we installed a new webserver with Ubuntu 10.04 LTS.
One of the goals is to run a custom php5 ini based on the user. I installed the following stack:
The first testing user is called rootweb, his apache config is the following:
ServerName rootweb.test (=> modification of /etc/hosts file on the client for testing)
ScriptAlias /cgi-bin/ /home/rootweb/
Options +ExecCGI -MultiViews +SymLinksIfOwne
Allow from all
As you can see, the user has a homedrive of '/home/rootweb'. In this homedrive you have the folder called 'public' that is accessible by FTP (for uploading) and HTTP. Then we have a folder 'cgi-bin'; here we have the fastcgi php5 wrapper.
The suexec user and group are rootweb.
Currently the wrapper is very easy:
Now as this wrapper is outside of the document root (we cannot put it in, otherwise users are able to modify the php ini's) I should make an exception on suexec security, with suexec-custom I should be able to create a per user file with the user's cgi-bin.
Now the problem I ran into is that suexec-custom only seems to read the www-data user config, even with the above configured suexec user & group rootweb. If I don't create a www-data file I get the following error:
[2011-11-14 14:04:40]: User www-data not allowed: Could not open config file /etc/apache2/
[2011-11-14 14:04:45]: User www-data not allowed: Could not open config file /etc/apache2/
If I create this www-data config file with the following config, all works fine and php is running as the user 'rootweb':
But that does not look to me like the idea behind this module (to me it looks like a bug), and it would force me to put the complete '/home' directory in the file (security issue).
Thanks for reading.
visibility: private → public
Changed in apache2 (Ubuntu):
importance: Undecided → Medium
security vulnerability: yes → no