suexec-custom is not working correctly: only reading the www-data user config file.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apache2 (Ubuntu) | Won't Fix | Medium | farhan saleh robleh |
Bug Description
For some security and performance testing on PHP we installed a new webserver with Ubuntu 10.04 LTS.
One of the goals is to run a custom php5 ini based on the user. I installed the following stack:
apache2-
apache2-mpm-worker: 2.2.14-5ubuntu8.7
php5-cgi: 5.3.2-1ubuntu4.10
The first testing user is called rootweb, his apache config is the following:
```apache
<VirtualHost *:80>
ServerAdmin webmaster@rootweb
ServerName rootweb.test (=> modification of /etc/hosts file on the client for testing)
DocumentRoot /home/rootweb/
ScriptAlias /cgi-bin/ /home/rootweb/
<Directory "/home/
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwne
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
```
As you can see, the user has a homedrive of '/home/rootweb'; in this homedrive you have a folder called 'public' that is accessible by FTP (for uploading) and HTTP. Then we have a folder 'cgi-bin'; here we have the FastCGI php5 wrapper.
The suexec user and group are rootweb.
Currently the wrapper is very easy:
```sh
#!/bin/sh
PHPRC=/
export PHPRC
export PHP_FCGI_
export PHP_FCGI_CHILDREN=8
exec /usr/lib/
```
Now, as this wrapper is outside of the document root (we cannot put it in, otherwise users are able to modify the php ini's), I should make an exception to suexec security; with suexec-custom I should be able to create a per-user file with the user's cgi-bin.
Now the problem I ran into is that suexec-custom only seems to read the www-data user config, even with the above configured suexec user & group rootweb. If I don't create a www-data file I get the following error:
```text
[2011-11-14 14:04:40]: User www-data not allowed: Could not open config file /etc/apache2/
[2011-11-14 14:04:45]: User www-data not allowed: Could not open config file /etc/apache2/
```
If I create this www-data config file with the following content, all works fine and php is running as the user 'rootweb':
```text
/home/rootweb
cgi-bin
```
But that does not look to me like the idea behind this module (to me it looks like a bug), and it would force me to put the complete '/home' directory in the file (security issue).
Thanks for reading.
visibility: private → public

Changed in apache2 (Ubuntu):
importance: Undecided → Medium
security vulnerability: yes → no

Changed in apache2 (Ubuntu):
assignee: nobody → farhan saleh robleh (farhn)
What you want to achieve is out of scope of apache2-suexec-custom. The filename in /etc/apache2/suexec is the name of the run user of apache2, i.e. whatever is specified as 'User' in /etc/apache2/apache2.conf. Or, to put it differently, that's the user suexec changes from, while SuexecUserGroup specifies the user suexec changes to.
This is described in the suexec man page, but I guess the description could be more clear.
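The naming rule in the reply above (config file = Apache's run user, not the SuexecUserGroup target) is easy to get wrong, so here is a small diagnostic script, added as an example and not part of the bug report or of the apache2 package. It assumes the Ubuntu layout where apache2.conf sets `User ${APACHE_RUN_USER}` and /etc/apache2/envvars exports that variable, and a suexec-custom file whose first line is the document root and second line the userdir suffix.

```shell
#!/bin/sh
# Added example, not from the bug report or the Debian/Ubuntu apache2 package.
# Resolves which suexec-custom config file Apache will actually consult and
# flags a document-root line that is so broad it covers every account.
# Assumed layout: "export APACHE_RUN_USER=..." in an envvars file and a
# per-run-user file <suexec_dir>/<run user> with two lines (docroot, userdir).

# Print the Apache run user from an envvars file (falls back to www-data).
suexec_run_user() {
    envvars="$1"
    user=$(sed -n 's/^export APACHE_RUN_USER=//p' "$envvars" | tail -n 1)
    if [ -n "$user" ]; then
        printf '%s\n' "$user"
    else
        printf 'www-data\n'
    fi
}

# Output: "<config file> <docroot> <userdir> <verdict>" where verdict is
#   MISSING - file absent: suexec logs "User <run user> not allowed"
#   BROAD   - docroot is "/" or a single top-level directory such as /home,
#             so any account beneath it may run CGI as its owner
#   OK      - docroot names a specific directory (e.g. /home/rootweb)
# Returns 1 when the file is missing, 0 otherwise.
suexec_custom_check() {
    envvars="$1"
    suexec_dir="$2"
    cfg="$suexec_dir/$(suexec_run_user "$envvars")"
    if [ ! -r "$cfg" ]; then
        printf '%s - - MISSING\n' "$cfg"
        return 1
    fi
    docroot=$(sed -n '1p' "$cfg")
    userdir=$(sed -n '2p' "$cfg")
    docroot=${docroot%/}              # "/home/" and "/home" are the same thing
    case "$docroot" in
        /*/*) verdict=OK ;;           # at least two path components
        *)    verdict=BROAD ;;        # "/", "/home", or an empty line
    esac
    printf '%s %s %s %s\n' "$cfg" "${docroot:-/}" "${userdir:--}" "$verdict"
}
```

Run it as `suexec_custom_check /etc/apache2/envvars /etc/apache2/suexec` on the affected host; a file named after the SuexecUserGroup user (here rootweb) is never the one reported, which is exactly the behaviour the reporter observed.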