php5-cgi not working with suphp in Hardy
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
php5 (Ubuntu) |
Won't Fix
|
Undecided
|
Unassigned | ||
Hardy |
Won't Fix
|
Undecided
|
Unassigned | ||
suphp (Debian) |
Fix Released
|
Unknown
|
|||
suphp (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Hardy |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
Suphp doesn't work in Hardy. It seems that it is simply ignored and php processes are executed under www-data.
It was working fine under Gutsy. I dist-upgraded a month ago but I discovered the problem only recently (because one of my website was unable to read a config file chmoded to 700). I'm pretty sure it's the dist-upgrade because the suphp log stopped the day I dist-upgraded (approximately at least).
I didn't change anything in the config in the meantime. Also, when investigation the problem, I copied /etc/apache2 /etc/php5 and /etc/suphp from a working Debian installation. It doesn't work under Hardy.
The symptoms are the following :
1) if mod_php5 is enabled, processes run with www-data permissions. phpinfo() returns "Apache 2.0 Handler " as the server API. (when suphp is working, it returns "Cgi/FastCgi" AFAIK
2) if mod_php5 is not enabled, you will receive an error 500. The logs contain the following lines :
[Wed Jul 30 14:31:55 2008] [error] [client 212.190.219.18] SecurityException in Application.
[Wed Jul 30 14:31:55 2008] [error] [client 212.190.219.18] Caused by KeyNotFoundExce
[Wed Jul 30 14:31:55 2008] [error] [client 212.190.219.18] Premature end of script headers: index.php
If both suphp and php5 are disabled, then your browser offers you to download the file (which is normal).
Also, it has to be noted that suphp is well active because if you try to access a software not in the defined root, you will get an error in the logs. So, it seems like the problem is not suphp but the cgi part of php5 which is not responding or something like that.
I'm not an expert so I'm not sure about the where to assign this issue.
CVE References
Changed in suphp: | |
status: | Unknown → New |
Changed in suphp: | |
status: | New → Confirmed |
Changed in suphp (Debian): | |
status: | Unknown → Fix Released |
In fact, it seems that, unlike in Debian, libapache2-mod-php5 takes precedence over suphp. It means that you cannot install both and use suphp only on specific locations because mod-php5 will be called.
In Debian, this is not the case.