Apache suexec problem

unksi · 08-17-2009, 10:34 PM

This is on a FreeBSD 7.2 system with Apache 2.2.11 and PHP 5.2.10.

What is tried to set up, is a virtual host to Apache, serving pages for a set domain with dropped user privileges for the user owning the site.

When set up from ISPmanager, it creates a config that looks valid, and the website works right when accessed from the set domain. However, it does not drop the privileges to the user, but stays executed as as user 'www' as set in the system-wide config.

In the virtualhost config, it is set as 'SuexecUserGroup user group', which seems right to me. However, Apache is not able to access/write the files unless those rights are set for everyone, not just the user/group. Phpinfo() also indicates that the virtual host is run as www/www.

The Apache suexec logfile also does not indicate that any of the setup virtual hosts have been suexec'd.

Any ideas on this?

sad · 08-18-2009, 03:35 AM

SuExec doesn't work on PHP as Module. This setting works only for CGI applications. PHP as CGI for example. Apache-mpm-itk will help you.

For FreeBSD:

Code:

# cd /usr/ports/www/apache22
# echo "WITH_MPM=ITK" > Makefile.local
# make config (disable IPv6, enable mod_suexec) 
# make
# make deinstall reinstall

Also you need to add "Option ApacheMPM" to the ispmanager config (/usdr/local/ispmgr/etc/ispmgr.conf) and restart panel (killall ispmgr)

Next for all early created sites you need to change SuexecUserGroup on AssignUserID and restart apache.

unksi · 08-18-2009, 11:57 AM

That made it work, thank you!

08-17-2009, 10:34 PM	#1
unksi Junior Member Join Date: Aug 2009 Posts: 17	Apache suexec problem This is on a FreeBSD 7.2 system with Apache 2.2.11 and PHP 5.2.10. What is tried to set up, is a virtual host to Apache, serving pages for a set domain with dropped user privileges for the user owning the site. When set up from ISPmanager, it creates a config that looks valid, and the website works right when accessed from the set domain. However, it does not drop the privileges to the user, but stays executed as as user 'www' as set in the system-wide config. In the virtualhost config, it is set as 'SuexecUserGroup user group', which seems right to me. However, Apache is not able to access/write the files unless those rights are set for everyone, not just the user/group. Phpinfo() also indicates that the virtual host is run as www/www. The Apache suexec logfile also does not indicate that any of the setup virtual hosts have been suexec'd. Any ideas on this?

08-18-2009, 03:35 AM	#2
sad ISPsystem team Join Date: Oct 2006 Location: Irkutsk, Baikal Posts: 25	SuExec doesn't work on PHP as Module. This setting works only for CGI applications. PHP as CGI for example. Apache-mpm-itk will help you. For FreeBSD: Code: # cd /usr/ports/www/apache22 # echo "WITH_MPM=ITK" > Makefile.local # make config (disable IPv6, enable mod_suexec) # make # make deinstall reinstall Also you need to add "Option ApacheMPM" to the ispmanager config (/usdr/local/ispmgr/etc/ispmgr.conf) and restart panel (killall ispmgr) Next for all early created sites you need to change SuexecUserGroup on AssignUserID and restart apache.