OSDir


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[users@httpd] Re: mod_suexec with mod_userdir and fcgid (webapps in subdirs with separated user context)


Hello again,

maybe my previous mail was to verbose, or maybe simply nobody has an
idea. Still I'd like to give it a second try:

Do you have a good idea why php-cgi7.0 throws the following error when
used with mod_fcgid, mod_usermod and mod_suexec?

uid: (1002/webapp1) gid: (1002/webapp1) cmd: php-fcgi-starter cannot get
docroot information (/var/www/webapp1)

$ ls -al /var/www/webapp1
drwxr-xr-x 9 root root 4096 Jun 29  2014 .
drwxr-x---  2 webapp1 webapp1  4096 Nov  7 15:14 php-fcgi
drwxr-x---  2 webapp1 webapp1  4096 Apr 11  2015 www
[...]

The same setup works perfectly fine without mod_usermod (i.e. when the
whole VHost has a dedicated suexec user). Only with mod_usermod, we get
this strange error.

Cheers,
 jonas

Am 15.04.2018 um 12:26 schrieb Jonas Meurer:
> Hello list,
> 
> I try to make web applications available in subfolders of one
> VirtualHost, but each one in an isolated user context. All web apps are
> PHP applications and I use mod_fcgid to run them.
> 
> Unfortunately, SuexecUserGroup is not not allowed in Directory context,
> which would be by far the simples solution.
> 
> So to achieve my goal, I tried (and failed with) two different approaches:
> 
> 1. Using mod_userdir together with mod_suexec
> 2. ProxyPass to separate localhost vhosts for each app
> 
> Since the first approach seems much cleaner and more straight forward to
> me, I'd prefer that one.
> 
> Maybe you have other suggestions on how to achieve my goal?
> 
> ---
> 
> Now to the problem I ran into with my first approach:
> 
> I have UserDir enabled for system user 'webapp1' and the UserDir path
> set to '/var/www/*/www' (see the VirtualHost config below). This works
> as expected, I can access static content from within the UserDir.
> 
> Additionally, I have fcgid configured for the UserDir and apparently the
> php scripts are executed using suexec and php-cgi7.0. A suexec process
> is spawned by user 'webapp1' when requesting a php file, but it
> immediately turns into 'suexec <defunct>' (a zombie process).
> 
> In the apache2 error log shows:
> 
> uid: (1002/webapp1) gid: (1002/webapp1) cmd: php-fcgi-starter
> cannot get docroot information (/var/www/webapp1)
> 
> And the apache2 suexec log:
> 
> [fcgid:warn] [pid 30884:tid 140484201527040] (104)Connection reset by
> peer: [client 192.168.0.1:31937] mod_fcgid: error reading data from
> FastCGI server
> [core:error] [pid 30884:tid 140484201527040] [client 192.168.0.1:31937]
> End of script output before headers: index.php
> 
> 
> I double checked that all files under /var/www/webapp1 belong to
> user+group 'webapp1' and that they're accessible. I even recursively set
> world-readable permissions on the directory, which didn't change anything.
> 
> Do you have a good idea on why running php-cgi7.0 through fcgi with
> suexec and userdir results in this suexec error 'cannot get docroot
> information'?
> 
> Any hints and suggestions would be highly appreciated :)
> 
> The VirtualHost config (my current take) is as follows:
> 
> <VirtualHost *:443>
>     [...]
>     Userdir disabled
>     Userdir enabled webapp1
>     UserDir /var/www/*/www
> 
>     <IfModule fcgid_module>
>         <Directory /var/www/webapp1/www>
>             AddHandler fcgid-script .php
>             FCGIWrapper /var/www/webapp1/php-fcgi/php-fcgi-starter .php
>             Options +ExecCGI
>         </Directory>
> 
>         IPCConnectTimeout 20
>         IPCCommTimeout 60
>         FcgidBusyTimeout 60
>         MaxRequestLen 10485760
>     </IfModule>
> </VirtualHost>
> 
> 
> Looking forward to your responses.
> 
> Kind regards,
>  jonas
> 


Attachment: signature.asc
Description: OpenPGP digital signature