Beginner security issue

[scottthepotter]

I am trying to allow customers to install a content management system such as Joomla. However I end up having to go in and change all file ownerships to 'apache' and group to 'apache'. Installing under their 'ftpuser' account doesn't seem to give all of the scripts the proper rights. What is the solution?

 

[lvalics]

Solution is mod_suphp, see our how to for setup ... also our Power Toys can helo you as GUI.

 

[scottthepotter]

Thanks

Thanks, I purchased the powertoys and I am in the process of installing and configuring suPHP. I had looked into suexec which is already installed, but the documentation appeared to be a bit foreboding to me.

 

[lvalics]

you need to disable for start the mod_suphp then enable it per domains. Where you are stucked?

 

[scottthepotter]

Sorry, I didn't communicate very well. I am not stuck with suPHP.

 

[lvalics]

ok, what can I help you then?

 

[scottthepotter]

Okay, installed suphp, tried to follow the instructions as best I could but getting the following error after restarting apache:

UID of script "/var/www/vhosts/ackerman-family.org/httpdocs/joomla/index.php" is smaller than min_uid

here is my mod_suphp.conf:

# This is the Apache server configuration file providing suPHP support..
# It contains the configuration directives to instruct the server how to
# serve php pages while switching to the user context before rendering.

LoadModule suphp_module modules/mod_suphp.so


### Uncomment to activate mod_suphp
suPHP_AddHandler php5-script


# This option tells mod_suphp if a PHP-script requested on this server (or
# VirtualHost) should be run with the PHP-interpreter or returned to the
# browser "as it is".
suPHP_Engine on


# This option tells mod_suphp which path to pass on to the PHP-interpreter
# (by setting the PHPRC environment variable).
# Do *NOT* refer to a file but to the directory the file resists in.
#
# E.g.: If you want to use "/path/to/server/config/php.ini", use "suPHP_Config
# /path/to/server/config".
#
# If you don't use this option, PHP will use its compiled in default path.
suPHP_ConfigPath /etc

here is my suphp.conf:

[global]
;Path to logfile
logfile=/var/log/suphp.log

;Loglevel
loglevel=info

;User Apache is running as
webserver_user=apache

;Path all scripts have to be in
docroot=/

;Path to chroot() to before executing script
;chroot=/mychroot

; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false

;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=true

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
umask=0077

; Minimum UID
min_uid=100

; Minimum GID
min_gid=100

; Use correct permissions for mod_userdir sites
handle_userdir=true

[handlers]
;Handler for php-scripts
php5-script=php:/usr/bin/php-cgi

;Handler for CGI-scripts
x-suphp-cgi=execute:!self

I do not have a vhost.conf file configured for ackerman-family.org. Is this the problem? Do I have to now go and configure a vhost.conf file for every domain on my server now?

 

[lvalics]

suPHP_Engine on - put this to OFF for the whole server and enable it on each domain in vhost.conf

UID of script "/var/www/vhosts/ackerman-family.org/httpdocs/joomla/index.php" is smaller than min_uid

I think is root the owner, must be the domain owner.

 

[scottthepotter]

Okay, got that straightened out, but now I restart apache I get the following message:

0: /usr/local/psa/admin/plib/common_func.php3:158
psaerror(string 'Unable to make action: Unable to manage service by websrvmng: websrvmng: Service /etc/init.d/httpd failed to restart')
1: /usr/local/psa/admin/htdocs/server/restart_services.php:28

If I comment all of the lines having to do with suPHP in my vhost.conf then it will restart fine, but of cousrse suPHP does not work. Here is the contents of my vhost.conf file:

# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#

DocumentRoot /var/www/vhosts/usable-devel.com/httpdocs/joomla

< IfModule mod_suphp.c >
< Directory "/var/www/vhosts/usable-devel.com/httpdocs/" >
php_admin_flag engine on
suPHP_Engine On
suPHP_ConfigPath "/var/www/vhosts/usable-devel.com/httpdocs/"
AddHandler x-httpd-php .php
AddHandler php5-script .php
AddHandler x-httpd-php .php .php5 .php4 .php3 .phtml
suPHP_AddHandler x-httpd-php
suPHP_AddHandler php5-script .php
php_value open_basedir "/tmp/"
php_value upload_tmp_dir "/var/www/vhosts/usable-devel.com/httpdocs/tmp/"
< Files php.ini >
order allow,deny
deny from all
< /Files >
< /Directory >
< /IfModule >

I have already created the "tmp" folder. It has the domain user as the owner and "psacln" as the group, and 0755 permissions. I have also tried with the owner and group being "root".

 

[lvalics]

Please contact me at support at grafxsoftware.com and send some details to login and check, is hard to see now what is the problem.

 

[scottthepotter]

Subdomains?

So what is the trick to get mod_suphp to work with subdomains?

 

[lvalics]

See vhost.conf and you can do for subdomains as well.

 

[scottthepotter]

I tried that but can't get it to work. Do I have to set up a new 'tmp' directory in the subdomain as well as copy the php.ini file there as well?

 

[lvalics]

Yes ... you need to setup also php.ini

 

[scottthepotter]

Thanks, problem fixed!