1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

cancelling the effect of SuexecUserGroup

Discussion in 'Plesk for Linux - 8.x and Older' started by mlcprs, Oct 31, 2009.

  1. mlcprs

    mlcprs Guest

    0
     
    Hi,

    As a Plesk, VPS and Apache beginner, I need to change the server configuration on Plesk such that the effect of the SuexecUserGroup directive is removed, so the user's cgi scripts run as the apache user (www-data), rather than as the user specified in that directive (the domain user), just like on an unshared (non-VPS) server. I don't care about security from other domains because only one domain runs on it anyway, so making the user domain-specific is irrelevant from a security point of view and stops some of the user's code working.

    This directive is found in httpd.include
    and is:
    SuexecUserGroup user psacln
    (this line appears twice, for ports 443 and 80)

    I understand that this file can't be modified, as it may be overwritten by Plesk. Therefore additional directives must go in the vhost.conf file.

    I tried creating the following vhost.conf file in the hope it would override the directives in httpd.include. Is it even possible to override it? The server will effectively see two conflicting SuexecUserGroup directives. Also I'm not sure it will be happy with a repeat of the VirtualHost directive.

    <VirtualHost 1.2.3.4:443>
    SuexecUserGroup www-data www-data
    </VirtualHost>
    <VirtualHost 1.2.3.4:80>
    SuexecUserGroup www-data www-data
    </VirtualHost>

    Anyway, the effect of this was to stop Apache running.
    I'd be grateful for any advice from someone who knows something about Apache configuration and suexec.

    Regards,
    Peter
     
  2. IgorG

    IgorG Forums Analyst Staff Member

    49
    24%
    Joined:
    Oct 27, 2009
    Messages:
    24,557
    Likes Received:
    1,242
    Location:
    Novosibirsk, Russia
    Strange. It should be overrided without any problems.
    I have tried:

    [root@cos5skx ~]# cat /var/www/vhosts/test.domain.com/conf/vhost.conf
    SuexecUserGroup psaadm psacln

    and restarted Apache without any problem. You can check Apache configuration with 'apachectl -t' before restarting. But note, that if you have created new vhost.conf - you should run '/usr/local/psa/admin/bin/websrvmng -v -a' after that.
     
  3. mlcprs

    mlcprs Guest

    0
     
    Thanks very much for your reply, Igor.

    I did /usr/local/psa/admin/bin/websrvmng -a (without the -v you suggest), but it must have worked or it would have ignored my vhost.conf rather than causing an incorrect Apache config.

    Thanks for the tip on checking Apache config with 'apachectl -t'.

    Does your vhost.conf only contain that one line
    SuexecUserGroup psaadm psacln
    or does it appear within other directives? I'm wondering if the VirtualHost directives are upsetting it. The reason I included them is because the SuexecUserGroup directive appears nested within the VirtualHost directive in the httpd.include file, so I just duplicated that structure.

    Thanks again.
    Peter
     
  4. thewolf

    thewolf Regular Pleskian

    25
    57%
    Joined:
    Mar 11, 2004
    Messages:
    231
    Likes Received:
    0
    Hi,

    Did you get it to work?
     
  5. mlcprs

    mlcprs Guest

    0
     
    No, I didn't do any further experiments, and my client decided to change to a non-Plesk server, partly due to the poor support they got on the Plesk VPS, but for other reasons as well.
     
Loading...