Run PHP as User

[EduardH]

Run PHP (virtual host) as User 1.4.15. PHP, Python and other Apache modules can be run as FTP user w/o additional overhead. Extra RAM and CPU resources are not spent unlike suPHP and FastCGI technologies.

This add-on for Parallels Plesk Panel allows to run PHP scripts as domain FTP user. It only works in conjunction with mod_ruid2 (preferable) or mpm-itk Apache module. Standard PHP module is used to runs scripts. Any domain can be configured to run PHP as FTP user or Apache user.

Actually all modules like mod_python, mod_perl etc. also are run as FTP user on domains where "Run as User" feature is active.

...........Security
......../ ............\
..More -- Performance -- for your PHP sites
........\ ........... /
..........Convenience

Security

• PHP code on different domains is run as different system users. PHP script on a domain can modify only the files on the same domain.
• Insecure permissions (666, 777) on files and directories are not required.

Performance

• PHP scripts use less RAM and CPU time resources than with suPHP or FastCGI.
• Your server can host much more PHP sites w/o being overloaded.

Convenience

• The sites can be controlled by FTP, because PHP scripts do not create Apache owned directory/files. Any file / directory created by PHP script is available for FTP access.
• Templates for vhost.conf can be used to affect all domains and/or subdomains.

Usage example:



See also

• Documentation
• Products
• Trial version
• Order now: $19 (+ $29.95 if installation option is added)
  1. Open Order page
  2. Select "Installation: Yes" if you would like us to install "Run PHP as User" software on your server
  3. Click "Update Cart" -> "Checkout"
  4. Enter valid information and complete payment procedure
• Ask questions, report issues, order more products/services in Helix Development client area
• On Demand Support Engineer: about $50/hr (improve security, resolve issues, install additional software)

Compatible Plesk versions:

• Plesk 8 for Linux
• Plesk 9 for Linux
• Plesk 10 for Linux
• Plesk 11 for Linux

Additional features

• Command line interface provides extended control
• Templates for vhost.conf with variables to configure all domains, subdomains, sites
• If domain/subdomain name or FTP user are changed in Plesk panel, Apache configuration in vhost.conf is updated automatically (with event handlers)

Current version: 1.4.15
[+] Plesk 11.5: Protected directories permissions are corrected
[+] Plesk 11.5: New cgi-bin location is recognized

Version: 1.4.14
[+] asuser_psa_sync.sh is compatible with Plesk 11.5

Version: 1.4.13
[+] Bugfix: License check in GUI for Plesk 11.5

Version: 1.4.12
[+] GUI for Plesk 11.5 is visible

Version: 1.4.11
[+] Plesk 11.5 is supported

Version: 1.4.10
[+] Templates for vhost.conf with variables have been implemented
[+] Auto testing for CLI has been added

Version: 1.3.1
[+] Apache directives are added to vhost.conf instead of asuser.conf
[+] Domains are migrated w/o configuration errors because of missing asuser.conf

Version: 1.3.14
[+] Non-default vhost map error is fixed

Version: 1.3.12
[+] Compatibility with Plesk 11

Version: 1.3.11
[+] Event Handlers identification by name

Version: 1.3.10
[+] Mod_ruid2 installation is checked during Run PHP as User installation.
[+] Event Handlers for (sub)domain creation and modification adapted for Plesk 10.4.4

Version: 1.3.8
[+] Run PHP as User is turned on when for a new subdomain created (one should do auto_on first).
[+] Event Handler clearing error for Debian is fixed.

Version: 1.3.7
[+] GUI improvements
[+] Documentation changes

Version: 1.3.6
[+] Domain name can be changed if subdomains exist

Version: 1.3.5
[+] Fixed crontab issues for RPM-based OS

Version: 1.3.4
[+] Empty root crontab will be recognized
[+] Broken Apache configuration will be rebuilt with httpdmng

Version: 1.3.3
[+] New domain format in psa DB is recognized (Plesk 10)
[+] New subdomain format in psa DB is recognized (Plesk 10.4)

Version: 1.3.2
[+] Installer creates global configuration for mod_ruid2
[+] Test feature: is "running as user" on/off at specified domain
[*] mpm-itk is available but not recommended

Version: 1.2.15
[+] Status table for all domains
[+] CGI and statistics function OK
[+] FastCGI can be configured in vhost.conf in specified directories

Version: 1.2.6
[+] Command line interface for advanced control
[+] Web form and CLI are fast!
[+] Automate turning "Run as User" on for newly created domains or cancel this behaviour
[+] Turn "Run as User" on / off for all domains
[+] Subdomains are supported
[+] Domain FTP user can be changed

 

[BruceLeeX]

Hi Eduard,

this looks great. What about the ability to have individual php settings vor each vhost?
Right now I use mod_fcgid with php.ini files for each vhost. vhost.conf is just too limited (e.g. php_value memory_limit 64M does not work when using fcgid).
And what about PHP Opt Caches? How does it work?

Thanks for your feedback

 

[atomicturtle]

mod_ruid2 is now available in the [atomic] repo, and httpd 2.2.17 with ITK support is available in the [atomic-testing] channel.

 

[EduardH]

BruceLeeX:

mod_ruid2 and mpm-itk modules are intended to run as specified user any Apache code in a virtual host usually executed as Apache user.

Probably most people would like to run standard PHP module as virtual host user with these modules. Configuration settings for PHP can be placed in vhost.conf or .htaccess, this is usual way for mod_php.

So you have the same php.ini file for all virtual hosts where mod_php is activated. Some php.ini settings can not be applied in vhost.conf, so you can use CGI / FastCGI / suPHP for domains where such settings are required, but of course more RAM and CPU resources would be spent, and system stability can be reduced.

Also you can place such virtual hosts to another server with mod_itk or mod_ruid2, so you can get rid of FastCGI or suPHP and host more domains with the same resources and more reliability.

Concerning PHP opcode cachers, like eaccelerator or xcache, I believe it's possible to run them with mod_ruid2 or mpm-itk. Some hosting providers mention this feature. Let me know if you have issues with mod_ruid2 and PHP accelerators.

So if a server running PHP with CGI, FastCGI or suPHP is seemed to be slow, overloaded or unstable, mod_ruid2 probably could help.

Thank you for your interest, any feedback is welcome.

 

[MegaCrash]

How to apply php per-user for all domains, and set this option as default, when new domains will be created? I want completely exclude possibility to run scripts by user "apache".

 

[EduardH]

It's possible to configure in Plesk an event running a script while domain creation to setup new domain to run scripts as FTP user. Also probably "domain skeleton" definition can help.

The following script will setup virtual hosts on all domains to run as FTP user.

#!/bin/bash
PSA_DIR=`awk '/^PRODUCT_ROOT_D[[:space:]]/{print $2}' /etc/psa/psa.conf`
while read DOMAIN Junk; do
    echo "-- Domain: $DOMAIN -- will be run as FTP user"
    "$PSA_DIR"/admin/sbin/set_dom.php "$DOMAIN" on
done < <(mysql -uadmin -p`</etc/psa/.psa.shadow` -Ns -Dpsa -e"select name from domains d where htype='vrt_hst' and not exists (select * from helix_asuser h where h.dom_id=d.id and h.asuser='true')")

 

[EduardH]

MegaCrash:

Subdomains are supported. Changing domain FTP user is processed correctly.

Advanced functionality has been added to command line interface. New syntax:

• To run PHP scripts as vanon.com domain FTP user:
  

  # /usr/local/psa/admin/sbin/set_dom.php on DOMAIN

• To run PHP scripts as Apache user:
  

  # /usr/local/psa/admin/sbin/set_dom.php off DOMAIN

• To add "Physical hosting created" Plesk event handler executing the command set_dom.php on with a new domain:

  # /usr/local/psa/admin/sbin/set_dom.php auto_on

• To remove "Physical hosting created" Plesk event handler executing the command set_dom.php on with a new domain:

  # /usr/local/psa/admin/sbin/set_dom.php auto_off

• To run PHP scripts as domain FTP user on all domains:
  

  # /usr/local/psa/admin/sbin/set_dom.php all_on

• To run PHP scripts as Apache user on all domains:
  

  # /usr/local/psa/admin/sbin/set_dom.php all_off

• To update system user in Apache configuration after changing vanon.com FTP user from command line interface:
  

  # /usr/local/psa/admin/sbin/set_dom.php update DOMAIN

 

[theywill]

Could this be used to solve the Plesk Wordpress problem. Wordpress is unable to write files and update itself because it's running as apache and doesn't have permission to write files. The solution is to open up the permissions. However, if PHP was running as the FTP user, would Wordpress be able to write files?

Thank you,
James

 

[Charles Ferland]

I have a problem with this module.

When my httpdocs is chmod 750 (drwxr-x---), I get an error 403 ([Thu Feb 17 11:32:19 2011] [crit] [client IP] (13)Permission denied: /var/www/vhosts/DOMAIN/httpdocs/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

When I chmod 755 my httpdocs, all is working again.

My /etc/httpd/conf.d/ruid2.conf
LoadModule ruid2_module modules/mod_ruid2.so

How can I get it working with 750 permission.

Mod_ruid2 installed from atomic repo

 

[atomicturtle]

Make sure the files are owned by the user you are running the domain as

 

[Charles Ferland]

I got it working but I have two problems with this script.

There are my results of the problems at this moment:

With Plesk default Installation, mod_ruid2 and Helix Runas FTP user, Centos 5.5 64 bis, PLesk 9.2.3

Problems:

When Run PHPas User FTP Module is "ON" for a website

1) www.domain.com/plesk-stat/webstat/ doesn't work anymore
[Fri Feb 18 18:41:40 2011] [crit] [client 66.254.45.3] (13)Permission denied: /var/www/vhosts/DOMAIN.COM/statistics/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable


2) Any protected directory under httpdocs/ is not working anymore (always bad login / password)

____________________________

CONFIGS:


ruid2_module (shared)



more /etc/httpd/conf.d/ruid2.conf

LoadModule ruid2_module modules/mod_ruid2.so

<IfModule mod_ruid2.c>
RMode config
RUidGid apache apache
RGroups apache psaserv
#RGroups apache psaserv psasb
RMinUidGid apache apache
</IfModule>


more conf/vhost.conf
Include /var/www/vhosts/DOMAIN.COM/conf/asuser.conf

more conf/asuser.conf
<IfModule itk.c>
AssignUserId ladecoupe psacln
</IfModule>
<IfModule mod_ruid2.c>
RMode config
RUidGid ladecoupe psacln
RGroups psacln
</IfModule>

ls -al /var/www/vhosts/DOMAIN.COM/
total 64
drwxr-xr-x 14 root root 4096 Jan 14 2010 .
drwxr-xr-x 289 root root 12288 Feb 16 14:20 ..
drwxr-x--- 5 ladecoupe psaserv 4096 Nov 19 2009 anon_ftp
drwxr-x--- 2 ladecoupe psaserv 4096 Nov 19 2009 cgi-bin
drwxr-x--- 3 root psaserv 4096 Feb 16 19:48 conf
drwxr-xr-x 2 root psaserv 4096 Nov 19 2009 error_docs
drwxr-x--- 11 ladecoupe psaserv 4096 Feb 16 15:20 httpdocs
drwxr-x--- 6 ladecoupe psaserv 4096 Nov 19 2009 httpsdocs
drwxr-x--- 2 root psaserv 4096 Feb 16 16:17 pd
drwx------ 2 ladecoupe root 4096 Nov 19 2009 private
dr-xr-x--- 8 root psaserv 4096 Feb 10 15:18 statistics
drwxr-xr-x 2 root psaserv 4096 Nov 19 2009 subdomains
drwxr-xr-x 3 root psacln 4096 Jan 14 2010 vault_scripts
drwxr-xr-x 2 root psaserv 4096 Nov 19 2009 web_users


ls -al /var/www/vhosts/DOMAIN.COM/pd/
total 16
drwxr-x--- 2 root psaserv 4096 Feb 16 16:17 .
drwxr-xr-x 14 root root 4096 Jan 14 2010 ..
-r-------- 1 apache apache 45 Feb 16 16:17 d..httpdocs@plesk-stat
-r-------- 1 apache apache 45 Feb 16 16:17 d..httpsdocs@plesk-stat



___________________________________________


Observations:

- The client can't go to statistics folder with ruid2 permission
- The client can'T read the folder /pd
- The client can't read password files into /pd/* (apache user only)



I have this problem for all domains using your module. It's a persmission problem and I can change for example (755 for folder "statictics) and some other configuration for "pd" folder.. but it's not safe


How Can I deal with that ?

 

[atomicturtle]

You might want to catch up on the developments & tweaks in this thread:

https://atomicorp.com/forum/viewtopic.php?f=12&t=4570

We've had a lot of contributions here that touch on the various changes to tertiary apps you'll need to make (eaccelerator, sessions, etc) as well as direct input from the mod_ruid2 developer on changes you'll need to make.

I'm capturing this input and where I can, building more automation into the mod_ruid2 package.

 

[JP Kelly]

looks cool - a couple questions

This looks interesting (the add-on for Parallels Plesk Panel). Is this compatible with Plesk 10.1.1?
When using this add-on, how should I set "Run PHP as" in the Plesk "Hosting Parameters"? Apache Module? FastCGI Application? Does it matter?

 

[Andyone]

New 1.2.11 version

New 1.2.11 version is compatible with Parallels Plesk Panel up to 10.2.0.
Web statistics issue has been fixed.
Protected directories issue has been fixed.
Domain and subdomain name change issue has been fixed.

Fastcgi module is not compatible with mod_ruid2. Therefore for each virtual host in "Hosting Settings" should be chosen: PHP support (run as "Apache module")

__________________
Andy Martinovsky

Plesk addons:
Run PHP as User http://helixdevelopment.com/dl/rau/current/brief/
Password Viewer: http://helixdevelopment.com/dl/ppv/current/brief/

 

[JP Kelly]

Fastcgi module is not compatible with mod_ruid2. Therefore for each virtual host in "Hosting Settings" should be chosen: PHP support (run as "Apache module")

Is it possible to run some domains as Fastcgi and some domains as Apache/mod_ruid2?

 

[Scy]

We bought and installed this "Run PHP as User" version 1.2.11 add-on for our servers (totally 10) with the following configuration:

- Debian Lenny 5.0 & Plesk 10.2
- PHP 5.3.5 running under Apache module
- Perl, Python and Ruby on Rails running under FastCGI
- We installed apache2-mpm-itk module (which removed both apache2-mpm-prefork and apache2 modules)
- After installation of the scrip, we ran both commands, "/usr/local/psa/admin/sbin/set_dom.php all_on" and "/usr/local/psa/admin/sbin/set_dom.php auto_on" to use "Run PHP as User" setting on for all of our clients
- We also modified all of our clients httpdocs folders so that files and folder owned by "www-data" (Apache user) was chowned to users FTP account. Also files/folders chmodded with 0777 was reduced to 0755 to increase security (However we noticed that 0644 is enough for PHP to write on files and non-writable files has to be chmodded to 0444).

After the changes, the following issues emerged:

1. FastCGI support was totally broken
* Some of our clients had requested PHP to be run under FastCGI, and these we were able to fix simply by moving them to run PHP as Apache module. So no harm done.
* But clients with Perl, Python or Ruby on Rails script suffered, as they don't no longer run when "Run-PHP-as-User" setting is being ticked. So far the only solution for us was to untick this setting for such users that used Perl, Python or Ruby on Rails (causing PHP to run under www-data on such web hosting packages)

Is this compatibility issue possible to fix anyhow? We really would like to use Run-PHP-as-User setting on default + allowing also Perl, Python & Ruby on Rails to work simultaniously?

2. Another issue was that web statistics no longer work
* When trying to open Awstats, they result as "error 403 - forbidden" when "Run-PHP-as-User" setting is "on". When setting is "off" awstats page is opened normally
* This issue can be resolved for old customers by chmodding all the clients statistics folder with command chmod 0755 /var/www/vhosts/*/statistics per each server. It seems that with Run-PHP-as-User is being set on the default folder right for statistics folder (that is 0550). However, is this a security issue that should be solved otherwise?
* Also the problem is now that every new domain created on the server needs to be chmodded with its statistics folder with chmod 0755. However, I believe this can be automatized with a small script I shall implement later.

This problem occured despite the fixes made in Run-PHP-as-User v. 1.2.11. Is it possible that these changes fixed the problem only when using mod_ruid2 but not with when using apache-mpm-itk? Is it possible to fix this on the script?

But anyways, the script is great providing integration between Plesk and MPM-ITK and/or mod_ruid2, thus allowing PHP to be run under FTP user AND withouth sacrificing really much of the performance or stability/memory issues (that is the setback when running PHP under FastCGI).

If those couple of minor fixes could be implemented for this script, we would highly appreciate (and will for sure buy the script to all of our servers in the future too).

 

[Scy]

I solved the problem 2 (Awstats not accessible) with the following method:

* For existing old domains I simply:

chmod 0755 /var/www/vhosts/*/statistics

* But as the Plesk generates all the new domains' statistics folder with right 0550 this these statistics folders should be chmodded manually every time new domain is created from Plesk. However, as this is not very convenient, the following sollution should do it:

1) Log in the Plesk (10.2) and click "Tools & Utilities" -> "Event Manager" -> "Add New Event Handler".

2) Select event "Website created" and priority "low (25)" and enter "Command" field as following line:

/usr/local/bin/fix_statistics_folder.sh

Press "Ok".

3) Log in to the server with SSH and type:

cd /usr/local/bin
pico fix_statistics_folder.sh

Enter the following code:

#!/bin/bash
sleep 10
chmod 0755 /var/www/vhosts/${NEW_DOMAIN_NAME}/statistics

save and run:

chmod 0755 fix_statistics_folder.sh

Now, every time the Plesk creates a new domain, after 10 seconds of the creation (you need to give some time for creating process) the script is executed and it will chmod statistics folder from 0550 to 0755 which should allow statistics to open even though "Run-PHP-as-User" is being activated on such domain.

Is this a security problem? I dunno. I believe not. I don't have yet a better fix. Feel free to give such. Edit: It seems that after chmodding statistics from 0550 to 0750 the folder is accessible (readable, but not writable) from FTP account. I still cannot see is this a security issue? It could be even more convenient for users to read error logs also from FTP - they're readable, not writtable.)

For issue 1) I still don't have any other sollution but to set "Run-PHP-as-User" to "off" on such domains that need to use Perl, Python or Ruby on Rails. This is not a very convenient though.

 

[Andyone]

The new version of Run PHP as user was released.

In the new 1.2.15 version statistics and cgi issues were fixed.
To enable FastCGI in a directory like httpdocs/ruby edit vhost.conf as follows:

* Redhat, CentOS, Fedora:

<Include asuser.conf>
<Directory /var/www/vhosts/DOMAIN.COM/httpdocs/ruby>
    RUidGid apache apache
    RGroups apache psaserv
</Directory>

* Debian, Ubuntu:

<Include asuser.conf>
<Directory /var/www/vhosts/DOMAIN.COM/httpdocs/ruby>
    RUidGid www-data www-data
    RGroups www-data psaserv
</Directory>

 

[toomanylogins]

Hello, If I purchase the script will this allow php Jfolder to folllow a sym link and open pdf files which are in another domain ie different user on same server ?

I have mpm-itk running and I have a large directory of pdf files in one domain which I would like to share with others. If I turn mpm-itk off and use php_admin_value open_basedir none then the symbolic link is followed and I can open the PDF files without the jfolder error.

thanks
Paul

 

[Andyone]

The new version of Run PHP as User 1.3.2 is released.

In the new 1.3.2 version an installation procedure is simplified (no need to edit ruid2.conf).
Graphical user interface is improved.
Some minor bugs are fixed.
The new feature is added to test the addon as a root only from 127.0.0.1 address:
# curl --interface lo YOUR_DOMAIN/rau/id.php