1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Very annoying and repeatable Plesk suexec issue

Discussion in 'Plesk for Linux - 8.x and Older' started by net24, May 24, 2007.

  1. net24

    net24 Guest

    0
     
    Running Plesk 8.1.0 on FreeBSD 6.2.

    Have configured php to run under Plesk suexec fcgid mode.
    Almost everything works - yaay!

    Only problem is that when the move_uploaded file function is used (a LOT of php scripts use this) permissions on the uploaded file are set to Unix 600. The php copy function seems to work.

    I wondered if this was a php version issue (5.2.0) but recently I installed Ruby on rails under plesk and lo and behold I've found the same issue. :-(

    This issue is repeatable regardless of default umask permissions, directory permissions or changing umask within the fcgid wrapper scripts.

    So...anyone out there know why Plesk's suexec seems to be forcing scripts to create files with 600 permissions?

    Better yet, anyone know how to get around this?
    If the standard Apache suexec was being used I could set it in the configure script but there is no such customisation for Plesk's suexec. :-(

    I'm not to keen too change the default umask that Apache runs under as I suspect that this will not work due to the customised suexec (which I suspect sets a umask all of it's own for the apps it runs).

    Any other ideas? Anyone from Plesk whoc give me further info?
    (I'm going to raise a job about this shortly but thought I'd ask the community first).
     
  2. WaDavid

    WaDavid Guest

    0
     
    I would love a solution to this as well.

    We have clients using Joomla ect, and whenever they install addons/components via the web install its screws around with permissions and we get tickets to fix it manually.
     
  3. Entrofi

    Entrofi Guest

    0
     
    I have similar problem and just started to use plesk. First I thought that the problem was because of proftpd settings but it seems not (I dont know whether plesk can be setup ldap-proftp).
    I would love a solution to this as well.

    We have clients using Joomla ect, and whenever they install addons/components via the web install its screws around with permissions and we get tickets to fix it manually.
     
  4. lvalics

    lvalics Silver Pleskian Plesk Guru

    36
    43%
    Joined:
    Jun 20, 2003
    Messages:
    965
    Likes Received:
    32
    Location:
    Romania
    Why not use mod_suPHP? This will fix this problems. See in my signature on HOW-TO how to setup.
     
  5. rmcs

    rmcs New Pleskian

    22
    57%
    Joined:
    Apr 24, 2008
    Messages:
    11
    Likes Received:
    0
    I have installed mod_suPHP, but I am STILL experiencing the issue where PHP scripts create new files with 600 permissions. I have even configured Joomla so that new files that are created are created with 644 permissions (which works properly if uploaded by Joomla Media Manager or FTP); however it seems that PHP scripts that run that create files are created with only 600 permissions.

    Any ideas?
     
  6. lvalics

    lvalics Silver Pleskian Plesk Guru

    36
    43%
    Joined:
    Jun 20, 2003
    Messages:
    965
    Likes Received:
    32
    Location:
    Romania
    check mod_suphp settings. it should work fine. it is working fine in all of our servers.
     
  7. rmcs

    rmcs New Pleskian

    22
    57%
    Joined:
    Apr 24, 2008
    Messages:
    11
    Likes Received:
    0
    Could you please be a little more specific about which "mod_suPHP" settings I am supposed to check? I already created my vhost.conf file according to your "How-To" specifications.
     
  8. WaDavid

    WaDavid Guest

    0
     
    In /etc/suphp.conf you will find a "umask" setting.

    You want to set this to 0022 so that when php scripts create files they are created with 755 permissions which allows suphp to write to them and the ftp user as well, and t his will also allow apache to read them. You can even try 0027 so that files are created with 750 permissions but you will have to check if apache is part of the psacln group.

    oh, dont make the mistake of setting this to 022 because then for some reason it doesn't work at all and will fall back to the default of 0077 which you do not want.

    I suggest not to set this to 0000 because then you need to change the following to true which can be a security risk which the default mod_php suffer from anyway.

    allow_file_group_writeable=false
    allow_file_others_writeable=false
    allow_directory_group_writeable=false
    allow_directory_others_writeable=false
     
  9. lvalics

    lvalics Silver Pleskian Plesk Guru

    36
    43%
    Joined:
    Jun 20, 2003
    Messages:
    965
    Likes Received:
    32
    Location:
    Romania
    :) yep, already WaDavid ansered.
    Also if you have problems, still you can play with
    Security options allow_file_group_writeable=false allow_file_others_writeable=false allow_directory_group_writeable=true allow_directory_others_writeable=false; But I suggest to leave it as it is.
     
  10. rmcs

    rmcs New Pleskian

    22
    57%
    Joined:
    Apr 24, 2008
    Messages:
    11
    Likes Received:
    0
    WaDavid - Thank you, Thank you! Changing the "unmask" setting to 0022 worked perfectly.

    lvalics - You might want to add that little bit of info to your "How To: Setup a new box with PLESK" cheatsheet. There are numerous postings where people are having this problem. Most replies suggest that you edit the PHP script that is causing the "problem" and add a line to CHMOD the files with the proper permissions. This is obviously NOT what the average user is capable of doing!
     
  11. lvalics

    lvalics Silver Pleskian Plesk Guru

    36
    43%
    Joined:
    Jun 20, 2003
    Messages:
    965
    Likes Received:
    32
    Location:
    Romania
    I will modify the How-TO I missed to add this unmask settings change, my mistake.
     
  12. net24

    net24 Guest

    0
     
    Because, by using suexec with fastcgi, we have a smaller memory footprint, the ability to have individual php.inis for all of our domains, etc. to name just two of the many benefits.
     
  13. lvalics

    lvalics Silver Pleskian Plesk Guru

    36
    43%
    Joined:
    Jun 20, 2003
    Messages:
    965
    Likes Received:
    32
    Location:
    Romania
    and mod_suphp will not allow you to have multiple php.ini? :) will allow.
     
  14. WaDavid

    WaDavid Guest

    0
     
    Our servers now have php via both mod_suphp and fastcgi and both support seperate php.ini.

    In fact we have a script that automatically fire up whenever a domain gets created to automatically add a suphp.conf and load it via vhost.conf for that domain which set all these settings.
     
  15. lvalics

    lvalics Silver Pleskian Plesk Guru

    36
    43%
    Joined:
    Jun 20, 2003
    Messages:
    965
    Likes Received:
    32
    Location:
    Romania
    You can use also skeleton for this, it is much more easy.
     
  16. WaDavid

    WaDavid Guest

    0
     
    Can the skeleton do something like this:

    f.write("suPHP_UserGroup " + sysuser + " psacln\n")

    The above is the reason why we use a script because the suphp from rpmforge needs that setting to work. I am aware that one can compile suphp yourself and have it not needing that but I believe the above is more secure and is also the way suexec works if you look at the httpd.include that plesk generate for each domain.
     
  17. lvalics

    lvalics Silver Pleskian Plesk Guru

    36
    43%
    Joined:
    Jun 20, 2003
    Messages:
    965
    Likes Received:
    32
    Location:
    Romania
    Yes, you are right with this, but we use non-paranoic mode from ART repo.
     
  18. rmcs

    rmcs New Pleskian

    22
    57%
    Joined:
    Apr 24, 2008
    Messages:
    11
    Likes Received:
    0
    Sorry to be a little ignorant about this, but I guess I'm a little confused when WaDavid mentioned that his servers "now have php via both mod_suphp and fastcgi". Can you clarify what this means?

    I have mod_suphp installed on my server and have configured it for a specific vhost. I also have clicked on the "FastCGI" button in Plesk setup. When looking at the results from phpinfo I see that "Server API = CGI/FastCGI". So am I using FastCGI on "top" of mod_suphp? My understanding is that FastCGI helps to speed up the processing of PHP scripts.
     
  19. WaDavid

    WaDavid Guest

    0
     
    if you use mod_suphp it will report that php is running in cgi mode. This also happens when you run php via fastcgi.

    Essentially we wrote a php addon script of php which we add as an icon for clients so that they can change it. The default is now that a new domain gets set up with suphp. If a client lets say want php4 instead of 5 it get set up as php4 via fast cgi overwriting the php5 mod_suphp settings. We also have php5 via fast cgi and we usually will put a newer version on first via this and then later force mod_suphp to use the latest version.

    It all depends on how you handle the vhost.conf file, via this you can have domains on different versions of php and even all via mod_suphp if you really want.
     
  20. BillT

    BillT Guest

    0
     
    hello all

    I think this is a related issue. I'm using plesk 8.6.0 and when I add a new domain I want the permissions on the httpdocs directory to be set to 775 - is this easy enough? The reason for this is because I need php files in

    domain1/httpdocs/script.php

    tp be able to write to

    domain2/httpdocs/

    If there is a better way than changing the default permissions I would be interested to hear it, but right now I just need some sort a solution.

    thanks in advance
     
Loading...