Hi, on one of my production systems I'm using ldap_userdir, which borrowed code from mod_userdir. After some investigation (suexec support was necessary) I found that there is an error in suexec handling, and it has existed for many years unnoticed. Hopefully the mod-ldap-userdir author has accepted my patches (about request notes, and some bad usage of strtoul) and everything works out of the box on lenny now. But the bad code in mod_userdir still exists. I'm attaching the patch for mod_userdir.c (based on the patch for mod_ldap_userdir.c). It was tested and works correctly. Please apply and notify upstream if possible. Thank you.
Thanks for your patch. Please be a bit more verbose on what the actual problem was and how it can be reproduced. Stefan
On Sun, 2009-05-10 at 19:43 +0200, Stefan Fritsch wrote: I will try to provide a simple example, but actually the suexec configuration isn't simple. I have apache2 configured with mod_userdir + mod_suexec + mod_fcgid (for running php5-cgi in my case). According to http://httpd.apache.org/docs/2.2/suexec.html#usage handling of /~baryluk/ should automagically work (by working, I mean fcgid scripts are run under uid baryluk). Currently these scripts are run under the www-data uid, because, as I first wrote, mod_userdir.c is not working correctly (to be honest, not well tested either; this error has been sitting there very, very long). There are also some comments in the patch. The author of mod_ldap_userdir.c can also help, but first ask me about any problems. We don't need to bother him. ;) Hope this will help.
On Sun, 2009-05-10 at 19:43 +0200, Stefan Fritsch wrote: Here is my exact (I hope) configuration, attached: # apt-get install apache2 apache2-suexec libapache2-mod-fcgid php5-cgi # a2enmod actions suexec userdir fcgid Relevant files in the attachment: /etc/apache2/sites-available/default /etc/apache2/conf.d/php-fcgid.conf /home/baryluk/public_html/test.php /home/baryluk/public_html/fcgi-bin/php-fcgi-wrapper /home/baryluk/public_html/.htaccess (edit the last one if another username is needed) # chown -R baryluk:users /home/baryluk/public_html # /etc/init.d/apache2 restart Then point your web browser to http://servername/~baryluk/test.php You will see the `whoami` output on the first line. It will say "www-data", but should say "baryluk". This simply means that suexec support in userdir is not working correctly. The patch in the first post resolves this problem. There was an identical problem in ldap-userdir, but it is already solved there in the same way.
Hi, is anybody willing to review my patches? They are really simple. And without them half of the functionality of suexec does not exist. And it doesn't agree at all with the Apache documentation http://httpd.apache.org/docs/2.2/suexec.html#usage subsection "User directories".
Hello, I am getting a bit disenchanted with Debian BTS thanks to this bug. How much easier could Witold have made it? He described the bug, submitted a patch. A year later, I'm still having to use his patch to run my Apache. Have we gone 12 years back in time? Is patching and compiling now a required skill for Debian users? I thought we left that behind with Potato. Regards, Michal
tags 528062 +patch thanks Sorry, this has somehow fallen through the cracks. I will try to get it fixed before squeeze is released.
I suspect that the patch would break suexec for mod_include's exec subrequests, but haven't tested it yet. Maybe the note needs to be set both on the main and the sub request.
Hi,

I tested the patch for a Lenny server with quite some public_html UserDirs - I suspect that my observations also apply to Squeeze.

The behavior of our configuration with the default Apache packages is that normal CGI scripts in public_html dirs are running under the owner's uid, while php scripts are executed as www-data. We don't use fcgid.

Our desired behavior would be that CGI scripts as well as PHP scripts run under the owner's uid. This can be quite easily set up with suphp, but a solution that only requires suexec would be nice.

With the supplied patch PHP scripts are run under the owner's uid *if and only if* the php binary is copied to every public_html dir that contains php scripts; symlinking does not seem to work here.

Also mod_action has to be configured correctly (which I have not figured out yet for *many* userdirs).

Without further action the patch completely breaks PHP script execution (Error 500) beneath user dirs when suexec is enabled.

IMHO it is far from production ready. For only a few different users it is rather simple to set up different vhosts with explicit SuexecUserGroup configs that will give you the same results.

Just my ¢ 2,
Christopher
It does not need to be copied. I would not even advise this, as it will be problematic due to the disk usage, cache usage and problems with php upgrades. It is sufficient to create a 2-line shell script (as ~/public_html/fcgi-bin/php-fcgi-wrapper):

    #!/bin/sh
    exec /usr/bin/php5-cgi

It is needed because of suexec's behaviour of running only fcgi scripts owned by the user and located in the proper subdirectory. I have already given this wrapper in message #20, as php-fcgi-wrapper. There is nothing unsafe in this file being editable by the user; it will anyway be started with the rights of the user, and nothing beyond what can already be broken in normal php will be broken (like starting other programs or deleting files).

I would not say this breaks suexec. It actually makes suexec work as described in the Apache documentation. Also mod_action behaves in the normal way. This is set up using a per-directory .htaccess, for example "Action php-fcgi /~baryluk/fcgi-bin/php-fcgi-wrapper". It is also safe to make this file user-editable. It can be owned by somebody else if one really needs it, or written directly in the main configuration file (nested in the proper Directory section), or higher up in the directory hierarchy. It will not break anything. I currently have a .htaccess in each individual public_html dir of each user who wants to have php. The problem you state is like wanting to express: For each php handler with url matching "^/~([^/]+)/", use "/~$1/fcgi-bin/php-fcgi-wrapper" as Action. IMHO the problem that this is not supported is a problem with the mod_actions module, not this patch. I have about 200 users, of which about 50 have PHP enabled. What is even nicer in this (IMHO correct) behaviour after applying the patch is that a user can enable/disable php without the administrator. Similarly one can for example change the version of php if he/she wishes. (One can disable this behaviour by disabling htaccess processing, or disabling overriding of Actions in per-directory htaccess.)

For simplicity I just have /etc/skel/public_html/.htaccess with the proper Action line, which is commented out, and an additional comment explaining what it is and when it should be uncommented. Similarly in /etc/skel/public_html/cgi-bin/php5-fcgi-wrapper I have the above script (with the exec commented out and a comment that it should be uncommented if one wishes PHP). This makes all new users have these files. For old users I copied these files using a simple script. BTW, I have disabled php by default as an additional security precaution. But one can of course enable it by default, and it will still be fine.

In my opinion it is not true. It is just the way suexec works. You need to configure it carefully because it is very strict. This is also the reason I provided a step-by-step detailed configuration (on a clean setup with the patch). According to the suexec documentation the behaviour of the patch is correct. (Or maybe you are talking about some other way of executing php scripts? Like mod_php or another form of CGI, or suphp, etc.)

Thanks for your comments! It is possible. But I do not use includes, and do not know how exactly they work. I reported this problem with the patch on Apache bugzilla, but nobody from the developers responds. :( The bug entry is here: https://issues.apache.org/bugzilla/show_bug.cgi?id=49439 PS. The exact configuration can also be found at https://issues.apache.org/bugzilla/show_bug.cgi?id=49439#c6
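The two observations above (the symlinked php binary failing, the 500 errors once suexec is enabled, and the "very strict" rules on the wrapper's ownership and permissions) all come from checks suexec performs before it will exec the target. As an added example that is not part of the bug report or of Apache itself, the shell function below runs the same checks against a userdir wrapper such as ~baryluk/public_html/fcgi-bin/php-fcgi-wrapper, so a misconfiguration is reported with a reason instead of a bare 500; it assumes GNU stat and that the compiled-in UID_MIN is 1000 (overridable via SUEXEC_UID_MIN).

```shell
#!/bin/sh
# Added example, not from the bug report or from Apache: a pre-flight check
# that mirrors the rules suexec applies to a userdir FastCGI wrapper before
# it will exec it. Any failure is otherwise only a terse line in suexec.log
# plus a 500 from Apache. Needs GNU stat (Linux).
# SUEXEC_UID_MIN defaults to 1000, Debian's compiled-in value (assumption).

# suexec_preflight USER WRAPPER_PATH PUBLIC_HTML_DIR
# Returns 0 when the wrapper would pass, 1 (reason on stderr) otherwise.
suexec_preflight() {
    user=$1 target=$2 root=$3
    dir=$(dirname "$target")
    min=${SUEXEC_UID_MIN:-1000}

    # suexec uses lstat(), so a symlink fails its "regular file" test:
    # this is why symlinking php5-cgi into fcgi-bin does not work
    if [ -L "$target" ]; then echo "FAIL: $target is a symlink" >&2; return 1; fi
    if [ ! -f "$target" ] || [ ! -x "$target" ]; then
        echo "FAIL: $target is not an executable regular file" >&2; return 1
    fi

    # the wrapper must live inside the user's public_html tree
    case "$dir/" in
        "$root"/*) ;;
        *) echo "FAIL: $dir is outside $root" >&2; return 1 ;;
    esac

    # target uid must not be below UID_MIN (never root or system accounts)
    uid=$(id -u "$user" 2>/dev/null) || { echo "FAIL: no such user $user" >&2; return 1; }
    if [ "$uid" -lt "$min" ]; then echo "FAIL: uid $uid < $min" >&2; return 1; fi

    # file and its directory: owned by the target user, not group/world writable
    for p in "$target" "$dir"; do
        owner=$(stat -c %U "$p")
        perm=$(stat -c %A "$p")   # e.g. -rwxr-xr-x; char 6 = g+w, char 9 = o+w
        if [ "$owner" != "$user" ]; then
            echo "FAIL: $p owned by $owner, expected $user" >&2; return 1
        fi
        case "$perm" in
            ?????w*|????????w*)
                echo "FAIL: $p ($perm) is group/world writable" >&2; return 1 ;;
        esac
    done
    # the wrapper itself must not carry setuid/setgid bits (chars 4 and 7)
    case "$(stat -c %A "$target")" in
        ???[sS]*|??????[sS]*) echo "FAIL: $target is setuid/setgid" >&2; return 1 ;;
    esac
    return 0
}
```

Run it as the web server's admin on each ~user/public_html/fcgi-bin/php-fcgi-wrapper after the chown step; a wrapper that passes here will also pass suexec's own checks, leaving only the Action/handler configuration to verify.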
tags 528062 -patch forwarded 528062 https://issues.apache.org/bugzilla/show_bug.cgi?id=49439 thanks As discussed in the upstream bug report, it is far from clear that your patch does not break other things or cause wrong behavior with other configurations. Therefore I am removing the patch tag. Further discussion should happen in the upstream report.