mod_suexec with mod_userdir and fcgid (webapps in subdirs with separated user context)
- To: users@xxxxxxxxxxxxxxxx
- Subject: mod_suexec with mod_userdir and fcgid (webapps in subdirs with separated user context)
- From: Jonas Meurer <jonas@xxxxxxxxxxxxxxx>
- Date: Sun, 15 Apr 2018 12:26:55 +0200
- Openpgp: preference=signencrypt
- Reply-to: users@xxxxxxxxxxxxxxxx
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
Hello list,
I try to make web applications available in subfolders of one
VirtualHost, but each one in an isolated user context. All web apps are
PHP applications and I use mod_fcgid to run them.
Unfortunately, SuexecUserGroup is not allowed in Directory context,
which would be by far the simplest solution.
So to achieve my goal, I tried (and failed with) two different approaches:
1. Using mod_userdir together with mod_suexec
2. ProxyPass to separate localhost vhosts for each app
Since the first approach seems much cleaner and more straightforward to
me, I'd prefer that one.
Maybe you have other suggestions on how to achieve my goal?
---
Now to the problem I ran into with my first approach:
I have UserDir enabled for system user 'webapp1' and the UserDir path
set to '/var/www/*/www' (see the VirtualHost config below). This works
as expected, I can access static content from within the UserDir.
Additionally, I have fcgid configured for the UserDir and apparently the
php scripts are executed using suexec and php-cgi7.0. A suexec process
is spawned by user 'webapp1' when requesting a php file, but it
immediately turns into 'suexec <defunct>' (a zombie process).
The apache2 error log shows:
uid: (1002/webapp1) gid: (1002/webapp1) cmd: php-fcgi-starter
cannot get docroot information (/var/www/webapp1)
And the apache2 suexec log:
[fcgid:warn] [pid 30884:tid 140484201527040] (104)Connection reset by
peer: [client 192.168.0.1:31937] mod_fcgid: error reading data from
FastCGI server
[core:error] [pid 30884:tid 140484201527040] [client 192.168.0.1:31937]
End of script output before headers: index.php
I double checked that all files under /var/www/webapp1 belong to
user+group 'webapp1' and that they're accessible. I even recursively set
world-readable permissions on the directory, which didn't change anything.
Do you have a good idea on why running php-cgi7.0 through fcgi with
suexec and userdir results in this suexec error 'cannot get docroot
information'?
Any hints and suggestions would be highly appreciated :)
The VirtualHost config (my current take) is as follows:
<VirtualHost *:443>
    [...]
    Userdir disabled
    Userdir enabled webapp1
    UserDir /var/www/*/www
    <IfModule fcgid_module>
        <Directory /var/www/webapp1/www>
            AddHandler fcgid-script .php
            FCGIWrapper /var/www/webapp1/php-fcgi/php-fcgi-starter .php
            Options +ExecCGI
        </Directory>
        IPCConnectTimeout 20
        IPCCommTimeout 60
        FcgidBusyTimeout 60
        MaxRequestLen 10485760
    </IfModule>
</VirtualHost>
Looking forward to your responses.
Kind regards,
jonas
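
Added example, not part of the original post and not code from httpd: for a UserDir request, suexec logs "cannot get docroot information (<home>)" when it cannot change into the target user's home directory and then into its compiled-in userdir suffix, and only afterwards checks that the working directory lies inside that docroot. The function below replays those steps against a constructed directory tree; the suffix values `public_html` and `www` are sample inputs (the value a given binary was built with is printed by `suexec -V` run as root), and the function and verdict names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Mirrors the order of checks
# suexec applies to a UserDir request: enter the home directory, enter the
# userdir suffix, then require the working directory to be at or below it.

# suexec_userdir_check HOME SUFFIX WORKDIR
# WORKDIR must be an absolute path. Prints a verdict; returns 0 only for "ok".
suexec_userdir_check() (
    unset CDPATH
    home=$1 suffix=$2 workdir=$3
    # Steps 1 and 2: a failure here is what suexec reports as
    # "cannot get docroot information (<home>)".
    cd "$home" 2>/dev/null || { echo "home-unreachable"; exit 1; }
    cd "$suffix" 2>/dev/null || { echo "suffix-missing"; exit 1; }
    docroot=$(pwd -P)
    # Step 3: the directory the command runs from must resolve inside docroot.
    cd "$workdir" 2>/dev/null || { echo "workdir-unreachable"; exit 1; }
    case "$(pwd -P)/" in
        "$docroot"/*) echo "ok" ;;
        *) echo "outside-docroot"; exit 1 ;;
    esac
)

# Constructed layout modelled on the paths in the post, built under a
# temporary directory so nothing on the real system is touched.
demo_layout() {
    root=$(mktemp -d) || return 1
    home=$root/var/www/webapp1
    mkdir -p "$home/www" "$home/php-fcgi"
    printf '%s %s %s\n' \
        "$(suexec_userdir_check "$home" public_html "$home/www")" \
        "$(suexec_userdir_check "$home" www "$home/www")" \
        "$(suexec_userdir_check "$home" www "$home/php-fcgi")"
    rm -rf "$root"
}

demo_layout
```

The three verdicts cover a suffix that does not exist under the home directory, a working directory inside the docroot, and a wrapper directory that sits beside the docroot rather than inside it.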