Re: mod_suexec with mod_userdir and fcgid (webapps in subdirs with separated user context)

Hello again,

maybe my previous mail was too verbose, or maybe simply nobody has an
idea. Still I'd like to give it a second try:

Do you have a good idea why php-cgi7.0 throws the following error when
used with mod_fcgid, mod_usermod and mod_suexec?

uid: (1002/webapp1) gid: (1002/webapp1) cmd: php-fcgi-starter cannot get
docroot information (/var/www/webapp1)

$ ls -al /var/www/webapp1
drwxr-xr-x 9 root root 4096 Jun 29  2014 .
drwxr-x---  2 webapp1 webapp1  4096 Nov  7 15:14 php-fcgi
drwxr-x---  2 webapp1 webapp1  4096 Apr 11  2015 www
[...]

The same setup works perfectly fine without mod_usermod (i.e. when the
whole VHost has a dedicated suexec user). Only with mod_usermod, we get
this strange error.

Cheers,
 jonas

On 15.04.2018 at 12:26, Jonas Meurer wrote:
> Hello list,
> 
> I try to make web applications available in subfolders of one
> VirtualHost, but each one in an isolated user context. All web apps are
> PHP applications and I use mod_fcgid to run them.
> 
> Unfortunately, SuexecUserGroup is not allowed in Directory context,
> which would be by far the simplest solution.
> 
> So to achieve my goal, I tried (and failed with) two different approaches:
> 
> 1. Using mod_userdir together with mod_suexec
> 2. ProxyPass to separate localhost vhosts for each app
> 
> Since the first approach seems much cleaner and more straightforward to
> me, I'd prefer that one.
> 
> Maybe you have other suggestions on how to achieve my goal?
> 
> ---
> 
> Now to the problem I ran into with my first approach:
> 
> I have UserDir enabled for system user 'webapp1' and the UserDir path
> set to '/var/www/*/www' (see the VirtualHost config below). This works
> as expected, I can access static content from within the UserDir.
> 
> Additionally, I have fcgid configured for the UserDir and apparently the
> php scripts are executed using suexec and php-cgi7.0. A suexec process
> is spawned by user 'webapp1' when requesting a php file, but it
> immediately turns into 'suexec <defunct>' (a zombie process).
> 
> The apache2 error log shows:
> 
> uid: (1002/webapp1) gid: (1002/webapp1) cmd: php-fcgi-starter
> cannot get docroot information (/var/www/webapp1)
> 
> And the apache2 suexec log:
> 
> [fcgid:warn] [pid 30884:tid 140484201527040] (104)Connection reset by
> peer: [client 192.168.0.1:31937] mod_fcgid: error reading data from
> FastCGI server
> [core:error] [pid 30884:tid 140484201527040] [client 192.168.0.1:31937]
> End of script output before headers: index.php
> 
> 
> I double checked that all files under /var/www/webapp1 belong to
> user+group 'webapp1' and that they're accessible. I even recursively set
> world-readable permissions on the directory, which didn't change anything.
> 
> Do you have a good idea on why running php-cgi7.0 through fcgi with
> suexec and userdir results in this suexec error 'cannot get docroot
> information'?
> 
> Any hints and suggestions would be highly appreciated :)
> 
> The VirtualHost config (my current take) is as follows:
> 
> <VirtualHost *:443>
>     [...]
>     Userdir disabled
>     Userdir enabled webapp1
>     UserDir /var/www/*/www
> 
>     <IfModule fcgid_module>
>         <Directory /var/www/webapp1/www>
>             AddHandler fcgid-script .php
>             FCGIWrapper /var/www/webapp1/php-fcgi/php-fcgi-starter .php
>             Options +ExecCGI
>         </Directory>
> 
>         IPCConnectTimeout 20
>         IPCCommTimeout 60
>         FcgidBusyTimeout 60
>         MaxRequestLen 10485760
>     </IfModule>
> </VirtualHost>
> 
> 
> Looking forward to your responses.
> 
> Kind regards,
>  jonas
> 

