HOWTO: PHP 5 CLI to PHP 5 CGI + suPHP

Exaweb

Verified User
Joined
Nov 6, 2009
Messages
17
Location
Gram, Denmark
The new php.ini file is not in DirectAdmin's editor. To add it, simply add:

Code:
/usr/local/etc/php5/cgi/php.ini=user=root&group=root&permission=644
to the bottom of /usr/local/directadmin/data/templates/edit_files.txt

Or run this perl code to update the existing one (will remove the old php.ini):
Code:
perl -pi -e 's#/usr/local/lib/php.ini.*#/usr/local/etc/php5/cgi/php.ini=user=root&group=root&permission=644#' /usr/local/directadmin/data/templates/edit_files.txt
 

aED

Verified User
Joined
Dec 20, 2009
Messages
42
Followed the how-to and then SquirrelMail stops working. phpMyAdmin works fine.

Here's the error that is shown

By the SquirrelMail Project Team
ERROR
Preference file, /var/www/html/squirrelmail/data/admin.pref, could not be opened. Contact your system administrator to resolve this issue.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
The file needs to be owned by user apache and group webapps, and it needs to be set for rw access for the group.

Jeff
 

aED

Verified User
Joined
Dec 20, 2009
Messages
42
It is already owned by webapps. Does it really need to be owned by apache and group webapps? I'm still learning about these things; can you explain to me why?

By the way can I ask another question?

Which would you prefer this configuration or this http://www.directadmin.com/features.php?id=961 to make your server more secure?
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Quote:
"It is already owned by webapps. Does it really need to be owned by apache and group webapps? I'm still learning about these things; can you explain to me why?"

I responded based on looking at one of my servers. No, webapps should be good enough, but the symptom you presented was resolved a few days ago on a new server for a client by doing what I suggested you do.

Quote:
"By the way can I ask another question?

Which would you prefer this configuration or this http://www.directadmin.com/features.php?id=961 to make your server more secure?"

Unfortunately you're not going to get a definitive response from me. We use our own scripts and procedures as part of a hardening service we offer which takes several hours to perform per server. All hardening advice probably works for the person who posted it; in the approximately 28 years I've been managing various unix and linux flavors I've come up with some of my own ideas :).

Jeff
 

aED

Verified User
Joined
Dec 20, 2009
Messages
42
I recently decided to switch from using PHP CLI
If a customer wants to use cronjobs they need to add the php.ini in the cron command:
Code:
/usr/local/bin/php -c /usr/local/directadmin/data/users/accountname/php/php.ini /home/accountname/domains/domainname/public_html/filetocron.php
I think there is a problem when using this. What if you've disabled some functions in PHP or wanted PHP to load a module using the main php.ini? Using that command above would only load the php.ini that only has the openbasedir values, which means all the functions you've disabled are now enabled. They can now execute those functions using your crontab.

If my assumptions are wrong please correct me.

I just executed these two commands and they have different results:

php -v
PHP 5.2.12 (cli) (built: Dec 22 2009 14:35:11)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
with the ionCube PHP Loader v3.3.7, Copyright (c) 2002-2009, by ionCube Ltd., and
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies
php -v -c /usr/local/directadmin/data/users/accountname/php/php.ini
PHP 5.2.12 (cli) (built: Dec 22 2009 14:35:11)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

It doesn't load some of the extensions, especially the ionCube loader, which I need.

Does PHP load any other php.ini file when the -c option is used, other than the file at /usr/local/etc/php5/cgi/php.ini? Are there any other php.ini files that I can check?
 

aED

Verified User
Joined
Dec 20, 2009
Messages
42
I tried running this

/usr/local/bin/php -c /usr/local/directadmin/data/users/user/php/php.ini /home/domain/domains/domain.com/public_html/info.php>>/test.log
And it outputs the data to test.log, and yes, it only loads the php.ini that only contains the open_basedir value, so the extensions dir is not set in the correct place, additional extensions are not loaded, and disabled functions are not disabled. Is there anything I need to do to fix this?

Also, what if the user creates his own ini file in his own public_html directory and tries to load that using the -c function; would that work?
 

yatoula

New member
Joined
Sep 7, 2009
Messages
138
Location
France (Metz)
Hi, I have a new Debian server and DirectAdmin.
For this tutorial: http://www.directadmin.com/forum/showpost.php?p=148710&postcount=1
it's not possible to create one if there is no domain and user in DirectAdmin, because I stop at
We need to reset ownership of files as suPHP won't allow access to ones owned by apache (the way the CLI version of PHP works)
Code:
ls -l /home | grep '^d' | awk '{system("chown -R " $3 ":" $4 " /home/" $9 "/domains")}'
Is it good?
I do not understand all the rest, but it seems that there are points where there are already users?
Thank you (might help novices)
 

yatoula

New member
Joined
Sep 7, 2009
Messages
138
Location
France (Metz)
Hi, I have a problem with this line: in my home folder, in mysql, lost+found and temp, I don't have a domains folder?

And if I change
find the open_basedir line and change to:
Code:
open_basedir = /var/www/html/:/tmp/
I have an error in my template Capri?
Thanks
 

Exaweb

Verified User
Joined
Nov 6, 2009
Messages
17
Location
Gram, Denmark
After the Multi-IP feature the vhost-templates have been updated. In order to get this new feature to work, you have to update your templates. You just have to repeat some steps from the tutorial to update the templates:



copy VirtualHost templates to custom directory so they are not overwritten when DirectAdmin updates
Code:
cp /usr/local/directadmin/data/templates/virtual_host2* /usr/local/directadmin/data/templates/custom/
change VirtualHost containers to look for php.ini override
Code:
nano /usr/local/directadmin/data/templates/custom/virtual_host2.conf
nano /usr/local/directadmin/data/templates/custom/virtual_host2_sub.conf
nano /usr/local/directadmin/data/templates/custom/virtual_host2_secure.conf
nano /usr/local/directadmin/data/templates/custom/virtual_host2_secure_sub.conf
add this after the ErrorLog
Code:
|*if SUPHP="1"|
        SetEnv PHP_INI_SCAN_DIR /usr/local/directadmin/data/users/|USER|/php/
|*endif|
rewrite httpd configs for current users
Code:
echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue
 

993ti

Verified User
Joined
May 4, 2007
Messages
89
I'm currently trying this but am stuck at
Code:
ls -l /home | grep '^d' | awk '{system("chown -R " $3 ":" $4 " /home/" $9 "/domains")}'
I get this when doing that: chown: cannot access `/home//domains': No such file or directory

Sooo, i did something stupid as usual and did this:
Code:
ls -l /home | grep '^d' | awk '{system("chown -R " $3 ":" $4 " /home/admin/domains")}'
Now i can't access my sites with ftp :(
They're still there but no ftp anymore.
Still don't work with CGI either.
So, i'm using CLI again until this is solved.

Am i missing something (besides a brain)?
Thanks in advance.
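
An added example, not part of any post in this thread: the one-liner above depends on the column layout of `ls -l` (when the listing has fewer columns, `$9` is empty and the path becomes `/home//domains`) and it also runs for directories such as mysql or lost+found that have no domains folder. This sketch takes the owner from the home directory with GNU `stat` and only prints the commands unless `APPLY=1` is set; the function name, the `APPLY` variable and the `/home/<user>/domains` layout are assumptions taken from the commands in this thread.

```shell
#!/bin/sh
# Added example: reset ownership of each account's domains/ tree to the
# numeric owner of the account's home directory, without parsing `ls -l`.
# Dry run by default; set APPLY=1 (as root) to execute the chown calls.

reset_domain_owners() {
    home_root=${1:-/home}
    for dir in "$home_root"/*/; do
        dir=${dir%/}
        # Never follow a symlinked home directory.
        [ -L "$dir" ] && continue
        # Skip mysql, lost+found, tmp and anything else without domains/.
        [ -d "$dir/domains" ] || continue
        # GNU stat: numeric uid:gid of the home directory itself, so the
        # result does not depend on name lookups or listing format.
        owner=$(stat -c '%u:%g' "$dir") || continue
        if [ "${APPLY:-0}" = 1 ]; then
            # -h changes symlinks themselves instead of their targets;
            # -- stops option parsing for odd directory names.
            chown -R -h -- "$owner" "$dir/domains"
        else
            # Printed for review only, not meant to be piped back into a shell.
            printf 'chown -R -h -- %s %s\n' "$owner" "$dir/domains"
        fi
    done
    return 0
}
```

Calling `reset_domain_owners /home` lists what would change; every account is handled with its own owner, unlike the variant that applied each owner in turn to /home/admin/domains.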
 

993ti

Verified User
Joined
May 4, 2007
Messages
89
Managed to get the ftp going again but still no luck converting from CLI to CGI.
I tried lots of things but no luck.
It always throws a 500 error even if permissions are set correctly.
totally lost now.
Must be the part where i'm stuck.
 

ajo

Verified User
Joined
Sep 18, 2009
Messages
25
Location
India
This is how I fixed the same error. The issue was due to some of the files having incorrect permissions and ownership.

------------------
cd /var/www/html/squirrelmail-1.4.21/data

chown -R webapps:webapps ./*

find ./ -type f -exec chmod 644 {} \;
------------------

Regards,
Ajo
 

.klug

Verified User
Joined
Apr 3, 2011
Messages
17
Did somebody modify the user_create_post to set the open_basedir for each domain instead of the account?
 

blustic

Verified User
Joined
May 26, 2006
Messages
78
Location
France
It's a good solution, but what about cgi script?

Because today i have found someone has made the following :

Create .htaccess with the following content :
Options +FollowSymLinks
DirectoryIndex seees.html
Options +Indexes
Options +ExecCGI
AddType text/plain .php
AddHandler server-parsed .php
Addhandler cgi-script .gif


<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
and has renamed script.cgi to script.gif & chmod the script.gif to 755.

and all is done, everything works even when I disabled the cgi on the account ?!

this script is the famous cgi-telnet

So, any idea to disable cgi?

edit: I found a temporary solution :
chmod 750 /usr/bin/perl
But it completely disables CGI scripts, so how to make a chroot or a restriction like an open_basedir for CGI/Perl scripts?
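
An added example, not part of the post above: a read-only audit that walks the account directories and reports `.htaccess` lines that enable ExecCGI, map files to the `cgi-script` handler, or switch mod_security off, which are the directives in the file quoted in the post. The function names and the temporary sample tree are constructed for illustration; `SecRuleEngine` is included as the mod_security 2 counterpart of `SecFilterEngine`.

```shell
#!/bin/sh
# Added example: flag .htaccess directives that turn on CGI execution or
# disable mod_security. Prints file:line: reason: directive.

scan_htaccess() {
    root=${1:-/home}
    find "$root" -type f -name .htaccess -exec awk '
        function hit(why) { printf "%s:%d: %s: %s\n", FILENAME, FNR, why, $0 }
        /^[ \t]*#/ { next }      # skip commented-out directives
        { l = tolower($0) }      # directive names are case-insensitive
        l ~ /^[ \t]*options[ \t].*execcgi/ && l !~ /-execcgi/ { hit("enables ExecCGI") }
        l ~ /^[ \t]*(add|set)handler[ \t]+cgi-script/ { hit("maps files to cgi-script") }
        l ~ /^[ \t]*sec(filter|rule)engine[ \t]+off/ { hit("turns mod_security off") }
    ' {} +
}

# Constructed sample: directives from the post, written to a temporary tree.
demo_scan() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/user1/public_html"
    cat > "$tmp/user1/public_html/.htaccess" <<'EOF'
Options +Indexes
Options +ExecCGI
Addhandler cgi-script .gif
<IfModule mod_security.c>
SecFilterEngine Off
</IfModule>
EOF
    scan_htaccess "$tmp"
    rm -rf "$tmp"
}
```

Run `scan_htaccess /home` from cron and review any hit on an account where CGI is supposed to be disabled.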
 

DJSnels

Verified User
Joined
Jun 17, 2011
Messages
21
I've used this guide to switch to suPhp, but i have one problem:

i have a subdomain for downloading files (download.domain.com) with a .htaccess file in it
Code:
Options +Indexes
but this doesn't seem to work anymore (403 forbidden)

the second thing:
I was hoping to see usernames instead of apache running httpd, but that isn't the case. I remember I had a suPHP server once where I could see which users were running apache...
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
OK, make sure, your customers are running PHP-CGI

Create a phpinfo.php file in a public_html directory of any domain and put there the following lines:

PHP:
<?php
var_dump(exec('id'));
phpinfo();
And open it in a browser. What do you see there in the very top line and in the line with Server API?

Note, if you see

Server API CGI/FastCGI
then you've got suPHP installed and running OK.

And what user ID and name do you see at the very top? Is that Apache?
 

DJSnels

Verified User
Joined
Jun 17, 2011
Messages
21
string(53) "uid=502(id00011) gid=504(id00011) groups=504(id00011)"

Server API CGI/FastCGI

looks fine to me

but #top returns these:

6825 apache 20 0 63244 4648 1624 S 2.0 0.5 0:00.06 httpd
6777 apache 20 0 63260 4696 1628 S 0.7 0.5 0:00.02 httpd


Edit:
I have the following errors for subdomain download.domain.com concerning .htaccess:
[Sat Aug 11 12:34:55.842291 2012] [core:crit] [pid 6850] (13)Permission denied: [client 83.119.98.234:59435] AH00529: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/admin/domains/' is executable
[Sat Aug 11 12:34:55.842400 2012] [core:crit] [pid 6850] (13)Permission denied: [client 83.119.98.234:59435] AH00529: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/admin/domains/' is executable
[Sat Aug 11 12:34:55.912782 2012] [core:crit] [pid 6850] (13)Permission denied: [client 83.119.98.234:59435] AH00529: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/admin/domains/' is executable
[Sat Aug 11 12:34:55.912831 2012] [core:crit] [pid 6850] (13)Permission denied: [client 83.119.98.234:59435] AH00529: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/admin/domains/' is executable

Now I've created a new subdomain, with no .htaccess, and I got the same errors:
[Sat Aug 11 12:34:55.842291 2012] [core:crit] [pid 6850] (13)Permission denied: [client 83.119.98.234:59435] AH00529: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/admin/domains/' is executable
[Sat Aug 11 12:34:55.842400 2012] [core:crit] [pid 6850] (13)Permission denied: [client 83.119.98.234:59435] AH00529: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/admin/domains/' is executable
[Sat Aug 11 12:34:55.912782 2012] [core:crit] [pid 6850] (13)Permission denied: [client 83.119.98.234:59435] AH00529: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/admin/domains/' is executable
[Sat Aug 11 12:34:55.912831 2012] [core:crit] [pid 6850] (13)Permission denied: [client 83.119.98.234:59435] AH00529: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/admin/domains/' is executable
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
Quote:
"but #top returns these:"

Apache still has got some processes running under user apache, so that's OK.

That must be a permissions issue, so check:

Code:
ls -ld /home/admin/domains/<domain_name>/public_html/
ls -ld /home/admin/domains/<domain_name>/
ls -ld /home/admin/domains/
ls -ld /home/admin/
 

wanener

Verified User
Joined
Apr 16, 2012
Messages
23
Hi
I'm almost new in the Linux and DirectAdmin world

I want to tell my story from the beginning so you can understand my problem completely

We have a hosting environment and run some websites on our server
We started using DirectAdmin in CLI mode
and because we have some important websites that run with PHP 5.2 and Zend and SourceGuardian
we decided to use CLI with PHP 5.2.17
But after a few days we found that we get abnormal errors on our websites, some of which run Joomla CMS
The main problem was that every module and component on the server creates directories with apache:apache permission
On a thread I read that this problem is caused by CLI and that if I switch to CGI this problem will be solved
So I tried another topic and then this topic

But at the end, when I tried to start httpd, I got the following error:


Starting httpd: Syntax error on line 26 of /etc/httpd/conf/extra/httpd-directories.conf:
Invalid command 'suPHP_UserGroup', perhaps misspelled or defined by a module not included in the server configuration


please help me


Another question is that
someone told me that CLI is safer than CGI
Is this true?
If yes,
how do we secure CGI?
And how could we run CLI with the owner:permission problem solved?
Which one do you recommend/prefer as a hosting service provider?

thank you
 