HOWTO: PHP 5 CLI to PHP 5 CGI + suPHP

[Exaweb]

The new php.ini file is not DirectAdmins editor. To do this, simply add:

/usr/local/etc/php5/cgi/php.ini=user=root&group=root&permission=644

to the bottom of /usr/local/directadmin/data/templates/edit_files.txt

Or run this perl code to update the existing one (will remove the old php.ini):

perl -pi -e 's#/usr/local/lib/php.ini.*#/usr/local/etc/php5/cgi/php.ini=user=root&group=root&permission=644#' /usr/local/directadmin/data/templates/edit_files.txt

 

[aED]

Followed the how to and then squirrelmail stops working Phpmyadmin works fine.

Here's the error that is shown

By the SquirrelMail Project Team
ERROR
Preference file, /var/www/html/squirrelmail/data/admin.pref, could not be opened. Contact your system administrator to resolve this issue.

 

[nobaloney]

The file needs to be owned by user apache and group webapps, and it needs to be set for rw access for the group.

Jeff

 

[aED]

It is already owned by webapps does it really need to be owned by apache and group webapps... Im still learning about this things can you explain to me why?

By the way can I ask another question?

Which would you prefer this configuration or this http://www.directadmin.com/features.php?id=961 to make your server more secure?

 

[nobaloney]

It is already owned by webapps does it really need to be owned by apache and group webapps... Im still learning about this things can you explain to me why?

I responded based on looking at one of my servers. No, webapps should be good enough, but the symptom you presented was resolved a few days ago on a new server for a client by doing what I suggested you do.

By the way can I ask another question?

Which would you prefer this configuration or this http://www.directadmin.com/features.php?id=961 to make your server more secure?

Unfortunately you're not going to get a definitive response from me. We use our own scripts and procedures as part of a hardening service we offer which takes several hours to perform per server. All hardening advice probably works for the person who posted it; in the approximately 28 years I've been managing various unix and linux flavors I've come up with some of my own ideas .

Jeff

 

[aED]

I recently decided to switch from using PHP CLI
If a customer wants to use cronjobs they need to add the php.ini in the cron command:

/usr/local/bin/php -c /usr/local/directadmin/data/users/accountname/php/php.ini /home/accountname/domains/domainname/public_html/filetocron.php

I think there is a problem when using this. What if youv'e disabled some functions in php or wanted php to load a module using the main php.ini. Using That command above would only load the php.ini that only has the openbasedir values which means all the functions youv'e disabled are now enabled. They can now execute those functions using your crontab.

If my assumptions are wrong please correct me.

I just executed

these two commands and they have different result

php -v

PHP 5.2.12 (cli) (built: Dec 22 2009 14:35:11)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
with the ionCube PHP Loader v3.3.7, Copyright (c) 2002-2009, by ionCube Ltd., and
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies

php -v -c /usr/local/directadmin/data/users/accountname/php/php.ini

PHP 5.2.12 (cli) (built: Dec 22 2009 14:35:11)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

It doesn't load some of the extensions specially the ioncube loader which I need.

Does PHP load other php.ini file when the -c option is used other than the file at /usr/local/etc/php5/cgi/php.ini is there any other php.ini files that I can check?

 

[aED]

I tried running this

/usr/local/bin/php -c /usr/local/directadmin/data/users/user/php/php.ini /home/domain/domains/domain.com/public_html/info.php>>/test.log

And it outputs the data to test.log and yes it only loads the php.ini that only contains the open_basedir value so the extensions dir is not set in the correct place additional extensions are not loaded disabled functions are not disabled. Is there any thing I need to do to fix this?

Also what if the user creates his own ini file in his own public_html directory and tried to load that using the -c function would that work?

 

[yatoula]

Hi, i have a new serveur Débian and directadmin.
For this tutorial : http://www.directadmin.com/forum/showpost.php?p=148710&postcount=1
it's not possible to create one if there are no domaine and user in directadmin. Because me stop at

We need to reset ownership of files as suPHP won't allow access to ones owned by apache (they way the CLI version of PHP works)
Code:

ls -l /home | grep '^d' | awk '{system("chown -R " $3 ":" $4 " /home/" $9 "/domains")

It's good ?
I do not understand all the rest, but it seems that there are points where there are already users?
Thank you (might help novices)

 

[yatoula]

Hi, i have a problem with this line, in my folder home in mysql , lost+found ans temp i don't have a folder domains ?

and if i change

find the open_basedir line and change to:
Code:

open_basedir = /var/www/html/:/tmp/

i have a error in my template Capri ?
Thanks

 

[Exaweb]

After the Multi-IP feature the vhost-templates have been updated. In order to get this new feature to work, you have to update your templates. You just have to repeat some steps from the tutorial to update the templates:



copy VirtualHost templates to custom directory so they are not overwritten when DirectAdmin updates

cp /usr/local/directadmin/data/templates/virtual_host2* /usr/local/directadmin/data/templates/custom/

change VirtualHost containers to look for php.ini override

nano /usr/local/directadmin/data/templates/custom/virtual_host2.conf
nano /usr/local/directadmin/data/templates/custom/virtual_host2_sub.conf
nano /usr/local/directadmin/data/templates/custom/virtual_host2_secure.conf
nano /usr/local/directadmin/data/templates/custom/virtual_host2_secure_sub.conf

add this after the ErrorLog

|*if SUPHP="1"|
        SetEnv PHP_INI_SCAN_DIR /usr/local/directadmin/data/users/|USER|/php/
|*endif|

rewrite httpd configs for current users

echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue

 

[993ti]

I'm currently trying this but am stuck at

ls -l /home | grep '^d' | awk '{system("chown -R " $3 ":" $4 " /home/" $9 "/domains")}'

I get this when doing that: chown: cannot access `/home//domains': No such file or directory

Sooo, i did something stupid as usual and did this:

ls -l /home | grep '^d' | awk '{system("chown -R " $3 ":" $4 " /home/admin/domains")}'

Now i can't access my sites with ftp
They're still there but no ftp anymore.
Still don't work with CGI either.
So, i'm using CLI again until this is solved.

Am i missing something (besides a brain)?
Thanks in advance.

 

[993ti]

Managed to get the ftp going again but still no luck converting from CLI to CGI.
I tried lots of things but no luck.
It always throws a 500 error even if permissions are set correctly.
totally lost now.
Must be the part where i'm stuck.

 

[ajo]

This is how I fixed the same error: The issue was due to some of the files have incorrect permissions and ownerships.

------------------
cd /var/www/html/squirrelmail-1.4.21/data

chown webapps.webapps ./* -R

find ./ -type f -exec chmod 644 {} \;
------------------

Regards,
Ajo

 

[.klug]

Did somebody modify the user_create_post to set the open_basedir for each domain instead of the account ?

 

[blustic]

It's a good solution, but what about cgi script?

Because today i have found someone has made the following :

Create .htaccess with the following content :

Options +FollowSymLinks
DirectoryIndex seees.html
Options +Indexes
Options +ExecCGI
AddType text/plain .php
AddHandler server-parsed .php
Addhandler cgi-script .gif


<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

and has rename script.cgi to script.gif & chmod the script.gif to 755 .

and all is done, everything works even when I disabled the cgi on the account ?!

this script is the famous cgi-telnet

So, any idea to disable cgi?

edit: I found a temporary solution :

chmod 750 /usr/bin/perl

But it disable completly cgi scripts, so how to make a chroot or a restriction like an openbase_dir for CGI/Perl script?

 

[DJSnels]

I've used this guide to switch to suPhp, but i have one problem:

i have a subdomain for downloading files (download.domain.com) with a .htaccess file in it

Options +Indexes

but this doesn't seem to work anymore (403 forbidden)

the second thing:
i was hoping to see usernames in stead of apache running httpd, but that isn't the case. I remember i had a suPhp server one where i could see which users where running apache...

 

[zEitEr]

OK, make sure, your customers are running PHP-CGI

Create a phpinfo.php file in a public_html directory of any domain and put there the following lines:

<?php
var_dump(exec('id'));
phpinfo();

And open in a browser. What you see there in the very top line and line with Server API?

Note, if you see

Server API CGI/FastCGI

then you've got suPHP installed and running OK.

And what user ID,name you see in the very top? Is that Apache?

 

[DJSnels]

string(53) "uid=502(id00011) gid=504(id00011) groups=504(id00011)"

Server API CGI/FastCGI

looks fine to me

but #top returns these:

6825 apache 20 0 63244 4648 1624 S 2.0 0.5 0:00.06 httpd
6777 apache 20 0 63260 4696 1628 S 0.7 0.5 0:00.02 httpd


Edit:
i have the following errors for subdomain download.domain.com concerting .htaccess:
[Sat Aug 11 12:34:55.842291 2012] [core:crit] [pid 6850] (13)Permission denied: [client 83.119.98.234:59435] AH00529: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/admin/domains/' is executable
[Sat Aug 11 12:34:55.842400 2012] [core:crit] [pid 6850] (13)Permission denied: [client 83.119.98.234:59435] AH00529: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/admin/domains/' is executable
[Sat Aug 11 12:34:55.912782 2012] [core:crit] [pid 6850] (13)Permission denied: [client 83.119.98.234:59435] AH00529: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/admin/domains/' is executable
[Sat Aug 11 12:34:55.912831 2012] [core:crit] [pid 6850] (13)Permission denied: [client 83.119.98.234:59435] AH00529: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/admin/domains/' is executable

no i've created an new subdomain, with no .htacces, and i got the same errors:
[Sat Aug 11 12:34:55.842291 2012] [core:crit] [pid 6850] (13)Permission denied: [client 83.119.98.234:59435] AH00529: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/admin/domains/' is executable
[Sat Aug 11 12:34:55.842400 2012] [core:crit] [pid 6850] (13)Permission denied: [client 83.119.98.234:59435] AH00529: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/admin/domains/' is executable
[Sat Aug 11 12:34:55.912782 2012] [core:crit] [pid 6850] (13)Permission denied: [client 83.119.98.234:59435] AH00529: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/admin/domains/' is executable
[Sat Aug 11 12:34:55.912831 2012] [core:crit] [pid 6850] (13)Permission denied: [client 83.119.98.234:59435] AH00529: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/admin/domains/' is executable

 

[zEitEr]

but #top returns these:

Apache still has got some processes running under user apache, so that's OK.

That's must be a permissions issue, so check:

ls -ld /home/admin/domains/<domain_name>/public_html/
ls -ld /home/admin/domains/<domain_name>/
ls -ld /home/admin/domains/
ls -ld /home/admin/

 

[wanener]

Hi
im almost new in linux and directadmin world

i want to tel my story from the beginning so you can understand my problem completely

we have a hosting environment and run some websites on our server
we start using directadmin in cli mode
and because we have some important websites that they run with php 5.2 and zend and surceguardian
we decide to use cli with php5.2.17
but after a few day we find that we get abnormal errors on our website that some of them run joomla CMS
the main problem was that every module and component in server create directories with apache:apache permission
on a thread i read that this problem cause of CLI and if i switch to CGI this problem will solve
so i tried another topic and then this topic

but at the end when i tried to start httpd at the end i get the following error :


Starting httpd: Syntax error on line 26 of /etc/httpd/conf/extra/httpd-directories.conf:
Invalid command 'suPHP_UserGroup', perhaps misspelled or defined by a module not included in the server configuration


please help me


another question is that
someone told me that CLI is safer than CGI
is this true ?
if yes
how we secure CGI ?
and how we could run CLI with solved the ownerermission problem ?
which one you recommend/prefer as a hosting service provider ?

thank you