# Apache2, PHP and SuExec

## VinzC

Hi.

I've installed Joomla (For those who don't know Joomla, it's a PHP content management system) under Apache 2.0 and 2.2. You can manage a Joomla Web site, say http://host/, using a URL like this http://host/administrator. However you also need to make certain directories and files under the /administrator directory writeable by the user account under which Apache runs if you want to manage a Joomla web site.

I hoped I could use Apache's SuExec to have PHP admin scripts run as the script files' owner but I haven't succeeded yet. And I'm wondering if I can use SuExec at all, hence my questions:

Is SuExec meant for CGI only?

If yes, can PHP scripts be run as CGI without changing the directory structure of a Joomla web site (I only want the administrative scripts under /administrator to run with their owner account)? No need to say I'd like not to be required to open too many security holes...  :Wink:  Thank you for any hint or suggestion.

----------

## nativemad

Hi

I don't know if suexec can be used without cgi... And I'm also not sure if it could be integrated with a directory-directive of apache... What is the reason to only su /administrator at all?!? I would only recommend this if you're really searching for trouble...  :Wink: 

I wouldn't recommend suexec for joomla at all! 

I had it with fastcgid, php5 and suexec on some domains for a while... The BIG problem is that most joomla-components aren't so well written that they would respect the global-joomla-chmod directives... if you set there 755, the standard joomla will work. However, you must see that only php will be su-ed! Apache itself will still run as apache! If an image is uploaded (via su-ed php), it will most likely not show up, because it's only 700 or so and apache can't read it!  :Mad: 

Sure, you can hack all components to do a chmod, or run a cronjob or something, but I ended up with a chroot for every vhost...  :Wink: 

Good luck!

----------

## VinzC

Ow, goodness... I smelt it in fact... Add that the site is managed by Plesk, which also has its own lot of restrictions...

Thanks for your lights.

The reason why I wanted to su only the admin part is that uploading doesn't work, for instance, like you explained. Also, the configuration file is not writable. And I dislike to chmod it to 644, with apache the owner.

Second, Plesk requires that all the files be owned by an FTP user account and group, which doesn't allow me anything else than an su<something> solution. This restricts modes to 755/644 for directories/files.

We have already used Joomla on celeonet.fr and it seems they use either suExec or suPHP - the access rights on files are exactly the way it has to be with Plesk. So I thought it had to be possible...

I still have some questions:

Does a CGI directory necessarily have to include the word cgi or can I make any directory a CGI? (I think the response is Yes, am I right?)

Do all PHP files have to be prefixed with #!/path/to/php interpreter? Can't a normal PHP file (for use with PHP SAPI) be used as a CGI as-is?

----------

## nativemad

The short answer: 1. yes, 2. no, normal php files are enough.

See here for a little description...  :Wink:  https://forums.gentoo.org/viewtopic-t-562947-highlight-fcgid.html

If you use some suexec-wrapper, all the files that are executed through the wrapper have to be owned by that su-ed user. So this is normally the FTP user, as the files get the right permission if uploaded via ftp. But I was not able to force php to create files (especially images!) with the right permissions... Even keeping the apache user in the ftp-group didn't help much, as without any clear definition, php seems to create files as the user executing the script and sets 700 or similar... As said earlier, this only happens with third-party plugins, components and so on. But a plain Joomla isn't that much fun!   :Wink: 

If it's just one joomla site, I would try to hack it and chmod uploaded files.

Or if it's more than one site/component that makes trouble, I would try some cron-magic...

I don't know if there is any clear solution for that... probably run each vhost as a separate apache with user=ftpuser on a >1024 port with a reverse-proxy on port 80 in front?!?! 

Of course, if someone has a better solution, i would be happy to hear!   :Razz: 

----------

## VinzC

*nativemad wrote:*

> But I was not able to force php to create files (especially images!) with the right permissions...

There is an option in Joomla global config to force chmod'ing on files and directories, is it what you're talking about?

*nativemad wrote:*

> I don't know if there is any clear solution for that... probably run each vhost as a separate apache with user=ftpuser on a >1024 port with a reverse-proxy on port 80 in front?!?!

I might be able to do that on my personal Gentoo server but I have to reproduce it on a Fedora Core 4... which is less obvious to me  :Laughing:  . (FYI, the Joomla web site I'm talking about is installed by OVH. I wanted to clone it on my Gentoo server to take a grip on it and try fixing the various problems that we have together with Apache, FTP, Plesk, Joomla and security...)

----------

## VinzC

*VinzC wrote:*

> Do all PHP files have to be prefixed with #!/path/to/php interpreter?

*nativemad wrote:*

> no, normal php files are enough.

So I don't need to turn on the execution bit either, do I?

----------

## nativemad

As far as I know, the X-bit isn't necessary as it will be started like /usr/bin/php5-cgi /var/www/........./index.php through the wrapper!   :Wink: 

--edit, as I've seen your post a bit too late...  :Wink: 

*Quote:*

> There is an option in Joomla global config to force chmod'ing on files and directories, is it what you're talking about? 

Yes, exactly! At least, I know that some versions of CB and zoom don't recognize that value!

Be aware that I also had to hack around to make for example joomlaXplorer work behind a reverse-proxy! 

If it's really just one site, I would just try it with a cron job. Perhaps via inotify and anacron or something...  :Wink: 

Also, be aware that there are some differences between fastcgid and fcgid! The fcgid is the newer one, supported by gentoo, but I don't know if FC4 has such a recent version....

Last edited by nativemad on Mon Nov 19, 2007 10:37 am; edited 1 time in total

----------
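The post above describes the mechanics (php-cgi is started through a wrapper, so the X-bit belongs on the wrapper, not on the .php files) and an earlier post describes files that the su-ed php creates as 700/600 so apache cannot read them. The following is an added example, not code from the thread or from Joomla/Plesk: a small shell helper that writes such an fcgid wrapper and, before exec'ing php-cgi, pins the umask to 022 so new files come out 644 and new directories 755 regardless of what umask the su-ed process inherited. Paths (`/var/www/vhosts/example.com/...`, `ftpuser`, `psacln`) and the Apache directives in the comment are illustrative assumptions about a typical suexec + mod_fcgid setup; `PHP_FCGI_MAX_REQUESTS` is a real php-cgi environment variable.

```shell
#!/bin/sh
# Added example: generate a suexec/fcgid wrapper for php-cgi that fixes
# the umask. Not part of the original thread; paths are placeholders.
#
# Illustrative vhost fragment (assumption, adjust to your layout):
#   SuexecUserGroup ftpuser psacln
#   <Directory /var/www/vhosts/example.com/httpdocs>
#       Options +ExecCGI
#       AddHandler fcgid-script .php
#       FCGIWrapper /var/www/vhosts/example.com/fcgi-bin/php-wrapper .php
#   </Directory>
#
# suexec only runs the wrapper if it (and its directory) is owned by the
# target user and is not writable by group or others, so the generated
# file is 755 and wrapper_is_suexec_safe() checks that invariant.

# write_php_wrapper WRAPPER_PATH PHP_CGI_PATH
write_php_wrapper() {
    wrapper=$1
    php_cgi=$2
    # Unquoted heredoc: $php_cgi is expanded now, \$@ stays literal.
    cat > "$wrapper" <<EOF
#!/bin/sh
# umask is inherited by php-cgi: 022 -> new files 644, new dirs 755,
# so the apache user can still read what the su-ed PHP creates.
umask 022
# Recycle the php-cgi process periodically (real php-cgi setting).
PHP_FCGI_MAX_REQUESTS=1000
export PHP_FCGI_MAX_REQUESTS
exec "$php_cgi" "\$@"
EOF
    chmod 755 "$wrapper"
}

# wrapper_is_suexec_safe WRAPPER_PATH
# Returns 0 if the wrapper is executable and not group/world writable.
wrapper_is_suexec_safe() {
    [ -x "$1" ] || return 1
    # -perm -020 = group-writable, -perm -002 = world-writable
    if find "$1" \( -perm -020 -o -perm -002 \) | grep -q .; then
        return 1
    fi
    return 0
}
```

The umask line is what prevents the 700/600 uploads described earlier; everything else in the wrapper is ordinary exec plumbing. After generating the file, `chown` it to the FTP user so suexec's ownership check passes, and keep the .php files themselves at 644 (no X-bit needed, as the post says).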

## VinzC

Ok, now I'm digging documentations for fcgid and PHP... Whole bunch of information indeed  :Shocked:  . I feel like the learning curve is raising again, I like challenges like this  :Wink:  .

----------

## nativemad

Yes, there are a lot of docs around, the only difficulty is to find a complete one, because there are so many ways how this can be done.... It only gets a bit frustrating if you always have to hack around to make things work! It's good to have multiple choices how things can be done, but sometimes it's just too much and you get the feeling that the way you chose is not the way most people are going...  :Wink: 

Sorry, I just got a bit tired about telling customers that they should ask you to make simple things (mostly OS php-apps) work. And that this is a security-feature and not a system-bug or so!

I wonder how this is done on really big hosting platforms!?! There are some hosters that offer joomla as a package and so!?! Is this on a normal vhost/mod_php/apache without anything?!? I am always a bit scared about old addons on some sites and the logs they generate, if someone (script-kiddie?) finds it... 

BTW: do you have the whole server for that joomla-Site, or is it just one vhost?

----------

## VinzC

*nativemad wrote:*

> BTW: do you have the whole server for that joomla-Site, or is it just one vhost?

No, just the vhosts. For now there are only two virtual hosts but there should be more in the future. We set it that way in case we'd want something else than Joomla. Besides, Plesk doesn't know about Joomla - there isn't even a way to act upon Apache configuration using Plesk, only global, visual "macros" (I'd say) to prepare the disk and directories for hosting a complete web site.

Once you tweak config files by hand, you must "tell" Plesk to take your changes into account... And changes you made to config files controlled by Plesk are... overwritten! Newbie's warning, of course...

[The Geek's Rant]Damn, I already dislike Joomla (ever tried to validate a Joomla web site against W3C HTML validator? try once...) and I'm certainly not glancing at Plesk with a friendly eye...  :Laughing: 

IMHO Plesk is great at providing eye-candy. But the one who, like me, is used to put his hands in the dirt will be quite disappointed.[/The Geek's Rant]

Anyways, I'll keep trying. I'll post as soon as I get to something... pleasant, you know what I mean  :Wink:  .

----------

## nativemad

 :Razz: 

This reminds me that when you want to have something done right, you have to do it yourself!   :Wink: 

After some research about hosting panels, we decided to do it with our own scripts!  :Wink: 

At least you then know that it's just pebkac!  :Rolling Eyes: 

Isn't it always a torture with a cms and w3c?   :Wink: 

Ok, if there are more vhosts to come, then anacron/inotify isn't an option... 

Perhaps a normal cronjob every minute or so with a good find&chmod script over all webroots can do that. But even then, a minute is a long time if you're uploading pictures, but it can also be quite short to scan all webroots...

I really wonder if there is a magic option in php that tweaks the default permissions?!?  :Rolling Eyes: 

----------
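Both nativemad's earlier "cron-magic" suggestion and the post above (a cron job every minute with a find&chmod script over all webroots) describe the same repair loop without showing it. The following is an added example, not a script from the thread or from Plesk: it normalises a web root to the 755/644 scheme Plesk expects, but only touches entries owned by the FTP user, so a stray root- or apache-owned file is reported rather than silently made readable, and symlinks are never followed. The web root pattern, the owner name and the crontab line are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): periodic permission repair for
# suexec'd PHP web roots. Files the su-ed php-cgi left as 700/600 are
# brought back to 755/644 so apache can serve them.
# Placeholders: WEBROOTS pattern, owner names, crontab entry.
#   * * * * * root /usr/local/sbin/fix-webroots   (crontab, placeholder)

set -u

# count_unreadable ROOT
# Number of directories lacking o+rx plus files lacking o+r under ROOT.
count_unreadable() {
    {
        find "$1" -type d ! -perm -005
        find "$1" -type f ! -perm -004
    } | wc -l | tr -d ' '
}

# fix_webroot_perms ROOT OWNER
# Only entries owned by OWNER (the FTP user) are changed; find does not
# follow symlinks by default, so a link pointing outside ROOT is inert.
fix_webroot_perms() {
    root=$1
    owner=$2
    [ -d "$root" ] || { echo "no such webroot: $root" >&2; return 1; }
    # Directories apache cannot traverse/read (e.g. 700) -> 755
    find "$root" -type d -user "$owner" ! -perm -005 -exec chmod 755 {} +
    # Files apache cannot read (e.g. 600) -> 644
    find "$root" -type f -user "$owner" ! -perm -004 -exec chmod 644 {} +
    # Anything not owned by the FTP user is reported, never widened.
    find "$root" ! -user "$owner" -print | sed "s|^|not owned by $owner: |" >&2
    return 0
}

# fix_all_webroots: iterate over every vhost (placeholder layout),
# deriving the owner from the web root directory itself.
fix_all_webroots() {
    for root in /var/www/vhosts/*/httpdocs; do   # placeholder pattern
        [ -d "$root" ] || continue
        # BSD and GNU stat differ, so read the owner with ls instead.
        owner=$(ls -ld "$root" | awk '{print $3}')
        fix_webroot_perms "$root" "$owner"
    done
}
```

Run `fix_all_webroots` from cron; the one-minute window the post worries about still exists, so this is a backstop for badly behaved components, not a replacement for fixing the umask in the php-cgi wrapper. Because the script resets modes to exactly 755/644, a directory that was deliberately tightened (for example a protected data directory) should be excluded with an extra `-path ... -prune` before deploying it.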

