0

I have configured an Apache 2.2 web server with suEXEC following a couple of tutorials after reading the official documentation. I'll put a short summary here:

# Install and enable Apache, suEXEC, FastCGI and PHP5
aptitude install apache2-mpm-worker libapache2-mod-fcgid apache2-suexec php5-cgi
a2enmod fcgid suexec actions

# Create a user with its directory configured to host a website
adduser -s/bin/false --home /var/www/crm --ingroup ftpclients crm
mkdir -p /var/www/crm/public_html

# Assign permissions after copying the website
chown -R crm:ftpclients /var/www/crm
find /var/www/crm -type -f -exec chmod 0640 {} \;
find /var/www/crm -type -d -exec chmod 0750 {} \;

# Customize FastCGI module
<IfModule mod_fcgid.c>
  AddHandler  fcgid-script .fcgi
  FcgidConnectTimeout 20
  PHP_Fix_Pathinfo_Enable 1
</IfModule>

# Customize PHP ini at /etc/php5/cgi/php.ini
cgi.fix_pathinfo=1

# Setup FastCGI wrapper for PHP
mkdir -p /var/www/php-fcgi-scripts/crm
touch /var/www/php-fcgi-scripts/crm/php-fcgi-starter # see content below
chown www-data:www-data /var/www/php-fcgi-scripts
chown -R crm:ftpclients /var/www/php-fcgi-scripts/crm
chmod 0755 /var/www/php-fcgi-scripts/crm/php-fcgi-starter

# Contents of php-fcgi-starter
#!/bin/sh
PHPRC=/etc/php5/cgi/
export PHPRC
export PHP_FCGI_MAX_REQUESTS=5000
export PHP_FCGI_CHILDREN=8
exec /usr/lib/cgi-bin/php

# Create virtual host
<VirtualHost *:80>
  ServerAdmin me@example.com
  ServerName crm.example.com

  DocumentRoot /var/www/crm/public_html

  ErrorLog /var/log/apache2/crm.log
  CustomLog /var/log/apache2/crm.log combined

  <IfModule mod_fcgid.c>
    SuexecUserGroup crm ftpclients
    <Directory /var/www/crm/public_html>
      Options +ExecCGI +FollowSymlinks
      AllowOverride All 
      AddHandler fcgid-script .php
      FCGIWrapper /var/www/php-fcgi-scripts/crm/php-fcgi-starter .php
    </Directory>
  </IfModule>
</VirtualHost>

With all this PHP executes fine, but Apache returns a 403 response for every asset: CSS files, images, etc. I had to change permissions to 644 and 755 to allow content to be accessed.

My question is: isn't suEXEC supposed to make Apache run as the user specified (crm in this case)? Why then is it necessary to relax permissions in order to access to directories and images?

I have executed ps aux and seen that crm is actually the owner of several /usr/lib/cgi-bin/php processes.

elitalon
  • 209
  • 5
  • 15

1 Answers1

0

Apache only uses suexec for running external processes. It is important to note that all other file access is still done by the httpd worker, which, in most cases, is running as the apache account (whatever that is on your system). It's possible that even CGI scripts need to be readable by the apache account; I'm not sure how many of the security checks performed by suexec are done before it changes to the target user account. PHP works because its executed via the wrapper script, so only the wrapper needs to be world-readable.

To really achieve the behavior you're expecting, you'd need to use mpm-itk and you should be aware that mpm-itk has a weaker security model than the standard Apache MPMs. (Part of the reason Apache processes run as a dedicated user is so that a security vulnerability in the Apache code cannot easily be turned into a root compromise on the machine. In order to achieve its goals, mpm-itk runs the main Apache process as root, which makes your entire system more vulnerable to exploits discovered in its code.)

asciiphil
  • 3,086
  • 3
  • 28
  • 53
  • This is precisely what we ended up doing, because it's an internal server for development purposes and security wasn't a big deal – elitalon May 07 '13 at 13:56