1

I have a server setup where new Linux users are created using (PHP):

```php
$user = escapeshellarg($username); // quote the name before it reaches the shell
shell_exec('/usr/sbin/useradd ' . $user);
exec('usermod -a -G ' . $user . ' ' . $user);  // add the user to its own group
exec('usermod -a -G ' . $user . ' www-data');  // add www-data to the user's group
```

And then the user script changes the owner and group of the files to this owner. The server is set up with suPHP, which then allows these files to be run as the owner.

This setup worked fine with Apache 2.2 but is breaking in Apache 2.4. Everything works fine except when I try to open the files, it gives a 403 forbidden error. Restarting Apache after the user is added fixes the issue but that is not a viable solution for me. The users are added using a web server and hence I need to be able to do this without having to reload/restart Apache every time.

I have searched for several hours and tried to fix the issue but haven't been able to do so! I am running Ubuntu 14.04 and I am not able to downgrade to Apache 2.2 as well.

Kshitiz
  • Is anything recorded in either the Apache error log or do you have AppArmor enabled (check with `aa-status`)? – HBruijn Sep 05 '14 at 14:06
  • Error log just shows AH00132: file permissions deny server access – Kshitiz Sep 05 '14 at 14:13
  • I don't have AppArmor enabled – Kshitiz Sep 05 '14 at 14:14
  • That error is typically an indication that the file permissions on the PHP script are incorrect. – HBruijn Sep 05 '14 at 14:32
  • Yeah I know... but if that was the case, restarting Apache should not affect anything! – Kshitiz Sep 05 '14 at 14:47
  • Also to add, I have same file permissions on different files with different owners and it works perfectly fine.. what I have narrowed it down to is that adding a new user and assigning it as owner for the files inside the www folder (apache folder) requires a restart. I didn't face this issue with Apache 2.2 – Kshitiz Sep 05 '14 at 15:19

1 Answer

2

Every time you add yourself to a group, you need to log out and log back in for the changes to take effect. The same thing is happening here: by restarting Apache you allow it to "log back in" and be in the user's group, which then allows it to read and serve the user's files.

  • Oh ok, but same settings used to work fine with Apache 2.2 as far as I remember. I started having this issue only after I HAD to upgrade to Ubuntu 14.04 and Apache 2.4. Is there a way to bypass this? – Kshitiz Sep 06 '14 at 13:33
  • A way would be to have every user be part of `www-data` group, but I'm not sure about the security of this since any user can read any other user's files. –  Sep 06 '14 at 14:30
  • Yeah, I can't do that.. Is there a way to load the group changes manually? I tried searching a lot and only relevant questions I found were regarding "Adding users without logging out" and they are more about keeping the session and changing the logged in group using "newgrp " but that doesn't work in my case.. – Kshitiz Sep 08 '14 at 06:17
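
The mismatch the answer describes can be checked directly. The following is an added example, not code from the question or the answer: it compares the group list the kernel holds for a running process (the `Gid:` and `Groups:` lines of `/proc/<pid>/status`) with what the group database currently grants. The account names, the IDs and both sample texts are constructed.

```python
import sys

# Constructed sample: /proc/<pid>/status of an Apache worker that started
# before user "alice" was created (33 = www-data on this sample host).
SAMPLE_STATUS = "Name:\tapache2\nUid:\t33\t33\t33\t33\nGid:\t33\t33\t33\t33\nGroups:\t33 1001 \n"

# Constructed sample: /etc/group after `usermod -a -G alice www-data` ran.
SAMPLE_GROUP = "www-data:x:33:\nbob:x:1001:bob,www-data\nalice:x:1002:alice,www-data\n"


def process_gids(status_text):
    """GIDs the kernel holds for the process (effective + supplementary)."""
    gids = set()
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "Gid":
            gids.add(int(value.split()[1]))      # fields: real, effective, saved, fs
        elif key == "Groups":
            gids.update(int(g) for g in value.split())
    return gids


def database_gids(group_text, user):
    """{gid: name} for every group whose member list names `user`."""
    found = {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or line.startswith("#"):
            continue                              # skip blank or malformed lines
        name, _, gid, members = fields[:4]
        if user in members.split(","):
            found[int(gid)] = name
    return found


def stale_groups(status_text, group_text, user):
    """Groups the database grants `user` that the running process lacks."""
    held = process_gids(status_text)
    granted = database_gids(group_text, user)
    return sorted(name for gid, name in granted.items() if gid not in held)


if __name__ == "__main__":
    if len(sys.argv) == 3:                        # usage: script.py <pid> <user>
        with open(f"/proc/{sys.argv[1]}/status") as s, open("/etc/group") as g:
            print(stale_groups(s.read(), g.read(), sys.argv[2]))
    else:
        print(stale_groups(SAMPLE_STATUS, SAMPLE_GROUP, "www-data"))
```

A non-empty result means the process is still running with the group list it was given at start, which is the state in which the 403 appears.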