
I am setting up a suexec environment with Apache2 and PHP 7.0 with FastCGI.

I have installed everything the normal way:

aptitude install libapache2-mod-fcgid apache2-suexec-custom
a2enmod suexec

My server has the following structure:

  • There are users who have their websites in /home/username/public_html/ (Linux user "username")
  • and there is a main website which has its docroot in /data/www/ (user "homepage").

SuEXEC works so far, but there is a major problem: for some reason, suEXEC queries /etc/apache2/suexec/www-data instead of /etc/apache2/suexec/username, therefore I can only have my website at /data working, or the websites at /home working, but not both. I do not understand that, since no script on my server is owned by www-data.

/etc/apache2/suexec/www-data (unchanged, since I don't use www-data)

/var/www
public_html/cgi-bin

/etc/apache2/suexec/homepage

/data
www/cgi-bin

/etc/apache2/suexec/userXYZ

/home/userXYZ
public_html/cgi-bin

/data/www/cgi-bin/php-fcgi

#!/bin/sh
export PHPRC="/etc/php/7.0/cgi"
exec /usr/bin/php-cgi

/home/userXYZ/public_html/cgi-bin/php-fcgi

#!/bin/sh
export PHPRC="/etc/php/7.0/cgi"
exec /usr/bin/php-cgi

/etc/apache2/sites-enabled/...

<Directory /data/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
    FCGIWrapper /data/www/cgi-bin/php-fcgi .php
    <FilesMatch \.php$>
        SetHandler fcgid-script
    </FilesMatch>
    Options +ExecCGI
</Directory>

<Directory /home/userXYZ/public_html/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
    FCGIWrapper /home/userXYZ/public_html/cgi-bin/php-fcgi .php
    <FilesMatch \.php$>
        SetHandler fcgid-script
    </FilesMatch>
    Options +ExecCGI
</Directory>

<VirtualHost *:80>
        DocumentRoot "/home/userXYZ/public_html"
        SuexecUserGroup userXYZ userXYZ
        ServerName ...
</VirtualHost>

<VirtualHost *:80>
        DocumentRoot "/data/www"
        SuexecUserGroup homepage homepage
        ServerName ...
</VirtualHost>

So, when I access my main home (/data/www), it does not work since suexec/www-data.conf has its docroot at /var/www. If I change suexec/www-data.conf to /data, then the main homepage works. But then the users' websites do not work, since they are located at /home. If I change www-data to /home, then my main homepage does not work, since it has its docroot at /data... How can I stop suEXEC from querying the www-data config and have it query the correct user config instead?

Daniel Marschall

1 Answer

According to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785740:

The idea is to be able to have different apache2 processes running as different users be able to use different suexec configs.

Thus, if apache2 runs under www-data, only the file /etc/apache2/suexec/www-data is being considered.
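
The lookup described in this answer, modelled as an added shell example (not part of the original answer, and not code from Apache or Debian): the config file is chosen by the user Apache runs as, and its first line is the only permitted document root. The function names, the `SUEXEC_CONF_DIR` override and the path-prefix test are assumptions made for illustration; real suexec applies further ownership and permission checks.

```shell
#!/bin/sh
# Added example: which suexec-custom config applies, and does it cover a wrapper dir?
# Assumption: config is selected by Apache's run user; line 1 is the allowed docroot.
SUEXEC_CONF_DIR="${SUEXEC_CONF_DIR:-/etc/apache2/suexec}"

# Print the config file consulted for a given Apache run user.
suexec_config_for() {
    printf '%s/%s\n' "$SUEXEC_CONF_DIR" "$1"
}

# Print the docroot (first line) of a config file; fail if empty or disabled with '#'.
suexec_docroot() {
    root=$(sed -n '1p' "$1") || return 1
    case "$root" in
        ''|'#'*) return 1 ;;
    esac
    printf '%s\n' "${root%/}"
}

# Return 0 if directory $2 lies at or below the docroot allowed for run user $1.
wrapper_dir_allowed() {
    conf=$(suexec_config_for "$1")
    [ -r "$conf" ] || return 2
    root=$(suexec_docroot "$conf") || return 2
    case "${2%/}/" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample mirroring the three config files shown in the question.
demo_setup() {
    SUEXEC_CONF_DIR=$(mktemp -d)
    printf '/var/www\npublic_html/cgi-bin\n' > "$SUEXEC_CONF_DIR/www-data"
    printf '/data\nwww/cgi-bin\n' > "$SUEXEC_CONF_DIR/homepage"
    printf '/home/userXYZ\npublic_html/cgi-bin\n' > "$SUEXEC_CONF_DIR/userXYZ"
}

# Report, for one run user, which of the question's wrapper directories pass.
demo_report() {
    for d in /data/www/cgi-bin /home/userXYZ/public_html/cgi-bin /var/www/cgi-bin; do
        if wrapper_dir_allowed "$1" "$d"; then echo "$d: allowed"; else echo "$d: rejected"; fi
    done
}

if [ "${1:-}" = "--demo" ]; then demo_setup; demo_report www-data; fi
```

Run with `--demo` to see that, with Apache running as www-data, the `homepage` and `userXYZ` files are never read and both wrapper directories from the question are rejected.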