
I am trying to replace suPHP with FastCGI. Earlier, I had folders with different owners and groups. Each group had www-data as a member as well. When any PHP file was run using the browser, it was run as the owner of the file. So if a file was owned by user A (group A, with www-data and A as members), it was executed as user A:

shell_exec('whoami') => return A

Now, I installed fastcgi and have configured it to run PHP files.

Here is my php5-fpm.conf file:

<IfModule mod_fastcgi.c>
    AddHandler php5-fcgi .php
    Action php5-fcgi /php5-fcgi
    Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
    FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock -pass-header Authorization
</IfModule>

My issue is that now, when I run the same file, which is owned by A:

shell_exec('whoami') => return www-data

What am I doing wrong?

Kshitiz

2 Answers

You can replace suPHP with FastCGI+PHP-FPM, but you'll need to set up an FPM pool per user and a virtual host per user (as you will need separate FastCgiExternalServer directives per user/pool, and those are only valid per virtual host).

For example, in a given virtual root:

<FilesMatch "\.php$">
  SetHandler php5-fcgi
</FilesMatch>
Action php5-fcgi /php5-fcgi-username
Alias /php5-fcgi-username /usr/lib/cgi-bin/php5-fcgi-username
FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi-username -socket /var/run/php5-fpm-username.sock -pass-header Authorization

and then in the FPM pool configuration you can use something like:

listen = /var/run/php5-fpm-username.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
user = ownerusername
group = ownerusergroup
pm = ondemand
pm.max_children = 30
pm.process_idle_timeout = 120s
pm.max_requests = 50000
catch_workers_output = yes

The listen.owner and listen.group FPM pool parameters are the user/group of the web server (that user is the only one allowed to connect to the PHP-FPM socket).

The user and group FPM pool parameters are the user and group used to run the PHP scripts.

If you have 10 users, you'll need 10 FPM pools.

Performance is much better with FastCGI+PHP-FPM when having lots of hits, but configuration tuning is harder. For a site/application with not-so-many hits per second, I really would not bother with FastCGI and PHP-FPM. Besides, with suPHP you get a per-user php.ini that you can edit without restarting the web server; with PHP-FPM all pools share the same php.ini and you need to restart the FPM daemon to reload it.

MV.
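As an added example (not part of MV.'s answer), a small POSIX shell script that renders the per-user pool and the matching Apache snippet described above for one site owner, and checks that the pool really runs as that owner rather than as the web server. The owner names and output paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the answer above: renders one PHP-FPM pool plus the
# matching per-virtualhost Apache snippet for a site owner, as MV. lays out,
# and checks that the pool really runs as that owner. Owner names are placeholders.

# Pool definition for one owner: $1 = script user, $2 = script group.
# listen.owner/group stay www-data so only Apache may connect to the socket.
render_pool() {
    cat <<EOF
[$1]
listen = /var/run/php5-fpm-$1.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
user = $1
group = $2
pm = ondemand
pm.max_children = 30
pm.process_idle_timeout = 120s
pm.max_requests = 50000
catch_workers_output = yes
EOF
}

# Apache directives for that owner's virtual host ($1 = username); the
# FastCgiExternalServer line ties this vhost to the owner's socket.
render_apache() {
    cat <<EOF
<FilesMatch "\.php\$">
  SetHandler php5-fcgi
</FilesMatch>
Action php5-fcgi /php5-fcgi-$1
Alias /php5-fcgi-$1 /usr/lib/cgi-bin/php5-fcgi-$1
FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi-$1 -socket /var/run/php5-fpm-$1.sock -pass-header Authorization
EOF
}

# Succeeds only if the pool's script user differs from the socket owner
# (the web server). A pool with user = www-data gives exactly the
# single-user behaviour the question complains about (whoami => www-data).
pool_isolated() {
    u=$(sed -n 's/^user *= *//p' "$1")
    o=$(sed -n 's/^listen\.owner *= *//p' "$1")
    [ -n "$u" ] && [ "$u" != "$o" ]
}

# Example use: render_pool alice alice > /etc/php5/fpm/pool.d/alice.conf
#              render_apache alice   >> /etc/apache2/sites-available/alice.conf
```

After restarting php5-fpm and Apache, a script in alice's vhost should report alice from shell_exec('whoami'), which is the check the question is after.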

whoami just shows you your current user, under which the current script is running.

In Ubuntu via FastCGI you run your scripts as the www-data user, not as the user who owns that file. This is by design; it helps you restrict web scripts from accessing the files they aren't allowed to access. If you need to change this behavior, you need to change the user Apache is running as, somewhere in the config files.

On my system this is specified in /etc/apache2/envvars by setting these two environment variables:

export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data

baldrs
  • OK, so with FastCGI I cannot replicate the suPHP behavior? All I need is to run the PHP file as the owner (which was why I was using suPHP). Changing the Apache user does not solve my problem. I need to run the PHP file not as a single user; each file needs to be run as the user who is the owner. – Kshitiz Sep 05 '14 at 08:53
  • No, you can't. It is suPHP's purpose to provide such behavior, which is rather unusual. You should continue using suPHP if you need it. – baldrs Sep 05 '14 at 09:15
  • Oh OK, but I found this thread http://www.fastcgi.com/archives/fastcgi-developers/2011-May/000717.html which talked about the exact same thing, and the guy was able to resolve it. I am not sure how, though! – Kshitiz Sep 05 '14 at 10:09
  • Why, in the first place, do you need to run PHP files as their owner? – baldrs Sep 05 '14 at 10:21
  • http://www.fastcgi.com/archives/fastcgi-developers/2011-May/000720.html "Resolved - php 5.3.3 must be configured with --enable-fpm (FastCGI Process Manager)." I need to create a mass virtual hosting environment and suPHP did the job for me by allowing all files to be run by their specific users... – Kshitiz Sep 05 '14 at 10:23