DevHeads.net

mod_suexec with mod_userdir and fcgid (webapps in subdirs with separated user context)

Hello list,

I try to make web applications available in subfolders of one
VirtualHost, but each one in an isolated user context. All web apps are
PHP applications and I use mod_fcgid to run them.

Unfortunately, SuexecUserGroup is not not allowed in Directory context,
which would be by far the simples solution.

So to achieve my goal, I tried (and failed with) two different approaches:

1. Using mod_userdir together with mod_suexec
2. ProxyPass to separate localhost vhosts for each app

Since the first approach seems much cleaner and more straight forward to
me, I'd prefer that one.

Maybe you have other suggestions on how to achieve my goal?

Now to the problem I ran into with my first approach:

I have UserDir enabled for system user 'webapp1' and the UserDir path
set to '/var/www/*/www' (see the VirtualHost config below). This works
as expected, I can access static content from within the UserDir.

Additionally, I have fcgid configured for the UserDir and apparently the
php scripts are executed using suexec and php-cgi7.0. A suexec process
is spawned by user 'webapp1' when requesting a php file, but it
immediately turns into 'suexec <defunct>' (a zombie process).

In the apache2 error log shows:

uid: (1002/webapp1) gid: (1002/webapp1) cmd: php-fcgi-starter
cannot get docroot information (/var/www/webapp1)

And the apache2 suexec log:

[fcgid:warn] [pid 30884:tid 140484201527040] (104)Connection reset by
peer: [client 192.168.0.1:31937] mod_fcgid: error reading data from
FastCGI server
[core:error] [pid 30884:tid 140484201527040] [client 192.168.0.1:31937]
End of script output before headers: index.php

I double checked that all files under /var/www/webapp1 belong to
user+group 'webapp1' and that they're accessible. I even recursively set
world-readable permissions on the directory, which didn't change anything.

Do you have a good idea on why running php-cgi7.0 through fcgi with
suexec and userdir results in this suexec error 'cannot get docroot
information'?

Any hints and suggestions would be highly appreciated :)

The VirtualHost config (my current take) is as follows:

<VirtualHost *:443>
[...]
Userdir disabled
Userdir enabled webapp1
UserDir /var/www/*/www

<IfModule fcgid_module>
<Directory /var/www/webapp1/www>
AddHandler fcgid-script .php
FCGIWrapper /var/www/webapp1/php-fcgi/php-fcgi-starter .php
Options +ExecCGI
</Directory>

IPCConnectTimeout 20
IPCCommTimeout 60
FcgidBusyTimeout 60
MaxRequestLen 10485760
</IfModule>
</VirtualHost>

Looking forward to your responses.

Kind regards,
jonas

Comments

Re: mod_suexec with mod_userdir and fcgid (webapps

By jonas at 04/23/2018 - 09:40

Hello again,

maybe my previous mail was to verbose, or maybe simply nobody has an
idea. Still I'd like to give it a second try:

Do you have a good idea why php-cgi7.0 throws the following error when
used with mod_fcgid, mod_usermod and mod_suexec?

uid: (1002/webapp1) gid: (1002/webapp1) cmd: php-fcgi-starter cannot get
docroot information (/var/www/webapp1)

$ ls -al /var/www/webapp1
drwxr-xr-x 9 root root 4096 Jun 29 2014 .
drwxr-x--- 2 webapp1 webapp1 4096 Nov 7 15:14 php-fcgi
drwxr-x--- 2 webapp1 webapp1 4096 Apr 11 2015 www
[...]

The same setup works perfectly fine without mod_usermod (i.e. when the
whole VHost has a dedicated suexec user). Only with mod_usermod, we get
this strange error.

Cheers,
jonas

Am 15.04.2018 um 12:26 schrieb Jonas Meurer:

Re: Re: mod_suexec with mod_userdir and fcgid (web

By Luca Toscano at 04/24/2018 - 04:36

Hi Jonas,

2018-04-23 15:40 GMT+02:00 Jonas Meurer < ... at freesources dot org>:

Premise: I am super ignorant about suexec & C, but this snippet of code in
suexec.c seems to be the one returning the error:

if (getcwd(cwd, AP_MAXPATH) == NULL) {
log_err("cannot get current working directory\n");
exit(111);
}

if (userdir) {
if (((chdir(target_homedir)) != 0) ||
((chdir(AP_USERDIR_SUFFIX)) != 0) ||
((getcwd(dwd, AP_MAXPATH)) == NULL) ||
((chdir(cwd)) != 0)) {
log_err("cannot get docroot information (%s)\n",
target_homedir);
exit(112);
}
}

As far as I can see, this is what it tries to do:

- save the current working dir to 'cwd'
- change dir to "target_homedir", that should be in this
case /var/www/webapp1
- change dir to AP_USERDIR_SUFFIX, that if not re-defined should be
"public_html" (#define AP_USERDIR_SUFFIX "public_html" in suexec.h)
- set the variable 'dwd' (docroot working directory) to the above
- change dir back to cwd (current working directory)

So I'd try to add a public_html directory and see how it goes.

Hope that helps!

Luca

Re: Re: mod_suexec with mod_userdir and fcgid (web

By jonas at 05/09/2018 - 18:59

Hi Luca,

thanks for your valuable feedback. With your help I finally found a
solution. It feels like a dirty hack, but it works ;)

Am 24.04.2018 um 10:36 schrieb Luca Toscano:
Which seems like a bug to me. mod_userdir explicitly allows to change
the default path to userdir and suExec should take that into account
instead of hardcoding AP_USERDIR_SUFFIX at compile-time.

Indeed, that helped! I created /var/www/webapp1/public_html as empty
directory. Next error I got was:

[2018-05-10 00:27:34]: command not in docroot
(/var/www/webapp1/php-fcgi/php-fcgi-starter)

Which comes from the following code in suexec.c:

if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
log_err("command not in docroot (%s/%s)\n", cwd, cmd);
exit(114);
}

So next step was to replace the newly created directory with a symlink:

$ ln -s php-fcgi /var/www/webapp1/public_html

and replace

FCGIWrapper /var/www/webapp1/php-fcgi/php-fcgi-starter .php

with

FCGIWrapper /var/www/webapp1/public_html/php-fcgi-starter .php

in the VHost config. Unbelievable, but that finally worked. My PHP apps
now run with php-fcgi as the userdir user 'webapp1' by suExec. Yay!

So it seems like I have to trick suExec twice to get it working with
mod_userdir and a custom userdir path:

1. create subdir public_html inside home directory of my suExec user
2. make public_html a symlink to the dir where the php-fcgi starter
script resides and run it from theere as suExec otherwise refuses to
run the script.

Thanks a ton. I'm still not 100% sure whether I do it the right way, but
it occurs to me as if I just discovered two bugs in Apache2 suExec that
make crazy workarounds necessary.

What do you think?

Cheers,
jonas

Re: Re: mod_suexec with mod_userdir and fcgid (web

By Luca Toscano at 05/23/2018 - 14:00

Hi Jonas,

2018-05-10 0:59 GMT+02:00 Jonas Meurer < ... at freesources dot org>:
Sorry for the lag in answering. I reviewed a bit the code and found out
that this is a pretty common use case (looking for AP_USERDIR_SUFFIX and
suexec in Google revealed a ton of material). suexec is compiled separately
from httpd, since as you can see from the source it gets a main() by
itself. This means that whatever you set in the httpd's config will not
affect AP_USERDIR_SUFFIX, that is a parameter compiled with suexec (you can
tune it using httpd's configure though at build time, but once you create
the suexec binary it is done). As far as I can see there are suexec
variant's shipped with some distributions that allow a suexec config file,
but I don't have a lot of experience with systems like these.

In this list there should be people running into the same issue that you
encountered, let's see if another ping triggers some answers :)

Hope that helps!

Luca