phpsuexec issues

[Secret Agent]

I enabled phpsuexec support on my server and ran the following:

scripts/chownpublichtmls
find /home -perm 777 -type d
find /home -perm 777 -type f
find /home -perm 777 -exec chmod 755 {} \;

Clients are no longer able to access the mailing list archives.

#1

This URL is encountering the error code 500 that your note warned about, however the script is not contained in my home directory. I assume that you have aliased this to point to a server-wide installation.

#2

Existing symbolic links are no longer working. Is there a work around for this?

The index.html file is simply a symbolic link to passwordmaker.html, which is simply an HTML page with permissions of 644. I am not sure why this is now giving me an HTTP error code of 500

drwxr-xr-x 2 dmorlitz dmorlitz 4.0K Feb 14 19:34 password/

#3

Client gets an error 500 on his www.domain.com

All I can see in the error log is

[Mon Mar 20 09:13:47 2006] [error] [client 68.142.xxx.xxx] Premature end of
script headers: /home/client/public_html/client/index.php

index.php is a symlink 2 levels deep.

Code:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@client.com.es and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

I tailed /usr/local/apache/logs/suexec_log

[2006-03-20 12:20:24]: info: (target/actual) uid: (client/client) gid: (client/client) cmd: index.php
[2006-03-20 12:20:24]: error: cannot stat program: (index.php)

[2006-03-20 12:20:29]: info: (target/actual) uid: (client/client) gid: (client/client) cmd: viewtopic.php

[2006-03-20 12:20:57]: info: (target/actual) uid: (client/client) gid: (client/client) cmd: viewforum.php
[2006-03-20 12:20:57]: info: (target/actual) uid: (client/client) gid: (client/client) cmd: demo.php


htacess

<Limit GET HEAD POST>
order allow,deny
deny from cogentco.com
deny from anonymizer.com
deny from wideopenwest.com
deny from proxad.net
deny from sexnet24.tv
deny from frb.org
deny from 38.113.234.
allow from all
</LIMIT>

# BLOCK blank referrer -AND- UA except for HEAD
RewriteCond %{REQUEST_METHOD} !^HEAD$
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* bad_referrer.php [L]

# BLOCK *Faked* blank referer -OR- UA
RewriteCond %{HTTP_REFERER} ^-$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^-$
RewriteRule .* bad_referrer.php [L]
<Files 403.shtml>
order allow,deny
allow from all
</Files>


htaccess.org

# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName www.client.com
AuthUserFile /home/client/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/client/public_html/_vti_pvt/service.grp

[dave9000]

sounds like it can not find index.php

what happens when you run this from shell

php /home/client/public_html/client/index.php

also any file that is called by phpsuexec must be chown client:client <filename>

[Secret Agent]

root@server2 [/home/client/public_html]# php /home/client/public_html/client/index.php
Could not open input file: /home/client/public_html/client/index.php

[dave9000]

root@server2 [/home/client/public_html]# php /home/client/public_html/client/index.php
Could not open input file: /home/client/public_html/client/index.php

I would suggest blowing away the symlink and recreating it and then chown client:group both the symlink and the target file and verify permission are 0755 or less

reason for the error is the index.php is not a valid file

[Secret Agent]

I will try that out thank you much

Do you know anything about the mailing list and symbolic link issue also I mentioned?

[Secret Agent]

What should be in place of "group"?

chown client:group

[dave9000]

can't help ya on the mailing list, never messed with them before


however on the symlinks

watch the suexec log for uid/gid mismatch, with phpsuexec and same for suexec the file must execute as the owner of the web space either by chowning the symlink or the target file or both

also no php directives can be in .htaccess they must be moved to a php.ini

phpsuexec will not allow permission greater than 0755 and will run perfectly well with permissions of 0700

directories must follow the same permissions structure

and as a test try to run the file via command line and watch the console output this will usually give more output than the php error log will

[dave9000]

guess we posted about the same time lol

usually the group will be the same name as the client

as in chown test:test index.php

only exception to this is the /home/<client>/public_html which will be

client:nobody

all files/directories inside the public_html directory should be client:client permissions

dont get discouraged on the phpsuexec, it takes a bit of time to learn the quirks of it but once you do then its easy to make all scripts/files work under it.

and with phpsuexec mail no longer goes out as nobody@ and if you do happen to get exploited by a insecure php script then its easy to see where it came from and damage will be limited to the 1 client since all php will execute as the client username.

[Secret Agent]

* see below *

duplicate

[Secret Agent]

Thanks but unfortunately it still doesn't work

chown client:client /home/client/public_html/typo3_src/index.php
chown client:client index.php

I still get the 500 error on the www.domain.com

Code:

4.0K drwxr-xr-x  35 client nobody 4.0K Mar 20 21:30 ./
4.0K drwx--x--x  16 client client  4.0K Mar 20 21:22 ../
 20K -rw-r--r--   1 client client   19K Jul  9  2004 1.swf
 20K -rw-r--r--   1 client client   18K Jul  9  2004 2.swf
 24K -rw-r--r--   1 client client   23K Jul  9  2004 3.swf
4.0K -rw-r--r--   1 client client   614 Jul 25  2005 404.shtml
 20K -rw-r--r--   1 client client   17K Jul  9  2004 4.swf
 20K -rw-r--r--   1 client client   18K Jul  9  2004 5.swf
 16K -rw-r--r--   1 client client   14K May 11  2003 animate.js
4.0K -rw-r--r--   1 client client   426 Jul 25  2005 bad_referrer.php
4.0K drwxr-xr-x   3 client client  4.0K Jan 28 18:56 cgi-bin/
4.0K drwxr-xr-x   6 client client  4.0K Mar 20 08:03 chie/
4.0K -rwxr-xr-x   1 client client    46 Sep  3  2003 clear.gif*
4.0K drwxr-xr-x   2 client client  4.0K Jan 28 18:56 cv/
4.0K drwxr-xr-x   4 client client  4.0K Jan 28 18:56 deutsch/
4.0K drwxr-xr-x   5 client client  4.0K Jan 28 18:55 english/
 68K -rw-r--r--   1 client client   64K Jul  4  2005 error_log
4.0K drwxr-xr-x  13 client client  4.0K Jan 28 18:56 espanol/
4.0K drwxr-xr-x  17 client client  4.0K Mar 20 21:31 fileadmin/
4.0K drwxr-xr-x   3 client client  4.0K Mar 20 07:42 files/
4.0K drwxr-xr-x   2 client client  4.0K Jan 28 18:56 fotos/
4.0K drwxr-xr-x   4 client client  4.0K Jan 28 18:55 graphicsmagick-1.1.6/
1.6M -rw-r--r--   1 client client  1.6M May 31  2005 graphicsmagick-1.1.6_i386-static-2.tar.gz
4.0K -rw-r--r--   1 client client   646 Mar 17 08:32 .htaccess
4.0K -rw-r--r--   1 client client   351 Jul  9  2004 .htaccess.org
4.0K drwxr-xr-x   4 client client  4.0K Jan 28 18:56 imagemagick-4.2.9/
2.0M -rw-r--r--   1 client client  2.0M May 25  2004 imagemagick-4.2.9_i386-static-3.tar.gz
4.0K drwxr-xr-x   2 client client  4.0K Jan 28 18:55 images/
4.0K -rwxr-xr-x   1 client client  3.9K Aug 16  2004 index.html*
   0 lrwxrwxrwx   1 client client    19 Mar 20 20:32 index.php -> typo3_src/index.php*
160K -rwxr-xr-x   1 client client  154K Jan 27 12:38 japanese_interface.jpg*
4.0K drwxr-xr-x   6 client client  4.0K Mar 20 21:42 clientorg/
4.0K -rw-r--r--   1 client client   114 Jul  9  2004 loader.swf
4.0K -rw-r--r--   1 client client  1.2K Jul  9  2004 main.html
192K -rw-r--r--   1 client client  185K Jul  9  2004 main.swf
   0 lrwxrwxrwx   1 client client    11 Mar 20 21:06 media -> tslib/media/
4.0K drwxr-xr-x   3 client client  4.0K Mar 17 09:18 pfau/
4.0K -rw-r--r--   1 client client   212 Mar 17 08:32 php.ini
4.0K -rw-r--r--   1 client client  2.4K Jul  9  2004 postinfo.html
8.0K -rw-r--r--   1 client client  4.2K Jul  9  2004 preloader.swf
4.0K drwxr-xr-x   2 client client  4.0K Jan 28 18:57 _private/
4.0K -rw-r--r--   1 client client    26 Jun 20  2005 robots.txt
4.0K drwxr-xr-x   3 client client  4.0K Feb 10 06:41 stuff/
4.0K drwxr-xr-x   3 client client  4.0K Mar 20 12:45 sweets/
   0 lrwxrwxrwx   1 client client    15 Mar 20 21:05 t3lib -> typo3_src/t3lib/
4.0K drwxr-xr-x   3 client client  4.0K Jan 28 18:55 terminator/
4.0K drwxr-xr-x   3 client client  4.0K Jan 28 18:56 test/
4.0K drwxr-xr-x  14 client client  4.0K Mar 20 12:03 tfd/
   0 lrwxrwxrwx   1 client client    32 Mar 20 21:04 tslib -> typo3_src/typo3/sysext/cms/tslib/
4.0K drwxr-xr-x   2 client client  4.0K Mar 14 11:33 tuer/
   0 lrwxrwxrwx   1 client client    15 Mar 20 21:03 typo3 -> typo3_src/typo3/
4.0K drwxr-xr-x   3 client client  4.0K Mar 20 07:58 typo3conf/
   0 lrwxrwxrwx   1 client client    16 Mar 17 09:21 typo3_src -> typo3_src-4.0rc1/
4.0K drwxr-xr-x   5 client client  4.0K Jan 28 18:56 typo3_src-3.8.0/
4.0K drwxr-xr-x   5 client client  4.0K Feb 15 18:00 typo3_src-4.0beta3/
4.0K drwxr-xr-x   5 client client  4.0K Mar 17 09:20 typo3_src-4.0rc1/
7.9M -rw-r--r--   1 client client  7.9M Mar 10 09:31 typo3_src-4.0rc1.tar.gz
 20K drwxr-xr-x   8 client client   20K Mar 20 07:58 typo3temp/
 12K drwxr-xr-x  41 client client   12K Mar 20 07:58 uploads/
4.0K drwxr-xr-x   4 client client  4.0K Mar 17 09:06 uprooted/
4.0K drwxr-xr-x   4 client client  4.0K Jan 28 18:55 _vti_bin/
4.0K drwxr-xr-x   2 client client  4.0K Jan 28 18:55 _vti_cnf/
4.0K -rw-r--r--   1 client client  1.8K Jul  9  2004 _vti_inf.html
4.0K drwxr-xr-x   2 client client  4.0K Jan 28 18:56 _vti_log/
4.0K drwxr-x---   2 client client  4.0K Jan 28 18:56 _vti_pvt/
4.0K drwxr-xr-x   2 client client  4.0K Jan 28 18:55 _vti_txt/

[dave9000]

looking this over is there any reason to use 2 levels of symlinks ?

can you just symlink direct to the target ?

also if you access the target file direct does it work ?

php /home/client/public_html/typo3_src-4.0rc1/index.php

or via browser

www.domain.tld/typo3_src-4.0rc1/index.php

lets start here on making it work and once this is working then we can move on to the symlinks

[Secret Agent]

Client:

Yes, I can invoke the file via www.client.org/typo3_src/index.php however
TYPO3 will not start this way. The symlinks are like that because it's
easiest for me to update with new distributions. It did work before that
way.

[dave9000]

looking over a symlinked directory we use here that works with phpsuexec

check these permissions

/home/client 0711 client:client

/home/client/public_html 0750 client:nobody

/home/client/public_html/<all directories> 0755 client:client

/home/client/public_html/<all files> 0644 client:client

and then if still no go

cat /home/client/public_html/index.php and see if the file is actually showing up there

if it is then

start in the public_html folder and work your way through the web modifing all .htaccess files and then test after each modification

cp -f .htaccess .htaccess.old

touch .htaccess

chown client:client .htaccess

I really believe we got a permissions issue here and with phpsuexec permissions can be a bit tricky

[Secret Agent]

cat /home/client/public_html/index.php
shows the index.php coding


The permissions look right (as I pasted previously)

"start in the public_html folder and work your way through the web modifing all .htaccess files and then test after each modification"

What in the htaccess files am I supposed to modify? Please explain

These are the symlinks

Code:

   0 lrwxrwxrwx   1 client client       19 Mar 20 20:32 index.php -> typo3_src/index.php
   0 lrwxrwxrwx   1 client client       32 Mar 20 21:04 tslib -> typo3_src/typo3/sysext/cms/tslib/
   0 lrwxrwxrwx   1 client client       16 Mar 17 09:21 typo3_src -> typo3_src-4.0rc1/

[dave9000]

copy the .htaccess to a different name like .htaccess

then rm -f .htaccess then touch .htaccess

chown client:client .htaccess

this will remove all info from the .htaccess and eliminate it as a possible problem

i semt you a PM this morning also