Exclude sites from phpSuExec

[westhost-neil]

I'm developing some PHP software that will use a master account to hold a master set of scripts. I will then create indivdual slave accounts that will need access to these scripts.

I've disabled open_basedir for these users and setup a symlink to the folder on the master account, trouble is, when accessing the folder I get a 500 Internal Server Error.

I'm almost certain that this is a phpSuExec problem as the slaves can view HTML documents in the master account but fail when trying to run any php script.

In the suexec log I see error: target uid/gid (32079/32081) mismatch with directory (32076/32078) or program (0/0) or trusted user (0/10) which says it all.

So to get this working I hope all I need is to exclude the slave accounts from suexec rules.

Any advice would be greatly apprecited.

Neil Westlake

 

[rsaylor]

Hi, the only way to do this is to have 2 copies of apache running on different ports and have two builds of php. What makes it suexec is how php is compiled as a cgi vs a module.

 

[brianoz]

You already have the effect of a master account in that scripts can be included from /usr/local/lib/php without a path. This inclusion trick should be enough to get you going. That is, a line like this would pull in antispam.php from /usr/local/lib/php if it existed there:

include 'antispam.php';

You'll want to check phpinfo() output to make sure that /usr/local/lib/php is included in the preset include path; it is in there by default.

If that isn't enough, research a little more; I'm pretty confident there's a way to do it.

 

[westhost-neil]

Thanks for the replys.

The include php lib idea is a good which I already use for another project but is not going to be viable for this problem. I don't want to include files I need to have a single batch of scripts that are run by multiple users from a single location.

Basically each user has there own database and configuration files but all of the required scripts are run from the master location. Currently symlinking on my development server works perfect but is a problem on the live server because of phpSuExec.

It's looking like I'll have to get a dedicated server to run this app.

 

[brianoz]

There will be a way to work around this, you may need some support from the host though so if you can't get it, a VPS or dedicated server might be the way to go.

 

[westhost-neil]

Thanks for the reply,

You misunderstood me, we are the host When I referred to getting a dedicated server I meant for this application.

I've been searching the net and I still can't find anything to point me in the right direction. This is a live server so I can't just go making big changes.

Thanks anyway.

 

[sparek-3]

You could set the accounts up as addon domains. Have one parent account, and then several addon domains that act as children to the parent account.

This may not be what you are wanting, but its just a thought. With addon domains, each domain woudl be owned by the parent account. I guess the downside to this is that all of the children would also have access to the other children accounts as well.

Just a thought.

 

[brianoz]

I'm almost certain I've seen a way to modify suexec's behaviour. By the way, I'm fairly sure this is an suexec problem rather than a phpsuexec problem, if you check in the audit log you get the details you are quoting.

 

[brianoz]

For instance, the tutorial here implies that ScriptAlias can be used to share URLs between accounts (read the next section too):
http://linuxplanet.com/linuxplanet/tutorials/1445/5/

 

[rs-freddo]

turn safe mode off, for each account you wish to access master files.