The Community Forums


phpsuexec issues

Discussion in 'General Discussion' started by Secret Agent, Mar 20, 2006.

  1. Secret Agent

    Secret Agent Guest

    I enabled phpsuexec support on my server and ran the following:

    scripts/chownpublichtmls
    find /home -perm 777 -type d
    find /home -perm 777 -type f
    find /home -perm 777 -exec chmod 755 {} \;

    Clients are no longer able to access the mailing list archives.

    #1

    This URL is encountering the error code 500 that your note warned about, however the script is not contained in my home directory. I assume that you have aliased this to point to a server-wide installation.

    #2

    Existing symbolic links are no longer working. Is there a work around for this?

    The index.html file is simply a symbolic link to passwordmaker.html, which is simply an HTML page with permissions of 644. I am not sure why this is now giving me an HTTP error code of 500

    drwxr-xr-x 2 dmorlitz dmorlitz 4.0K Feb 14 19:34 password/

    #3

    Client gets an error 500 on his www.domain.com

    All I can see in the error log is

    [Mon Mar 20 09:13:47 2006] [error] [client 68.142.xxx.xxx] Premature end of
    script headers: /home/client/public_html/client/index.php

    index.php is a symlink 2 levels deep.

    Code:
    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.
    
    Please contact the server administrator, webmaster@client.com.es and inform them of the time the error occurred, and anything you might have done that may have caused the error.
    
    More information about this error may be available in the server error log.
    
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. 
    
    I tailed /usr/local/apache/logs/suexec_log

    [2006-03-20 12:20:24]: info: (target/actual) uid: (client/client) gid: (client/client) cmd: index.php
    [2006-03-20 12:20:24]: error: cannot stat program: (index.php)

    [2006-03-20 12:20:29]: info: (target/actual) uid: (client/client) gid: (client/client) cmd: viewtopic.php

    [2006-03-20 12:20:57]: info: (target/actual) uid: (client/client) gid: (client/client) cmd: viewforum.php
    [2006-03-20 12:20:57]: info: (target/actual) uid: (client/client) gid: (client/client) cmd: demo.php


    htaccess

    <Limit GET HEAD POST>
    order allow,deny
    deny from cogentco.com
    deny from anonymizer.com
    deny from wideopenwest.com
    deny from proxad.net
    deny from sexnet24.tv
    deny from frb.org
    deny from 38.113.234.
    allow from all
    </LIMIT>

    # BLOCK blank referrer -AND- UA except for HEAD
    RewriteCond %{REQUEST_METHOD} !^HEAD$
    RewriteCond %{HTTP_REFERER} ^$
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* bad_referrer.php [L]

    # BLOCK *Faked* blank referer -OR- UA
    RewriteCond %{HTTP_REFERER} ^-$ [OR]
    RewriteCond %{HTTP_USER_AGENT} ^-$
    RewriteRule .* bad_referrer.php [L]
    <Files 403.shtml>
    order allow,deny
    allow from all
    </Files>


    htaccess.org

    # -FrontPage-

    IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

    <Limit GET POST>
    order deny,allow
    deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>
    AuthName www.client.com
    AuthUserFile /home/client/public_html/_vti_pvt/service.pwd
    AuthGroupFile /home/client/public_html/_vti_pvt/service.grp
     
  2. dave9000

    dave9000 Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    891
    Likes Received:
    1
    Trophy Points:
    16
    Location:
    arkansas
    cPanel Access Level:
    Root Administrator
    sounds like it can not find index.php

    what happens when you run this from shell

    php /home/client/public_html/client/index.php

    also any file that is called by phpsuexec must be chown client:client <filename>
     
    #2 dave9000, Mar 20, 2006
    Last edited: Mar 20, 2006
  3. Secret Agent

    Secret Agent Guest

    root@server2 [/home/client/public_html]# php /home/client/public_html/client/index.php
    Could not open input file: /home/client/public_html/client/index.php
     
  4. dave9000

    dave9000 Well-Known Member

    I would suggest blowing away the symlink and recreating it and then chown client:group both the symlink and the target file and verify permissions are 0755 or less

    reason for the error is the index.php is not a valid file
     
  5. Secret Agent

    Secret Agent Guest

    I will try that out thank you much

    Do you know anything about the mailing list and symbolic link issue also I mentioned?
     
  6. Secret Agent

    Secret Agent Guest

    What should be in place of "group"?

    chown client:group
     
  7. dave9000

    dave9000 Well-Known Member

    can't help ya on the mailing list, never messed with them before


    however on the symlinks

    watch the suexec log for uid/gid mismatch, with phpsuexec and same for suexec the file must execute as the owner of the web space either by chowning the symlink or the target file or both

    also no php directives can be in .htaccess they must be moved to a php.ini

    phpsuexec will not allow permission greater than 0755 and will run perfectly well with permissions of 0700

    directories must follow the same permissions structure

    and as a test try to run the file via command line and watch the console output this will usually give more output than the php error log will
     
  8. dave9000

    dave9000 Well-Known Member

    guess we posted about the same time lol

    usually the group will be the same name as the client

    as in chown test:test index.php

    only exception to this is the /home/<client>/public_html which will be

    client:nobody

    all files/directories inside the public_html directory should be client:client permissions

    don't get discouraged on the phpsuexec, it takes a bit of time to learn the quirks of it but once you do then it's easy to make all scripts/files work under it.

    and with phpsuexec mail no longer goes out as nobody@ and if you do happen to get exploited by an insecure php script then it's easy to see where it came from and damage will be limited to the 1 client since all php will execute as the client username.
     
    #8 dave9000, Mar 20, 2006
    Last edited: Mar 20, 2006
  9. Secret Agent

    Secret Agent Guest

    * see below *

    duplicate
     
  10. Secret Agent

    Secret Agent Guest

    Thanks but unfortunately it still doesn't work

    chown client:client /home/client/public_html/typo3_src/index.php
    chown client:client index.php

    I still get the 500 error on the www.domain.com

    Code:
    4.0K drwxr-xr-x  35 client nobody 4.0K Mar 20 21:30 ./
    4.0K drwx--x--x  16 client client  4.0K Mar 20 21:22 ../
     20K -rw-r--r--   1 client client   19K Jul  9  2004 1.swf
     20K -rw-r--r--   1 client client   18K Jul  9  2004 2.swf
     24K -rw-r--r--   1 client client   23K Jul  9  2004 3.swf
    4.0K -rw-r--r--   1 client client   614 Jul 25  2005 404.shtml
     20K -rw-r--r--   1 client client   17K Jul  9  2004 4.swf
     20K -rw-r--r--   1 client client   18K Jul  9  2004 5.swf
     16K -rw-r--r--   1 client client   14K May 11  2003 animate.js
    4.0K -rw-r--r--   1 client client   426 Jul 25  2005 bad_referrer.php
    4.0K drwxr-xr-x   3 client client  4.0K Jan 28 18:56 cgi-bin/
    4.0K drwxr-xr-x   6 client client  4.0K Mar 20 08:03 chie/
    4.0K -rwxr-xr-x   1 client client    46 Sep  3  2003 clear.gif*
    4.0K drwxr-xr-x   2 client client  4.0K Jan 28 18:56 cv/
    4.0K drwxr-xr-x   4 client client  4.0K Jan 28 18:56 deutsch/
    4.0K drwxr-xr-x   5 client client  4.0K Jan 28 18:55 english/
     68K -rw-r--r--   1 client client   64K Jul  4  2005 error_log
    4.0K drwxr-xr-x  13 client client  4.0K Jan 28 18:56 espanol/
    4.0K drwxr-xr-x  17 client client  4.0K Mar 20 21:31 fileadmin/
    4.0K drwxr-xr-x   3 client client  4.0K Mar 20 07:42 files/
    4.0K drwxr-xr-x   2 client client  4.0K Jan 28 18:56 fotos/
    4.0K drwxr-xr-x   4 client client  4.0K Jan 28 18:55 graphicsmagick-1.1.6/
    1.6M -rw-r--r--   1 client client  1.6M May 31  2005 graphicsmagick-1.1.6_i386-static-2.tar.gz
    4.0K -rw-r--r--   1 client client   646 Mar 17 08:32 .htaccess
    4.0K -rw-r--r--   1 client client   351 Jul  9  2004 .htaccess.org
    4.0K drwxr-xr-x   4 client client  4.0K Jan 28 18:56 imagemagick-4.2.9/
    2.0M -rw-r--r--   1 client client  2.0M May 25  2004 imagemagick-4.2.9_i386-static-3.tar.gz
    4.0K drwxr-xr-x   2 client client  4.0K Jan 28 18:55 images/
    4.0K -rwxr-xr-x   1 client client  3.9K Aug 16  2004 index.html*
       0 lrwxrwxrwx   1 client client    19 Mar 20 20:32 index.php -> typo3_src/index.php*
    160K -rwxr-xr-x   1 client client  154K Jan 27 12:38 japanese_interface.jpg*
    4.0K drwxr-xr-x   6 client client  4.0K Mar 20 21:42 clientorg/
    4.0K -rw-r--r--   1 client client   114 Jul  9  2004 loader.swf
    4.0K -rw-r--r--   1 client client  1.2K Jul  9  2004 main.html
    192K -rw-r--r--   1 client client  185K Jul  9  2004 main.swf
       0 lrwxrwxrwx   1 client client    11 Mar 20 21:06 media -> tslib/media/
    4.0K drwxr-xr-x   3 client client  4.0K Mar 17 09:18 pfau/
    4.0K -rw-r--r--   1 client client   212 Mar 17 08:32 php.ini
    4.0K -rw-r--r--   1 client client  2.4K Jul  9  2004 postinfo.html
    8.0K -rw-r--r--   1 client client  4.2K Jul  9  2004 preloader.swf
    4.0K drwxr-xr-x   2 client client  4.0K Jan 28 18:57 _private/
    4.0K -rw-r--r--   1 client client    26 Jun 20  2005 robots.txt
    4.0K drwxr-xr-x   3 client client  4.0K Feb 10 06:41 stuff/
    4.0K drwxr-xr-x   3 client client  4.0K Mar 20 12:45 sweets/
       0 lrwxrwxrwx   1 client client    15 Mar 20 21:05 t3lib -> typo3_src/t3lib/
    4.0K drwxr-xr-x   3 client client  4.0K Jan 28 18:55 terminator/
    4.0K drwxr-xr-x   3 client client  4.0K Jan 28 18:56 test/
    4.0K drwxr-xr-x  14 client client  4.0K Mar 20 12:03 tfd/
       0 lrwxrwxrwx   1 client client    32 Mar 20 21:04 tslib -> typo3_src/typo3/sysext/cms/tslib/
    4.0K drwxr-xr-x   2 client client  4.0K Mar 14 11:33 tuer/
       0 lrwxrwxrwx   1 client client    15 Mar 20 21:03 typo3 -> typo3_src/typo3/
    4.0K drwxr-xr-x   3 client client  4.0K Mar 20 07:58 typo3conf/
       0 lrwxrwxrwx   1 client client    16 Mar 17 09:21 typo3_src -> typo3_src-4.0rc1/
    4.0K drwxr-xr-x   5 client client  4.0K Jan 28 18:56 typo3_src-3.8.0/
    4.0K drwxr-xr-x   5 client client  4.0K Feb 15 18:00 typo3_src-4.0beta3/
    4.0K drwxr-xr-x   5 client client  4.0K Mar 17 09:20 typo3_src-4.0rc1/
    7.9M -rw-r--r--   1 client client  7.9M Mar 10 09:31 typo3_src-4.0rc1.tar.gz
     20K drwxr-xr-x   8 client client   20K Mar 20 07:58 typo3temp/
     12K drwxr-xr-x  41 client client   12K Mar 20 07:58 uploads/
    4.0K drwxr-xr-x   4 client client  4.0K Mar 17 09:06 uprooted/
    4.0K drwxr-xr-x   4 client client  4.0K Jan 28 18:55 _vti_bin/
    4.0K drwxr-xr-x   2 client client  4.0K Jan 28 18:55 _vti_cnf/
    4.0K -rw-r--r--   1 client client  1.8K Jul  9  2004 _vti_inf.html
    4.0K drwxr-xr-x   2 client client  4.0K Jan 28 18:56 _vti_log/
    4.0K drwxr-x---   2 client client  4.0K Jan 28 18:56 _vti_pvt/
    4.0K drwxr-xr-x   2 client client  4.0K Jan 28 18:55 _vti_txt/
    
    
     
  11. dave9000

    dave9000 Well-Known Member

    looking this over is there any reason to use 2 levels of symlinks ?

    can you just symlink direct to the target ?

    also if you access the target file direct does it work ?

    php /home/client/public_html/typo3_src-4.0rc1/index.php

    or via browser

    www.domain.tld/typo3_src-4.0rc1/index.php

    lets start here on making it work and once this is working then we can move on to the symlinks
     
  12. Secret Agent

    Secret Agent Guest

    Client:

    Yes, I can invoke the file via www.client.org/typo3_src/index.php however
    TYPO3 will not start this way. The symlinks are like that because it's
    easiest for me to update with new distributions. It did work before that
    way.
     
  13. dave9000

    dave9000 Well-Known Member

    looking over a symlinked directory we use here that works with phpsuexec

    check these permissions

    /home/client 0711 client:client

    /home/client/public_html 0750 client:nobody

    /home/client/public_html/<all directories> 0755 client:client

    /home/client/public_html/<all files> 0644 client:client

    and then if still no go

    cat /home/client/public_html/index.php and see if the file is actually showing up there

    if it is then

    start in the public_html folder and work your way through the web modifying all .htaccess files and then test after each modification

    cp -f .htaccess .htaccess.old

    touch .htaccess

    chown client:client .htaccess

    I really believe we got a permissions issue here and with phpsuexec permissions can be a bit tricky
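
The ownership and permission rules from posts #7 and #13, checked in code; this is an added example, not part of the original thread and not cPanel's own tooling. It flags any group- or world-writable bit rather than only an exact 777, and it flags symlinked scripts because stock Apache suexec logs "cannot stat program" both when `lstat` fails and when the program is itself a symlink. Assumptions: cPanel's phpsuexec build behaves like stock suexec here, the function names are hypothetical, and the sample tree is constructed to mirror the listing in post #10.

```python
import os
import stat
import tempfile

def _check(path, st, owner_uid):
    """Ownership and write-bit checks shared by the script and its directory."""
    out = []
    if st.st_uid != owner_uid:
        out.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is group/world writable")
    return out

def audit_script(path, owner_uid):
    """Return findings for one script path; an empty list means it passes."""
    try:
        st = os.lstat(path)  # lstat inspects the link itself, not its target
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        # Assumption: stock Apache suexec refuses a symlinked program outright.
        target = os.path.realpath(path)
        if not os.path.exists(target):
            return [f"{path}: dangling symlink"]
        findings.append(f"{path}: symlink, resolves to {target}")
        path, st = target, os.stat(target)
    findings += _check(path, st, owner_uid)
    parent = os.path.dirname(os.path.abspath(path))
    return findings + _check(parent, os.stat(parent), owner_uid)

def build_sample_tree():
    """Constructed layout mirroring the thread: index.php -> typo3_src -> typo3_src-4.0rc1."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o750)
    src = os.path.join(root, "typo3_src-4.0rc1")
    os.mkdir(src)
    os.chmod(src, 0o755)
    real = os.path.join(src, "index.php")
    with open(real, "w") as fh:
        fh.write("<?php echo 'ok';\n")
    os.chmod(real, 0o644)
    os.symlink("typo3_src-4.0rc1", os.path.join(root, "typo3_src"))
    os.symlink("typo3_src/index.php", os.path.join(root, "index.php"))
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for name in ("index.php", "typo3_src-4.0rc1/index.php"):
        print(name, audit_script(os.path.join(root, name), os.getuid()) or "OK")
```

On a real server, pass the account's numeric uid and the path taken from the `cmd:` field of the suexec log, joined to the directory the request was served from.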
     
  14. Secret Agent

    Secret Agent Guest

    cat /home/client/public_html/index.php
    shows the index.php coding


    The permissions look right (as I pasted previously)

    "start in the public_html folder and work your way through the web modifying all .htaccess files and then test after each modification"

    What in the htaccess files am I supposed to modify? Please explain

    These are the symlinks

    Code:
       0 lrwxrwxrwx   1 client client       19 Mar 20 20:32 index.php -> typo3_src/index.php
       0 lrwxrwxrwx   1 client client       32 Mar 20 21:04 tslib -> typo3_src/typo3/sysext/cms/tslib/
       0 lrwxrwxrwx   1 client client       16 Mar 17 09:21 typo3_src -> typo3_src-4.0rc1/
    
     
  15. dave9000

    dave9000 Well-Known Member

    copy the .htaccess to a different name like .htaccess

    then rm -f .htaccess then touch .htaccess

    chown client:client .htaccess

    this will remove all info from the .htaccess and eliminate it as a possible problem

    I sent you a PM this morning also
     
  16. dave9000

    dave9000 Well-Known Member

  17. Secret Agent

    Secret Agent Guest

    Still doesn't work :(

    This is unbelievable

    Thanks for the pm
     
  18. dave9000

    dave9000 Well-Known Member

    i have been thinking on this all day

    i am beginning to doubt getting it to work using 2 levels of symlinks

    they say hard links will work but have not tried hard links myself

    you might rearrange the structure to drop back to 1 level of links
     
  19. hostmedic

    hostmedic Well-Known Member

    Joined:
    Apr 30, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Washington Court House, Ohio, United States
    cPanel Access Level:
    DataCenter Provider
    We are looking for this as well

    Just to chime in here...

    We have not been successful.

    We are part of the group behind the Typo3 movement -
    www.webempoweredchurch.com

    any ideas - or if you figure this out - please let us know.

    if we find it - I will PM you as well as post in the board.
     