Is there something like CGI Set *GID* Mode?

#1
Hello,

I have PHP running as the user who owns the docroot, but is it possible to set the GID too? A static GID (nogroup) would be okay. I ask, because I thought of the following security concept:

- LiteSpeed runs as user www-data, group www-data
- All docroots (and the files / dirs in them) are owned by user XYZ, group www-data, and have mode 0750.

So, the webserver is able to read the files it should serve, while the user and his scripts are able to read and write in the docroot. Now I have a problem: when PHP runs as user XYZ, group www-data, a malicious PHP script could still read (but not write) other users' docroots (because I can't use chroot). Running PHP scripts as group nogroup would fix this problem.

Regards,
Philipp
 

mistwang

LiteSpeed Staff
#2
It is not available for the current LSWS; we may add it later.
However, you can let each user have their own group, and add the "www-data" user to all those groups. Or you can use ACLs if they are available.
 
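A small model of the POSIX permission check, added here as an illustration (not code from the thread or from LiteSpeed), comparing the shared-group layout from post #1 with the per-user-group layout suggested in post #2; the tenant names alice and bob are constructed.

```python
from dataclasses import dataclass
import stat


@dataclass(frozen=True)
class File:
    owner: str
    group: str
    mode: int          # permission bits only, e.g. 0o750


@dataclass(frozen=True)
class Proc:
    user: str
    group: str                            # effective (primary) group
    supplementary: frozenset = frozenset()


def can_read(proc: Proc, f: File) -> bool:
    """POSIX class selection: owner beats group beats other; only one class is consulted."""
    if proc.user == f.owner:
        return bool(f.mode & stat.S_IRUSR)
    if f.group == proc.group or f.group in proc.supplementary:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def readable_docroots(layout: dict, proc: Proc) -> list:
    """Names of the docroots in `layout` whose top directory `proc` can read."""
    return sorted(name for name, d in layout.items() if can_read(proc, d))


# Constructed example tenants (not from the thread).
TENANTS = ("alice", "bob")

# Post #1 layout: every docroot owned by its user, group www-data, mode 0750.
SHARED_GROUP = {u: File(u, "www-data", 0o750) for u in TENANTS}

# Post #2 layout: each user has a private group; www-data is added to all of them.
PER_USER_GROUP = {u: File(u, u, 0o750) for u in TENANTS}
WEBSERVER = Proc("www-data", "www-data", frozenset(TENANTS))


def php_as(user: str, layout_name: str) -> Proc:
    """suEXEC'd PHP for `user`: group www-data in the shared layout, its own group otherwise."""
    return Proc(user, "www-data" if layout_name == "shared" else user)


if __name__ == "__main__":
    print(readable_docroots(SHARED_GROUP, php_as("alice", "shared")))     # ['alice', 'bob']: the leak
    print(readable_docroots(SHARED_GROUP, Proc("alice", "nogroup")))       # ['alice']: the GID idea from #1
    print(readable_docroots(PER_USER_GROUP, php_as("alice", "per-user")))  # ['alice']
    print(readable_docroots(PER_USER_GROUP, WEBSERVER))                    # ['alice', 'bob']: server still serves all
```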
#3
Thank you very much, this solution works perfectly!

I have two issues left however:

1) When I set up the permissions as you said (the owner of the docroot is user XY with his own group, www-data being a member of this user's group, and access to his docroot allowed only for the user and his group), AWStats gives me an error:

Error: Couldn't open config file "awstats.www.fire-and-clay.de.conf" nor "awstats.conf" after searching in path "/data/www/www.fire-and-clay.de/htdocs/awstats/conf": Permission denied

- Did you use the correct URL ?
Example: http://localhost/awstats/awstats.pl?config=mysite
Example: http://127.0.0.1/cgi-bin/awstats.pl?config=mysite
- Did you create your config file 'awstats.www.fire-and-clay.de.conf' ?
If not, you can run "/opt/lsws/add-ons/awstats/tools/awstats_configure.pl" from command line, or create it manually.

Check config file, permissions and AWStats documentation (in 'docs' directory).
ls -l /data/www/www.fire-and-clay.de/htdocs/awstats/conf gives:
-rw-rw---- 1 benedikt benedikt 59501 2006-08-16 20:44 awstats.model.conf
-rw-rw---- 1 www-data www-data 59598 2006-08-17 12:05 awstats.www.fire-and-clay.de.conf
The awstats directory has permissions:
drwxrwx--- 5 www-data www-data 39 2006-08-17 12:05 awstats
When I do a chown -R benedikt.benedikt <DOCROOT>, it works fine. But these permissions always get reset to www-data.www-data on every update!

My AWstats setup:
Update Mode Dynamic
Working Directory $VH_ROOT/htdocs/awstats/
AWStats URI /awstats/
Site Domain $VH_DOMAIN
Site Aliases N/A
Update Interval Hourly
Update Offset (secs) N/A
Secured Connection No
Authentication Realm N/A
If I set Update Mode to Static, it works too, without any chown'ing being necessary, but then some features are missing in comparison to dynamic mode.

2) How can I automatically set open_basedir for every Virtual Host in a template? Something like: Set it to "$VH_ROOT:/srv/php/lib/php".

Thank you so much! As soon as I get enough customers to afford it, I'll buy the enterprise edition instantly :)
 

mistwang

LiteSpeed Staff
#4
The awstats part has to be fixed to make it set proper permissions when suEXEC is used.
Setting open_basedir in a template needs code changes on our side; however, if PHP is started in suEXEC mode, it may not be necessary, but it is always a good thing to have.
Those will be in the 2.2 release.
 
#7
Setting open_basedir in a template needs code changes on our side
Hello,

Is it possible with the current 2.2.6 Std version to set the open_basedir restriction for virtual hosts (either automatically using a template or specifically for each virtual host)? I have PHP using LSAPI and start it with suEXEC as the user who owns the virtual host.

I believe in Apache I could use something like "php_admin_value open_basedir XYZ" in each <VirtualHost> section. What is the corresponding method for LiteSpeed 2.2.6? :)

Thank you for your help,
Philipp
 

mistwang

LiteSpeed Staff
#8
You can do the same to virtual host by adding the same configuration line to the "Apache Style Config" entry at the bottom of "General" tab.
You need to instantiate a template member to create the vhost configuration file.
 
#9
Just to make sure I understood correctly: to set the open_basedir directive I have to instantiate all virtual hosts and set it individually for each of them; there is no way to specify something like "php_admin_value open_basedir $VH_ROOT" in my template, right? :)

Thanks,
Philipp
 

mistwang

LiteSpeed Staff
#10
My previous reply was wrong, using $VH_ROOT, $DOC_ROOT in Apache configuration like what you described should work well, even in template. You can verify it with a phpinfo page.

I forgot when the change was made, probably right after this issue was mentioned. :)
 
#11
It works perfectly in the template! With just one change I have secured all these domains. Thank you so much; LiteSpeed is really the best webserver I have ever used. :)

Philipp
 