Help?!? LSWS no longer recognizing any of my folders as present?

[jdash]

I have several different domains served up on my server by lsws went to the control panel to add another added to the PHP Virtual Host Template went to Instantiate and it kept telling me the folder was not valid for the host root. After trying several times deleting, re-adding, etc. I went and clicked over to one of my existing domains and this is the error I am getting on every single one of them:

/home/username/sites/domain.com/config/domain.com.xml is not a valid file.

I checked the server settings still configured to use the www-data user group which the entire "sites" folder is configured under, I haven't changed anything with these folders, but all of a sudden they are "invisible" to LSWS.

Help greatly appreciated!

 

[auser]

are you using latest 4.0.10?

 

[xendex]

Yes, I have the same problem with 4.0.10. I think that this happens due to AdminWebConsole suexec mode - so AWC cannot access vhost configuration files that are outside SERVER_ROOT, though server process can read them fine.
Here is what admin console error.log is showing:

2009-08-26 14:22:02.634 [NOTICE] [MY_IP_ADDRESS:3730-3#_AdminVHost] [STDERR] PHP Warning:  is_file() [<a href='function.is-file'>function.is-file</a>]: Stat failed for /[path to con-file outside server root]/conf.xml (errno=13 - Permission denied) in /usr/local/lsws/admin/html.4.0.10/classes/XmlTreeBuilder.php on line 13
2009-08-26 14:22:02.647 [NOTICE] [MY_IP_ADDRESS:3730-3#_AdminVHost] [STDERR] /[path to con-file outside server root]/conf.xml is not a valid file.

Sounds like a bug...

 

[jdash]

Yes, I am using 4.0.10, in fact I redownloaded it from here and ran a manual upgrade just to make sure (all before I posted here)

 

[jdash]

I pulled up my error log getting the same thing:

2009-08-26 00:17:41.862 [NOTICE] [ipaddress-3#_AdminVHost] [STDERR] PHP Warning:  is_file() [<a href='function.is-file'>function.is-file</a>]: Stat failed for /**path to config**/config/domain.com.xml (errno=13 - Permission denied) in /usr/local/lsws/admin/html.4.0.10/classes/XmlTreeBuilder.php on line 13
2009-08-26 00:17:41.862 [NOTICE] [ipaddress-3#_AdminVHost] [STDERR] /**path to config**/config/domain.com.xml is not a valid file.

 

[mistwang]

You need to update the file ownership and permission as the admin console is running in suEXEC mode with 4.0.10.

make the configuration file owned by "lsadm" and make sure lsadm user/group can access the directory holding the configuration file.

 

[xendex]

Thanks, mistwang, that solves the problem.
Just note, that it's needed to change owner(to lsadm) not only for the conf-file, but also for the destination folder that cantains this file.

 

[jdash]

Any security reason not to just add the lsadm user to the www-data group? That fixes the issue as well.

 

[mistwang]

Yes, you can do that.
You still need to change the owner of configuration files to lsadm, otherwise, it cannot be changed via web console.

The purpose of this is to prevent the user/group that lshttpd run as to access any configuration file, only the web console can.

 

[raphidae]

How do I disable this or downgrade? My file permissions are just fine as-is.

Also, I would like to ask you to properly document such changes in the version history, because for me 'changing the admin to suExec' does not mean add a new user and require changing the file permissions on a zillion vhosts.

Thanks.

 

[mistwang]

It is not recommended and the risk is on your own, but if you really want, you can change files/directories owned by lsadm back to the old user account. restart LSWS.
Or, you can run the installer of the older release, do a manual upgrade, you can back to the older release. you will stuck with the old release.

 

[raphidae]

Well, I rather not downgrade of course, but I have other things (scripts etc.) that may read or write the config files and changing the owner of these files will require a total overhaul of the file permissions.

I'm sure splitting the ownership is a good idea security-wise, but I would expect such a change to be noted in really big red letters in the changelog, followed by an explaination of what exactly is changed so that preparations can be made.

Have you considered to make the change an option for a couple of releases so that people have time to ajust their environments to this change? You should at least incorporate some kind of check in the installer and alert users that the permissions need to be changed, now it upgrades correctly continues to serve correctly but completely breaks the web console without any direct link to the upgrade.

Most of the users will probably use some control panel or an apache config file, but I was glad with the XML format and have integrated the configuration of vhosts into our intranet. This simple change means that we need to re-think the entire setup and requires a testserver and extensive testing, etc.

In my opinion changes that need a change in the environment require at least a minor version bump, not just a revision increment.

Also, I am really unconfortable with software updates that silently add users to my system. Especially because it choose an inappropriate UID, which I would need to correct by hand.

 

[MikeDVB]

Also, I would like to ask you to properly document such changes in the version history, because for me 'changing the admin to suExec' does not mean add a new user and require changing the file permissions on a zillion vhosts.

I upgraded to 4.0.10 on 3 servers and did not have any issues at all with any permissions. How did you perform the upgrade?

I'm sure splitting the ownership is a good idea security-wise, but I would expect such a change to be noted in really big red letters in the changelog, followed by an explaination of what exactly is changed so that preparations can be made.

I do agree that it could have been explained a tad better for those doing custom things

Have you considered to make the change an option for a couple of releases so that people have time to ajust their environments to this change? You should at least incorporate some kind of check in the installer and alert users that the permissions need to be changed, now it upgrades correctly continues to serve correctly but completely breaks the web console without any direct link to the upgrade.

Again, I had no problems at all during the upgrades - how did you perform the upgrade?

 

[raphidae]

I performed the upgrade by downloading the package and running ./install.sh

And I'm curious as to what your permissions on the config files are then, because if they are world writable then there would be no issues indeed.

 

[MikeDVB]

Hmm, nope

root@atlantis [/usr/local/lsws/conf]# ls -l
total 88
drwx------  4 lsadm lsadm  4096 Sep  4 16:08 ./
drwxr-xr-x 15 root  root   4096 Jul 18 17:24 ../
drwx------  2 lsadm lsadm  4096 Jul 18 17:24 cert/
-rw-r--r--  1 lsadm lsadm 11603 Sep  4 16:08 httpd_config.xml
-rw-------  1 root  root   2418 Sep  4 15:26 httpd_config.xml.rej
-rw-r-----  1 lsadm lsadm     0 Sep  3 19:03 .last
-rw-------  1 root  root    256 Sep  4 15:26 license.key
-rw-r-----  1 lsadm lsadm  1810 Sep  3 14:25 license_proxy.xml
-rw-------  1 lsadm lsadm  3849 Jul 18 17:24 mime.properties
-rw-r-----  1 lsadm lsadm     0 Aug 18 18:13 .restart
-rw-r--r--  1 root  root     19 Sep  4 15:26 serial.no
drwx------  2 lsadm lsadm  4096 Jul 18 17:24 templates/
-rw-r-----  1 lsadm lsadm  1806 Sep  2 19:22 update_proxy.xml

Exactly as it was configured by the installation.

 

[raphidae]

How about the per-vhost config files, because those are the problem.

 

[MikeDVB]

How about the per-vhost config files, because those are the problem.

Ah, ok so that makes a bit more since We're running cPanel on the said servers and are not using the LSWS vhost configuration files so I'm not sure about that.

 

[PSS]

I agree 100% with what raphidae said. Litespeed is a beautiful piece of engineering and well worth the investment, but PLEASE do not ruin it by taking things for granted. We need more documentation, how-to's and clear and detailed changelogs. On a clean install, created new virtual host and:

*failed to create file /ownpath/towww/youdomain/conf/vhconf.xml

I created the file by hand, set chmod/chown/chgrp and all I can think of, and same error. This thread here explains the reason.