02-09-2009, 01:01 AM
Member
Join Date: Feb 2009
Posts: 12
'force gid' not working
The way I understood it, the main reason for moving from Apache to LiteSpeed is to have a secure shared environment without compromising performance. However, it appears that it cannot be done with LiteSpeed, unless I'm doing something wrong. Please let me know whether I'm indeed missing something important. Here is what I've got:
What I'm trying to achieve is to prevent user01, running on domain01.com something as simple as test-access-permissions.php:
<?php
// Test script run as user01: tries to read a file belonging to user02.
header('Content-Type: text/plain');
print file_get_contents('/var/www/site02/db.inc.php');
?>
from viewing the source code of db.inc.php belonging to user02, who is hosting his files on domain2.com.
Here is my setup:
Two virtual hosts, domain1.com and domain2.com, with docroots residing on
/var/www/site01 (user01:nobody 750)
/var/www/site02 (user02:nobody 750)
for domain1 and domain2, respectively.
test-access-permissions.php user01:nobody 640
db.inc.php user02:nobody 640
LiteSpeed running as nobody:nobody
I created two virtual hosts using the web console and changed 'force gid' to 90000, which corresponds to
nogroup:x:90000: in the /etc/group file.
Security settings for both domains are set to
Symbolic Link = Yes
Enable Scripts/ExtApps = Yes
Restrained = Yes
ExtApp Set UID Mode = DocRoot UID
ExtApp Chroot Mode = Virtual Host Root
ExtApp Chroot Path = Not Set
What I expect to see is this: when user01 tries to view files of user02, he should get some kind of 'permission denied' error. /var/www/site02 should be readable only to the web server and user02 but not accessible by user02 because the 'force gid' rule is in place.
But in fact, with my setup, all user01 needs to do to view the files of user02 is run the above-mentioned script.
Please advise.
PS
My 'Load Apache Configuration' is set to NO, so I'm not using any LiteSpeed capabilities that would help me utilize existing Apache configuration files.
Last edited by _qwerty_; 02-09-2009 at 01:04 AM..

02-09-2009, 10:27 AM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
You can have a PHP script print the UID/GID that the PHP process runs as.
For PHP suEXEC to work properly, you have to set up a vhost-level lsphp external app and script handler.

02-10-2009, 04:33 AM
Member
Join Date: Feb 2009
Posts: 12
>You can have PHP script to print "UID/GID" that PHP process run as.
OK, I modified my scripts to add output of the UID/GID as follows:
$uid = posix_getuid();
echo var_export(posix_getpwuid($uid),true);
but it looks like I'm just getting the GID value from /etc/passwd. What would be the correct way of getting the actual GID overridden by the "force GID" option?
>For PHP suEXEC to work properly, you have to setup vhost level lsphp external app and script handler.
That was helpful. I forgot to mention in the original post that I created my vhosts using PHP_SuEXEC – one of the pre-installed virtual host templates. But I had modified the script handler in the template to the server-wide value – that was the problem.

02-10-2009, 06:42 AM
Member
Join Date: Feb 2009
Posts: 12
I actually found a better solution:
$gid = getmygid();
echo "gid=".$gid;
but it still does not show the 'forced' gid value.
Last edited by _qwerty_; 02-10-2009 at 06:47 AM..
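The two posts above ask how to read the GID that PHP is really running with. The following script is an added example, not code from this thread or from LiteSpeed: it prints the real and effective UID/GID of the PHP process and then checks, without printing any contents, whether the paths from the setup described in the first post are readable. posix_getpwuid() only returns the /etc/passwd entry for a UID, so its 'gid' field is that user's primary group, not the process's current group; the effective GID that a 'force gid' setting is supposed to change comes from posix_getegid(). It assumes the posix extension is enabled in lsphp.

```php
<?php
// Added example (not code from this thread): report the identity the PHP
// process really runs as, then verify which paths it can read.
// Assumes the posix extension is available.
header('Content-Type: text/plain');

function user_name(int $uid): string {
    $pw = posix_getpwuid($uid);
    return $pw === false ? (string) $uid : $pw['name'];
}

function group_name(int $gid): string {
    $gr = posix_getgrgid($gid);
    return $gr === false ? (string) $gid : $gr['name'];
}

// Real and effective IDs plus supplementary groups of this process.
// 'egid' is the value a 'force gid' setting should change; posix_getpwuid()
// would only show the primary group recorded in /etc/passwd.
function process_identity(): array {
    return [
        'uid'    => posix_getuid(),
        'euid'   => posix_geteuid(),
        'gid'    => posix_getgid(),
        'egid'   => posix_getegid(),
        'groups' => posix_getgroups(),
    ];
}

// For each path, record whether this process may read it. is_readable() asks
// the kernel via access(2) (checked against the real IDs, which under suEXEC
// match the effective ones) and also honours open_basedir. It never returns
// the file contents, so it is a safe way to verify vhost isolation.
function readability(array $paths): array {
    $result = [];
    foreach ($paths as $path) {
        $result[$path] = is_readable($path);
    }
    return $result;
}

$id = process_identity();
printf("uid=%d(%s) euid=%d(%s)\n",
    $id['uid'], user_name($id['uid']), $id['euid'], user_name($id['euid']));
printf("gid=%d(%s) egid=%d(%s)\n",
    $id['gid'], group_name($id['gid']), $id['egid'], group_name($id['egid']));
printf("groups=%s\n", implode(',', array_map('group_name', $id['groups'])));

// Paths from the setup in the first post: when run from domain1's docroot,
// /var/www/site01 should be readable and the site02 paths should be denied.
$checks = [
    '/var/www/site01',
    '/var/www/site02',
    '/var/www/site02/db.inc.php',
];
foreach (readability($checks) as $path => $ok) {
    printf("%-32s %s\n", $path, $ok ? 'READABLE' : 'denied');
}
```

With the setup from the first post working as intended, a request to this script under domain1 should show euid=user01, egid=90000(nogroup), and 'denied' for both site02 paths; an output of uid=nobody euid=nobody instead means suEXEC is not switching identity at all.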

02-10-2009, 04:00 PM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
Found a bug in lscgid. Please PM me your email and the OS/LSWS release you are using; I will send you an updated lscgid binary.

02-11-2009, 10:29 AM
Member
Join Date: Feb 2009
Posts: 12
Personally, I like the old version better. With the original 3.3.24 version I managed to prevent users from accessing files outside their domains and even to lock some users inside their directories, using php_admin_value and open_basedir, as per your suggestion in another post. However, with the new binary and the old setup I'm getting some strange results.
Running this script:
<?php
// Look up the passwd entry for the UID this PHP process runs as.
$uid = posix_getuid();
echo var_export(posix_getpwuid($uid), true);
?>
always returns 'nobody' 'nobody', irrespective of who the owner of the file is, and as a result all my scripts can be read by anyone.
Please let me know if that was your intention -- in that case I must confess I'm completely at a loss here -- or maybe somehow I was sent the wrong version of the binary.
Further, I'm still not sure what exactly we are trying to fix. The only problem/question that I reported in this post was that I wasn't able to make a PHP script output the correct value matching the 'force gid' value. Perhaps I was using the wrong method to get this value -- I'm still under the impression that posix_getpwuid() returns the gid of a PHP file and not the actual 'effective' gid of the process which executes the PHP script.

02-11-2009, 10:49 AM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
I think you missed the setuid bit on lscgid.3.3.24 when you replaced the binary, so suEXEC does not work any more.

02-11-2009, 11:05 AM
Member
Join Date: Feb 2009
Posts: 12
Yes, you are right. I just forgot to change the owner of the file to root. Let me try again.

02-11-2009, 11:37 AM
Member
Join Date: Feb 2009
Posts: 12
OK, now it is root:root 104555 and I'm getting:
"503 Service Unavailable
The server is temporarily busy, try again later!"
Here is the log output:
2009-02-11 11:22:11.395 [NOTICE] Loading LiteSpeed/3.3.24 Standard ...
2009-02-11 11:22:11.499 [NOTICE] [ADMIN] server socket: uds://usr/local/lsws/admin/tmp/admin.sock.7077
2009-02-11 11:22:11.499 [NOTICE] Loading configuration from /usr/local/lsws/conf/httpd_config.xml ...
2009-02-11 11:22:11.502 [INFO] old priority: 0, new priority: 0
2009-02-11 11:22:11.502 [INFO] [config:server:basic] For better obscurity, server version number is hidden in the response header.
2009-02-11 11:22:11.507 [NOTICE] The maximum number of file descriptor limit is set to 1024.
2009-02-11 11:22:11.521 [WARN] 2009-02-11 11:22:11.524 [ERROR] [config:template:centralConfigLog] Listener [Default] does not exist
2009-02-11 11:22:11.525 [ERROR] [config:template:PHP_SuEXEC] Listener [Default] does not exist
2009-02-11 11:22:11.525 [ERROR] [config:template:EasyRailsWithSuEXEC] Listener [Default] does not exist
2009-02-11 11:22:11.528 [NOTICE] [child: 4256] Successfully change current user to nobody
2009-02-11 11:22:11.528 [NOTICE] [Child: 4256] Core dump is enabled.
2009-02-11 11:22:11.528 [NOTICE] [Child: 4256] Setup swapping space...
2009-02-11 11:22:11.529 [NOTICE] [Child: 4256] LiteSpeed/3.3.24 Standard starts successfully!
2009-02-11 11:22:11.529 [NOTICE] [AutoRestarter] new child process with pid=4256 is forked!
2009-02-11 11:22:12.087 [INFO] [HTAccess] Updating configuration from [/var/www/site01/.htaccess]
2009-02-11 11:22:12.088 [INFO] [lsphp5] add child process pid: 4257
2009-02-11 11:22:12.088 [INFO] [lsphp5] pid list size: 1
2009-02-11 11:22:12.102 [NOTICE] [AutoUpdate] Checking for new releases...
2009-02-11 11:22:12.141 [INFO] [AutoUpdate] No new update.
2009-02-11 11:22:22.361 [INFO] [AdminPHP] pid list size: 1
2009-02-11 11:22:22.361 [INFO] [AdminPHP] add child process pid: 4281
2009-02-11 11:22:22.362 [INFO] Remove pid: 4281
2009-02-11 11:22:22.362 [INFO] Pid: 4281 associated with [AdminPHP]
2009-02-11 11:22:22.363 [INFO] [AdminPHP] pid list size: 2
2009-02-11 11:22:22.363 [INFO] [75.4.14.59:51297-0#_AdminVHost] add child process pid: 4282
2009-02-11 11:22:22.363 [INFO] [AdminPHP] pid list size: 1, pid stop list size: 0
2009-02-11 11:22:22.364 [INFO] Remove pid: 4282
2009-02-11 11:22:22.364 [INFO] Pid: 4282 associated with [AdminPHP]
2009-02-11 11:22:22.365 [INFO] [AdminPHP] pid list size: 2
2009-02-11 11:22:22.365 [INFO] [75.4.14.59:51297-0#_AdminVHost] add child process pid: 4283
2009-02-11 11:22:22.365 [INFO] [AdminPHP] pid list size: 1, pid stop list size: 0
2009-02-11 11:22:22.366 [INFO] Remove pid: 4283
2009-02-11 11:22:22.366 [INFO] Pid: 4283 associated with [AdminPHP]
2009-02-11 11:22:22.367 [INFO] [AdminPHP] pid list size: 2
2009-02-11 11:22:22.367 [INFO] [75.4.14.59:51297-0#_AdminVHost] add child process pid: 4284
2009-02-11 11:22:22.367 [INFO] [AdminPHP] pid list size: 1, pid stop list size: 0
2009-02-11 11:22:22.368 [INFO] Remove pid: 4284
2009-02-11 11:22:22.368 [INFO] Pid: 4284 associated with [AdminPHP]
2009-02-11 11:22:22.368 [INFO] [AdminPHP] pid list size: 0, pid stop list size: 0
2009-02-11 11:22:22.368 [NOTICE] [AdminPHP] stop worker processes
2009-02-11 11:22:22.368 [INFO] [AdminPHP] 1 request being processed, kill external app later.
2009-02-11 11:22:32.025 [INFO] [75.4.14.59:51297-0#_AdminVHost] ExtConn timed out while processing.
2009-02-11 11:22:32.025 [INFO] [75.4.14.59:51297-0#_AdminVHost] connection to [UDS://tmp/lshttpd/admin_php.sock] on request #0, Connection timed out!
2009-02-11 11:22:32.025 [NOTICE] [75.4.14.59:51297-0#_AdminVHost] oops! 503 Service Unavailable
2009-02-11 11:22:32.025 [NOTICE] [75.4.14.59:51297-0#_AdminVHost] Content len: 0, Request line:
GET / HTTP/1.1
2009-02-11 11:22:44.192 [NOTICE] SIGUSR2 received, shutdown allowed ...
2009-02-11 11:22:44.192 [NOTICE] SIGTERM received, stop server...
2009-02-11 11:22:44.192 [NOTICE] [Child: 4256] Start shutting down gracefully ...
2009-02-11 11:22:44.705 [NOTICE] [Child: 4256] Shut down successfully!
2009-02-11 11:22:44.706 [NOTICE] [lsphp5] stop worker processes
2009-02-11 11:22:44.706 [INFO] [lsphp5] kill pid: 4257
2009-02-11 11:22:44.710 [NOTICE] [AutoRestarter] cleanup children processes and unix sockets belong to process 4256 !
2009-02-11 11:22:44.710 [INFO] [AutoRestater] Clean up child process with pid: 4257
2009-02-11 11:22:44.812 [NOTICE] [AutoRestarter] child process with pid=4256 exited with status=0!
2009-02-11 11:22:44.813 [NOTICE] [PID:4252] Server Stopped!

02-11-2009, 09:49 PM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
Maybe another permission problem; it should be like:
Code:
-r-sr-xr-x 1 root root 11680 Dec 19 20:59 lscgid.3.3.24