LiteSpeed Technologies
  #1  
Old 07-13-2006, 06:36 AM
sofatime sofatime is offline
Senior Member
 
Join Date: Jul 2006
Location: Switzerland
Posts: 59
Default chroot virtual host possible with php?

I have just installed lsws and have two questions:

1) I have created a virtual host and have set "CGI Chroot Mode" to "Virtual Host Root". This does not have any effect on PHP-requests, I can still read files like /etc/passwd (not using open_basedir). Is this correct?

2) I have deleted the global PHP Handler and External App and created one in the virtual host using "CGI Set UID Mode DocRoot UID". This works great. When I open phpinfo.php I cannot see APC anymore (which showed up ok in phpinfo.php with the global php configuration). Why is that?

Thanks!
Daniel
Reply With Quote
  #2  
Old 07-13-2006, 08:31 AM
mistwang mistwang is offline
LiteSpeed Staff
 
Join Date: May 2003
Location: New Jersey
Posts: 7,585
Answers to your questions:
1. It is possible but not recommended, as you need to build the jail environment manually for each and every chroot vhost. That is not an easy job. Instead, we recommend chroot at server level along with suEXEC; our Enterprise edition has the best chroot support, which can build the initial jail environment automatically.

2. Probably the setUID PHP process does not use the default php.ini, just check which php configuration file is used in phpinfo()'s output. Other than that, you should check file permissions. lsws/logs/stderr.log may log something useful.
Reply With Quote
  #3  
Old 07-13-2006, 09:03 AM
Arkadius Arkadius is offline
Member
 
Join Date: May 2006
Posts: 18
sofa, are you using more than one site?

If so, please post your PHP handler.
I have been testing for 2 days without any progress.

Thank you
Reply With Quote
  #4  
Old 07-13-2006, 12:55 PM
mistwang mistwang is offline
LiteSpeed Staff
 
Join Date: May 2003
Location: New Jersey
Posts: 7,585
Arkadius,

Are you talking about PHP suEXEC for multiple vhosts?
You need to set http://www.litespeedtech.com/docs/co...hCGISetUidMode to "Docroot UID", then define an lsphp external app and script handler for that vhost; it cannot share the global PHP handler.
Reply With Quote
  #5  
Old 07-13-2006, 03:41 PM
Arkadius Arkadius is offline
Member
 
Join Date: May 2006
Posts: 18
Could you please post a direct example for the lsphp external app?

I have around 120 templates (each customer is created as a template), each with their vhosts listed inside of the template.

I would like to have every template run its own PHP with dedicated user IDs.
But that isn't really working at the moment.

I can't see any way how I would create the desired lsphp that will run like you posted.
Reply With Quote
  #6  
Old 07-13-2006, 04:42 PM
mistwang mistwang is offline
LiteSpeed Staff
 
Join Date: May 2003
Location: New Jersey
Posts: 7,585
120 templates! You kidding! If each template has only one vhost, you should just create the vhost directly.

For a template, you should set template->security tab -> "CGI Resource Control" -> "CGI Set UID Mode".

When you define an external app in a template, you should use something like "$VH_NAME_lsphp" as the app name.
Reply With Quote
  #7  
Old 07-13-2006, 11:00 PM
Arkadius Arkadius is offline
Member
 
Join Date: May 2006
Posts: 18
Well, most of the templates have more than 2 vhosts, some have up to 80.
I don't want to split them up into vhosts by domain; I would rather have them as templates, so if I change something the customer account is affected and not just a single domain.

My security tab looks like this for the default template that I spread around:



The question now is:

What settings do I need in my lsphp application in order to have it run under the user's ID? Is it possible for you to post a screenshot of your configuration, or pass the XML file? And how would I tell the vhost to use that external application to process .php files? I have only found the global solution.
Reply With Quote
  #8  
Old 07-14-2006, 04:37 AM
mistwang mistwang is offline
LiteSpeed Staff
 
Join Date: May 2003
Location: New Jersey
Posts: 7,585
CGI Chroot Mode should be "Same as Server" unless you want to build a chroot jail environment for each and every vhost. Too much trouble.

To let a vhost use its own lsphp, you should add a PHP LSAPI application with a similar configuration to the global one. Make sure the name is like "$VH_NAME_lsphp", then under "General" tab -> "Script Handler Definition", add a script handler for ".php" using $VH_NAME_lsphp as the handler. This will override the global PHP handler configuration.

Last edited by mistwang; 07-14-2006 at 04:52 AM..
Reply With Quote
  #9  
Old 07-17-2006, 08:56 AM
sofatime sofatime is offline
Senior Member
 
Join Date: Jul 2006
Location: Switzerland
Posts: 59
Thank you. I have now installed lsws with chroot and I now have an lsphp process per virtual host with the user of that virtual host. So it looks very good so far.
I had one more problem: You mentioned in another post, that one should have a user and a group per virtual host and use permissions 660 so no customer can read data of another customer. Additionally one should add the lsws user to every customer group so lsws can still read files. That is a good solution but on Solaris you can put a user only in 16 groups (or 32 if you change that limit). Therefore I didn't add the lsws user to every group but used ACLs to add the lsws user to the directories. Worked too. Anybody got a better solution?

About APC and phpinfo: I am a bit confused which php.ini that could be. There is no other php.ini. phpinfo says "Configuration File (php.ini) Path: ../conf". But is this meant from the virtual host root?

Daniel
Reply With Quote
  #10  
Old 07-17-2006, 09:39 AM
mistwang mistwang is offline
LiteSpeed Staff
 
Join Date: May 2003
Location: New Jersey
Posts: 7,585
Quote:
but on Solaris you can put a user only in 16 groups (or 32 if you change that limit). Therefore I didn't add the lsws user to every group but used ACLs to add the lsws user to the directories. Worked too. Anybody got a better solution?
That can be a problem. I am not sure whether Linux has this limit or not; will investigate. Using ACLs is a good solution too, probably even better for systems that support that.

Quote:
About APC and phpinfo: I am a bit confused which php.ini that could be. There is no other php.ini. phpinfo says "Configuration File (php.ini) Path: ../conf". But is this meant from the virtual host root?
If phpinfo shows only "../conf" then PHP cannot find the php.ini in the given path. That path should be a relative path to the lsphp executable; if you make a copy of lsphp for every vhost, then you should copy php.ini as well. I would rather use one global lsphp binary; suEXEC is not affected unless you want to use a different php.ini for different users.
Reply With Quote
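
The isolation model sofatime describes in post #9 (one user and group per virtual host, mode 660, web server access via group or ACL) can be audited per document root with a short script. This is an added example, not part of the original thread or LiteSpeed's tooling; the function name `audit_vhost_root` and the sample tree are assumptions.

```sh
#!/bin/sh
# Added example: audit one vhost document root against the model from the
# thread: per-customer owner, mode 660/770, nothing granted to "other".
# The web server user is expected to get access through group membership
# or an ACL entry, so any "other" bit is unnecessary exposure.
#
# audit_vhost_root DIR   (hypothetical helper name)
#   prints findings; returns 0 if clean, 1 if findings, 2 on a bad argument
#   OTHER path  a permission bit is set for "other"
#   OWNER path  owner differs from DIR's owner (with "DocRoot UID" the PHP
#               process runs as the owner of the document root)
#   SETID path  setuid/setgid regular file
audit_vhost_root() {
    root=$1
    [ -d "$root" ] || { echo "ERROR: $root is not a directory" >&2; return 2; }
    # Owner name (or numeric UID) of the document root itself.
    owner=$(ls -ld "$root" | awk '{print $3}')
    findings=$(
        # Symlinks are skipped: their own mode bits are not meaningful.
        find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec echo OTHER {} \;
        find "$root" ! -user "$owner" -exec echo OWNER {} \;
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec echo SETID {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: one file follows the 660 rule, one is left at 644.
demo=$(mktemp -d)
mkdir -p "$demo/customer1/html"
chmod 770 "$demo/customer1" "$demo/customer1/html"
echo '<?php // app' > "$demo/customer1/html/index.php"
echo '<?php // db password' > "$demo/customer1/html/config.php"
chmod 660 "$demo/customer1/html/index.php"
chmod 644 "$demo/customer1/html/config.php"
audit_vhost_root "$demo/customer1" || echo "isolation findings listed above"
rm -rf "$demo"
```

The script only inspects classic mode bits and ownership; ACL entries such as the one granting the lsws user access are not evaluated and need a separate review with the platform's ACL tools.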