conf/vhconf.xml is not a valid file AFTER upgrade

[ikiji]

Hi,

Ok, so we have a few sites on a CentOS VPS.

Each site is inside:

/home/<user1>
/home/<user2>
etc

Permissions of /home/ are set as:
USER GROUP DIRECTORY
drwx--x--- 6 user1 user1 4096 Oct 23 2011 user1
drwx--x--- 6 user2 user2 4096 Oct 23 2011 user2


We issue the commands:
usermod -a -G user1 lsadm
usermod -a -G user1 nobody


Then when we go into Configuration -> Virtual Hosts and the site for user1 we can update the settings and the vhconf.xml is written to fine.

Every so often, when coming back to the LiteSpeed admin to look at the config for a site, we get the dreaded red writing error message saying the vhconf.xml is not present/accessible.

Issuing the first usermod command as above and a graceful restart fixes it

I've noticed this happening AFTER each upgrade and need to monitor and see if that was coincidence or not.

Can anyone think why 'user1' would be disappearing from the group 'lsadm'?
Is the upgrade for some reason resetting the group?

Any help/suggestions for securing the sites better would be much appreciated.

 

[NiteWave]

what's the permission of conf/, conf/vhconf.xml ?

 

[ikiji]

Hi

/home/user1:

drwxrwxr-x 2 user1 user1 4096 Nov 27 2011 conf
-rw-r--r-- 1 lsadm lsadm 831 Nov 27 2011 vhconf.xml

As mentioned, it works fine after adding user1 to the lsadm group

BUT

Why would an upgrade touch group assigments?
I'm finding that it stops working and that by re-issuing the usermod command it starts working again.

Many thanks

 

[NiteWave]

I can reproduce the issue you reported on centOS:
#groups lsadm
lsadm : lsadm nobody user1

after upgrade:
#groups lsadm
lsadm : lsadm nobody

and it can be fixed by change line 905 of functions.sh from
usermod -G $WS_GROUP lsadm
to
usermod -a -G $WS_GROUP lsadm

we'll estimate if this change has any other side effect.

however, is it a good practice?
assume you have 1000 users, will you add lsadm to all these 1000 groups?

 

[ikiji]

Hi NiteWave,

Thank you.

More than happy to look at how we have it setup if you can 'recommend' a better method for securing each user's space?

 

[NiteWave]

not sure, maybe you can refer
Virtual Host Templates -> EasyRailsWithSuEXEC

 

[ikiji]

Is that going to tell us the best users/groups to run things under?

We don't plan on this server having max of more than 5 sites.

So is what we've got that bad practice?

 

[NiteWave]

if so, your way is ok and not a problem. just searched, a user(here lsadm) belonging to max number of groups is 32 or 16. if only 5 users, I think it's ok.

please wait for our development's investigation result.

 

[ikiji]

Always keen to ensure we're following best practices.

So if anyone can suggest the best way to run Litespeed?

If we set each home/user/ as 'lsadm' then they could see each other's content, hence why we did it they way we did.

 

[mistwang]

and it can be fixed by change line 905 of functions.sh from
usermod -G $WS_GROUP lsadm
to
usermod -a -G $WS_GROUP lsadm

applied to functions.sh

 

[ikiji]

... which will be in the next release?

Thank you.

At least I'm not going mad, thought there were gremlins on the server