'force gid' not working

Discussion in 'PHP' started by _qwerty_, Feb 9, 2009.

  1. _qwerty_

    _qwerty_ Member

    The way I understood it, the main reason moving from Apache to Lightspeed is to have secure shared environment without compromising performance. However, it appears that it cannot be done with Lightspeed, unless I'm doing something wrong. Please let me know whether I’m indeed missing something important. Here is what I've got:

    What I’m trying to achieve is to prevent user01 running on domain01.com something simple as test-access-permissions.php :
    header('Content-Type: text/plain');
    print file_get_contents ('/var/www/site02/db.inc.php');
    to view source code of db.inc.php belonging to user02 who is hosting his files on domain2.com

    Here is my setup:

    Two virtual hosts domain1.com domain2.com with docroots residing on
    /var/www/site01 (user01:nobody 750)

    /var/www/site02 (user02:nobody 750)

    For domain1 and domain 2, respectively

    test-access-permissions.php user01:nobody 640
    dn.inc.php user02:nobody 640

    Litespeed running as nobody:nobody

    I created two virtual hosts using web console and changed ‘force gid’ to 90000 which corresponds to
    nogroup:x:90000: in /etc/group file
    Security settings for both domains are set to
    Symbolic Link = Yes
    Enable Scripts/ExtApps = Yes
    Restrained = Yes
    ExtApp Set UID Mode = DocRoot UID
    ExtApp Chroot Mode = Virtual Host Root
    ExtApp Chroot Path = Not Set

    What I expect to see is this: when user01 trying to view files of user02 he should get some kind of ‘permission denied’ error. /var/www/site02 should be readable only to web server and user02 but not accessible by user02 because 'force gid' rule is in place.
    But in fact all I need for my setup is for user01 to view files of user02 is to run the above mentioned script.
    Please advise.

    My ‘Load Apache Configuration’ is set to NO. So I’m not using any Lightspeed capabilities which would help me to utilize existing Apache’s configuration files.
    Last edited: Feb 9, 2009
  2. mistwang

    mistwang LiteSpeed Staff

    You can have PHP script to print "UID/GID" that PHP process run as.
    For PHP suEXEC to work properly, you have to setup vhost level lsphp external app and script handler.
  3. _qwerty_

    _qwerty_ Member

    >You can have PHP script to print "UID/GID" that PHP process run as.

    Ok, I modified my scripts to add output of UID/GID as follows:

    $uid = posix_getuid();
    echo var_export(posix_getpwuid($uid),true);

    but it looks like I'm just getting the GID value from /etc/passwd. What whould be the correct way of geting actual GID overrided by “force GID” option?

    >For PHP suEXEC to work properly, you have to setup vhost level lsphp external app and script >handler.

    That was helpful. Forgot to mention in the original post that I created my vhosts using PHP_SuEXEC – one of thee pre-installed virtual host templates. But I modified script handler to server-wide value in template – that was the problem.
  4. _qwerty_

    _qwerty_ Member

    I actually found a better solution
    $gid = getmygid();
    echo "gid=".$gid;

    but still it does not show 'forced' gid value
    Last edited: Feb 10, 2009
  5. mistwang

    mistwang LiteSpeed Staff

    found a bug in lscgid, please PM me your email and the OS/LSWS release you were using, I will send you updated lscgid binary.
  6. _qwerty_

    _qwerty_ Member

    Personally, I like the old version better :) With the original 3.3.24 version I managed to prevent users from accessing files outside their domains and to even lock some users inside their directories, using php_admin_value and open_basedir, as per your suggestion in other post. However, with the new binary and old setup I'm getting some strange results.

    Running this script
    $uid = posix_getuid();
    echo var_export(posix_getpwuid($uid),true);

    always returns 'nobody' 'nobody', irrespective who the owner of a file is and all my scripts can be read by anyone as a result.

    Please let me know if that was your intention -- in this case I must confess I'm completely at a loss here -- or maybe somehow I was sent a wrong version of binary.

    Further, I'm still not sure what exactly we are trying to fix. The only problem/question that I reported in this post was that I wasn't able to make php script to output the correct value matching 'force gid' value. Perhaps I was using the wrong method to get this value -- I'm still under impression that posix_getpwuid() returns gid of a php file and not the actual 'effective' gid of a process which executes php script.
  7. mistwang

    mistwang LiteSpeed Staff

    I think you missed the set uid bit on lscgid.3.3.24 when you replace the binary. so suEXEC does not work any more.
  8. _qwerty_

    _qwerty_ Member

    Yes, you are right. I just forgot to change the owner of a file to root. Let me try again.
  9. _qwerty_

    _qwerty_ Member

    Ok now it is root:root 104555 and I'm getting
    "503 Service Unavailable
    The server is temporarily busy, try again later!"

    Here is the log output:

    2009-02-11 11:22:11.395 [NOTICE] Loading LiteSpeed/3.3.24 Standard ...
    2009-02-11 11:22:11.499 [NOTICE] [ADMIN] server socket: uds://usr/local/lsws/admin/tmp/admin.sock.7077
    2009-02-11 11:22:11.499 [NOTICE] Loading configuration from /usr/local/lsws/conf/httpd_config.xml ...
    2009-02-11 11:22:11.502 [INFO] old priority: 0, new priority: 0
    2009-02-11 11:22:11.502 [INFO] [config:server:basic] For better obscurity, server version number is hidden in the response header.
    2009-02-11 11:22:11.507 [NOTICE] The maximum number of file descriptor limit is set to 1024.
    2009-02-11 11:22:11.521 [WARN] 2009-02-11 11:22:11.524 [ERROR] [config:template:centralConfigLog] Listener [Default] does not exist
    2009-02-11 11:22:11.525 [ERROR] [config:template:pHP_SuEXEC] Listener [Default] does not exist
    2009-02-11 11:22:11.525 [ERROR] [config:template:EasyRailsWithSuEXEC] Listener [Default] does not exist
    2009-02-11 11:22:11.528 [NOTICE] [child: 4256] Successfully change current user to nobody
    2009-02-11 11:22:11.528 [NOTICE] [Child: 4256] Core dump is enabled.
    2009-02-11 11:22:11.528 [NOTICE] [Child: 4256] Setup swapping space...
    2009-02-11 11:22:11.529 [NOTICE] [Child: 4256] LiteSpeed/3.3.24 Standard starts successfully!
    2009-02-11 11:22:11.529 [NOTICE] [AutoRestarter] new child process with pid=4256 is forked!
    2009-02-11 11:22:12.087 [INFO] [HTAccess] Updating configuration from [/var/www/site01/.htaccess]
    2009-02-11 11:22:12.088 [INFO] [lsphp5] add child process pid: 4257
    2009-02-11 11:22:12.088 [INFO] [lsphp5] pid list size: 1
    2009-02-11 11:22:12.102 [NOTICE] [AutoUpdate] Checking for new releases...
    2009-02-11 11:22:12.141 [INFO] [AutoUpdate] No new update.
    2009-02-11 11:22:22.361 [INFO] [AdminPHP] pid list size: 1
    2009-02-11 11:22:22.361 [INFO] [AdminPHP] add child process pid: 4281
    2009-02-11 11:22:22.362 [INFO] Remove pid: 4281
    2009-02-11 11:22:22.362 [INFO] Pid: 4281 associated with [AdminPHP]
    2009-02-11 11:22:22.363 [INFO] [AdminPHP] pid list size: 2
    2009-02-11 11:22:22.363 [INFO] [] add child process pid: 4282
    2009-02-11 11:22:22.363 [INFO] [AdminPHP] pid list size: 1, pid stop list size: 0
    2009-02-11 11:22:22.364 [INFO] Remove pid: 4282
    2009-02-11 11:22:22.364 [INFO] Pid: 4282 associated with [AdminPHP]
    2009-02-11 11:22:22.365 [INFO] [AdminPHP] pid list size: 2
    2009-02-11 11:22:22.365 [INFO] [] add child process pid: 4283
    2009-02-11 11:22:22.365 [INFO] [AdminPHP] pid list size: 1, pid stop list size: 0
    2009-02-11 11:22:22.366 [INFO] Remove pid: 4283
    2009-02-11 11:22:22.366 [INFO] Pid: 4283 associated with [AdminPHP]
    2009-02-11 11:22:22.367 [INFO] [AdminPHP] pid list size: 2
    2009-02-11 11:22:22.367 [INFO] [] add child process pid: 4284
    2009-02-11 11:22:22.367 [INFO] [AdminPHP] pid list size: 1, pid stop list size: 0
    2009-02-11 11:22:22.368 [INFO] Remove pid: 4284
    2009-02-11 11:22:22.368 [INFO] Pid: 4284 associated with [AdminPHP]
    2009-02-11 11:22:22.368 [INFO] [AdminPHP] pid list size: 0, pid stop list size: 0
    2009-02-11 11:22:22.368 [NOTICE] [AdminPHP] stop worker processes
    2009-02-11 11:22:22.368 [INFO] [AdminPHP] 1 request being processed, kill external app later.
    2009-02-11 11:22:32.025 [INFO] [] ExtConn timed out while processing.
    2009-02-11 11:22:32.025 [INFO] [] connection to [UDS://tmp/lshttpd/admin_php.sock] on request #0, Connection timed out!
    2009-02-11 11:22:32.025 [NOTICE] [] oops! 503 Service Unavailable
    2009-02-11 11:22:32.025 [NOTICE] [] Content len: 0, Request line:
    GET / HTTP/1.1
    2009-02-11 11:22:44.192 [NOTICE] SIGUSR2 received, shutdown allowed ...
    2009-02-11 11:22:44.192 [NOTICE] SIGTERM received, stop server...
    2009-02-11 11:22:44.192 [NOTICE] [Child: 4256] Start shutting down gracefully ...
    2009-02-11 11:22:44.705 [NOTICE] [Child: 4256] Shut down successfully!
    2009-02-11 11:22:44.706 [NOTICE] [lsphp5] stop worker processes
    2009-02-11 11:22:44.706 [INFO] [lsphp5] kill pid: 4257
    2009-02-11 11:22:44.710 [NOTICE] [AutoRestarter] cleanup children processes and unix sockets belong to process 4256 !
    2009-02-11 11:22:44.710 [INFO] [AutoRestater] Clean up child process with pid: 4257
    2009-02-11 11:22:44.812 [NOTICE] [AutoRestarter] child process with pid=4256 exited with status=0!
    2009-02-11 11:22:44.813 [NOTICE] [PID:4252] Server Stopped!
  10. mistwang

    mistwang LiteSpeed Staff

    Maybe another permission problem, it should be like

    -r-sr-xr-x  1 root root   11680 Dec 19 20:59 lscgid.3.3.24
  11. _qwerty_

    _qwerty_ Member

    by 104555 I ment -r-sr-xr-x in octal notation not the size. sorry for the confusion.

    So besides size and timestamp, they look exactly the same

    old one
    -r-sr-xr-x  1 root root 11680 Feb  6 07:56 lscgid.3.3.24
    new one
    -r-sr-xr-x  1 root root 15138 Feb 11 08:53 lscgid.3.3.24
    Last edited: Feb 12, 2009
  12. mistwang

    mistwang LiteSpeed Staff

    Please check stderr.log see if anything logged.
    Will it work if you take the "Set UID" bit off?
  13. _qwerty_

    _qwerty_ Member

    Yes, but all scripts will run as nobody:nobody

    The only thing I ever had in this log is
    2009-02-12 06:45:11.630 sh: /usr/local/bin/ftpwho: No such file or directory
    which puzzled me a little (is LiteSpeed aware of presence of ftp server and trying to get some info from it?). But it has nothing to do with a new binary. It was there before swapping.
  14. mistwang

    mistwang LiteSpeed Staff

    It is not related.
    Are you using a real group for the Force GID?

    looks like syscall "setgroups(1, &gid);" failed for some reason.

    Which OS are you using?
  15. _qwerty_

    _qwerty_ Member

    in /etc/group i have
    and the force gid is set to 90000

    It is the Scientific Linux distribution.
    Here is /proc/version output
    Linux version 2.6.9-78.0.8.EL.cernsmp (root@lxcert-i386-old.cern.ch) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-10)) #1 SMP Thu Nov 27 15:19:42 CET 2008
  16. mistwang

    mistwang LiteSpeed Staff

    How about trying a regular CGI script which print the output of "id"?
    Maybe try

    strace -f -p <pid_of_lshttpd>

    it will show what happened when lshttpd tries to start PHP in suEXEC mode.
  17. gosborne

    gosborne Member

    Did this ever get resolved? I'm having a very similar issue with my installation of litespeed as well.
  18. mistwang

    mistwang LiteSpeed Staff

    Please try 4.0rc1 release.
  19. gosborne

    gosborne Member

    Okay, we've updated but it still returns the same information.

    This is on Ubuntu server 8.04, for what it's worth.
  20. mistwang

    mistwang LiteSpeed Staff

    We could not reproduce this, can you please try the 4.0 release package, just change the version number in link to 4.0rc1 package.

Share This Page