Is there something like CGI Set *GID* Mode?

Discussion in 'Install/Configuration' started by philwo, Aug 16, 2006.

  1. philwo

    philwo Member


    I have PHP running as the user who owns the docroot, but is it possible to set the GID too? A static GID (nogroup) would be okay. I ask, because I thought of the following security concept:

    LiteSpeed runs as user www-data, group www-data
    all docroots (and files / dirs in there) are owned by user XYZ, group www-data and have mode 0750.

    So, the webserver is able to read the files he should serve, while the user and his scripts are able to read and write in the docroot. Now I have a problem - when PHP runs as user XYZ, group www-data, a malicious PHP-script could still read (but not write) other users docroots (because I can't use chroot). Running PHP-scripts as group nogroup would fix this problem.

  2. mistwang

    mistwang LiteSpeed Staff

    It is not available for current LSWS, we may added it later.
    However, you can let each user has its own group, and add "www-data" user to all those groups. Or you can use ACLs if it is available.
  3. philwo

    philwo Member

    Thank you very much, this solution works perfectly!

    I have two issues left however:

    1) When I setup the permissions as you said (owner of the docroot is user XY with his own group, www-data beeing a member of this users group and only allowing access for the user and his group to his docroot), AWstats gives me an error:

    ls -l /data/www/ gives:
    The awstats directory has permissions:
    When I do a chown -R benedikt.benedikt <DOCROOT>, it works fine. But these permissions always get reset to www-data.www-data on every update!

    My AWstats setup:
    If I set Update Mode to Static, it works too without any chown'ing necessary, but then there are some features missing in comparison to dynamic mode.

    2) How can I automatically set open_basedir for every Virtual Host in a template? Something like: Set it to "$VH_ROOT:/srv/php/lib/php".

    Thank you so much! As soon as I get enough customers to afford it, I'll buy the enterprise edition instantly :)
    Last edited: Aug 17, 2006
  4. mistwang

    mistwang LiteSpeed Staff

    The awstats part have to be fixed to make it set proper permission when suEXEC is used.
    Setting open_basedir in a template needs code changes on our side, however, if php is started in suEXEC mode, it may not be necessary, but it is always a good thing to have.
    Those will be in 2.2 release.
  5. xing

    xing LiteSpeed Staff

    philtwo, LiteSpeed Web Server 2.2 has been released with the Awstats suEXEC fix and more. :)
  6. philwo

    philwo Member

    Thank you xing, it works perfectly now! :)
  7. philwo

    philwo Member


    is it possible with the current 2.2.6 Std version to set the open_basedir restriction for virtual hosts (either automatically using a template or specifically for each virtual host)? I have PHP using LSAPI and start it with suEXEC as the user who owns the virtual host.

    I believe in Apache I could use something like "php_admin_value open_basedir XYZ" in each <VirtualHost> section - what is the corresponding method for Litespeed 2.2.6? :)

    Thank you for your help,
  8. mistwang

    mistwang LiteSpeed Staff

    You can do the same to virtual host by adding the same configuration line to the "Apache Style Config" entry at the bottom of "General" tab.
    You need to instantiate a template member to create the vhost configuration file.
  9. philwo

    philwo Member

    Just to make sure I understood correctly: To set the open_basedir directive I have to instantiate all virtual hosts and set it individually for each of them - there is no way to specify something like "php_admin_value open_basedir $VH_ROOT" in my template, right? :)

  10. mistwang

    mistwang LiteSpeed Staff

    My previous reply was wrong, using $VH_ROOT, $DOC_ROOT in Apache configuration like what you described should work well, even in template. You can verify it with a phpinfo page.

    I forgot when the change was made, probably right after this issue was mentioned. :)
  11. philwo

    philwo Member

    It works perfectly in the template! With just one change I have secured all these domains.. thank you so much - Litespeed is really the best webserver I ever used. :)

  12. mistwang

    mistwang LiteSpeed Staff

    Absolutely! :cool:
    Please help us spread the words.:)

Share This Page