suexec issues with rails? maybe to do with permissions of ls user?

Discussion in 'Bug Reports' started by inspirix, Oct 30, 2006.

  1. inspirix

    inspirix Active Member

    Not sure if this is a bug, but I cannot seem to work around this issue unless I am simply overlooking a setting. I've successfully set up rails apps on litespeed when running litespeed and all the rails apps under the same (one) username. Now what I'm attempting is running litespeed as nobody, and using the suexec Document root option. The result for me has been mixed:

    I set the rails template VH_ROOT to /home/$VH_NAME/app/$VH_NAME/current, and other paths similarly as necessary.

    I've tried it with Restrained on and off.

    I cannot instantiate the rails virtual host; it claims that the directory (/home/joenoon/app/joenoon/current in my case) does not exist, even though:
    lrwxrwxrwx 1 joenoon joenoon 49 Oct 29 22:54 /home/joenoon/app/joenoon/current -> /home/joenoon/app/joenoon/releases/20061030035425

    Next, even though I cannot instantiate the vhost, it actually works to some degree. The application itself runs, and there are no errors in stderror.log or error.log. However, static files are bringing about 404s (images/javascript/etc). Debugging messages show:

    File not found [/home/joenoon/app/joenoon/releases/20061030035425/public/images/xxxxx/t_1_House013.jpg]
    However, that file exists:
    -rw-r--r-- 1 joenoon joenoon 15561 Oct 29 22:48 /home/joenoon/app/joenoon/releases/20061030035425/public/images/xxxxx/t_1_House013.jpg

    So, by the looks of it, my guess is there is some disconnect between the user litespeed is running as (can't see these files and directories?), and then the suexec which kicks in later, which can (which is why the app itself works).

    I would be fine with running litespeed as a privileged user to avoid any of these problems, but was unsure on how to create such a user for this purpose.

    Please dismiss this if I am overlooking something.

    Thanks for your great work,

  2. inspirix

    inspirix Active Member

    Forgot to say I'm running 2.2.4 standard on RHEL. If I am correct that this is a bug of some type, you can access my server if it would help. We can set that up through email if needed.


  3. inspirix

    inspirix Active Member

    Ok, I did get this working now. I finally found this thread:

    The method described there works; I had to set 0755 on /home/joenoon. This works in the short term, but I'm going to keep looking for a better way, as I'd rather not expose users' directories to each other. That kind of seems like it defeats the purpose of suexec in the first place.

    Here is an idea, let me know if you think it's valid or not:

    When litespeed forks(?) a process as the SuExec user, I'm guessing it has to be running as a superuser to do so? If that's the case, maybe the same could happen in the admin interface for checking directories exist, etc. It makes sense that the user 'nobody' can't see what's in another user's directory, but I don't see how you could ever successfully set up a new suexec vhost if the user is not 'nobody'?

    Maybe you can enlighten?

    The other route would be to find a better method than chmod 0755 and just make sure it's well documented and understood. I will try my best to help out in this area.


  4. mistwang

    mistwang LiteSpeed Staff

    Unfortunately, your idea does not work. :(

    The solution is pretty simple: like what I suggested in the referred thread, you can chmod 0750 instead of 0755, and add the "nobody" user as a member of the dedicated group of that user. This way, only the "nobody" user can read that user's directory; other users cannot.

  5. inspirix

    inspirix Active Member

    Yep, you're right, and the way you explain works perfectly. I put what you described into a mini howto step by step on my wiki at and the only difference is that I'm using chmod 0770. Not sure if that's a big deal or not, but I can update the wiki if it is.

    Would be cool to see something like that in the documentation if possible.

  6. mistwang

    mistwang LiteSpeed Staff

    0770 is fine as well; it just gives "nobody" write permission to the user's directory.

    Thanks for the link to your howto, we will add something in our document.
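
The permission reasoning in this thread (0755 versus 0750 with "nobody" in the user's group versus 0770), worked through as an added shell example that is not part of any post or of LiteSpeed itself. It reports which permission class a given user falls into on each directory of a path and what that class grants; the function names are hypothetical and GNU stat and readlink are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat/readlink (Linux).

# perm_class USER "USER_GROUPS" OWNER GROUP -> owner | group | other
# Exactly one class applies: owner is tried first, then group, then other.
perm_class() {
    if [ "$1" = "$3" ]; then echo owner; return; fi
    for g in $2; do
        if [ "$g" = "$4" ]; then echo group; return; fi
    done
    echo other
}

# class_bits MODE CLASS -> the rwx digit (0-7) for that class
class_bits() {
    case $2 in owner) s=6 ;; group) s=3 ;; *) s=0 ;; esac
    echo $(( (0$1 >> $s) & 7 ))
}

# dir_access MODE OWNER GROUP USER "USER_GROUPS" -> e.g. "group r-x"
dir_access() {
    cls=$(perm_class "$4" "$5" "$2" "$3")
    bits=$(class_bits "$1" "$cls")
    r=-; w=-; x=-
    if [ $(( bits & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( bits & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( bits & 1 )) -ne 0 ]; then x=x; fi
    echo "$cls $r$w$x"
}

# audit_path PATH USER: resolve symlinks, then report USER's access on every
# directory below /. Returns 1 if any directory lacks x (search) for USER.
audit_path() {
    user=$2; rc=0; cur=
    target=$(readlink -f "$1") || return 2
    ugroups=$(id -Gn "$user") || return 2
    old_ifs=$IFS; IFS=/
    for part in $target; do
        IFS=$old_ifs
        if [ -z "$part" ] || [ ! -d "$cur/$part" ]; then continue; fi
        cur="$cur/$part"
        meta=$(stat -c '%a %U %G' "$cur")
        acc=$(dir_access $meta "$user" "$ugroups")
        echo "$cur [$meta] -> $acc"
        case $acc in *x) ;; *) rc=1 ;; esac
    done
    IFS=$old_ifs
    return $rc
}
```

Run as root, `audit_path /home/joenoon/app/joenoon/current nobody` prints one line per directory, so the component that blocks "nobody" is visible at a glance. The check covers classic mode bits only and does not account for POSIX ACLs.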
