John WH Smith | 14 Jul 13:23 2014

Going half way between paranoid and owner mode

Hello,

I started using suPHP recently and I just can't get my permissions setup
correct.
I am using suPHP along with DBD MySQL, which allows me to store my users
and Apache virtual hosts into a MySQL database.

The server's contents have the following permissions :

-rw-r-x--- someuser www-data /home/users/someuser/
-rw-r----- someuser www-data /home/users/someuser/index.php

- "someuser" is a UNIX user stored in the MySQL database (link is made
through libnss-mysql and pam-mysql).
- "someuser" belongs to the "users" group. His home is
/home/users/someuser/.
- "someuser" and his scripts must not be able to access other homes in
/home/users.

Now, I am trying to use suPHP to remove the "www-data" group ownership
from the PHP scripts upon execution, but I need to keep the user ownership.
That is, in the above example, index.php should be executed as
someuser:users instead of www-data:www-data.

 - Owner mode allows me to set execution ownership to someuser:www-data,
which isn't quite it since I don't want the group to be www-data.
 - Paranoid mode requires me to set a static user AND group name, which
I can't do (all homes are handled by the same virtual host
configuration, which queries the database for each request).

Sebastian Marsching | 4 Jul 13:20 2014

Re: Handler for (null) returned invalid result code 70014

> Definitely a valid argument, but I don't see why these same concerns
> shouldn't apply to running PHP scripts, which are just as capable of causing
> damage and using the env variables maliciously as Perl scripts.

That is true, however suPHP filters some environment variables (in particular PHPRC and
LD_LIBRARY_PATH) that might be problematic for PHP.

The difference between suPHP and suExec is that suPHP uses a black-list and suExec a white-list. If you do
not know which kind of executables is run, a black-list obviously is the better approach.
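
The two filtering policies contrasted in the message above, as an added example that is not part of the original thread and not suPHP or suExec code. The deny list holds only the two names the message gives; the allow list and the sample environment are constructed for illustration.

```python
# Names the message above says suPHP filters; treated here as the whole deny list.
DENY = {"PHPRC", "LD_LIBRARY_PATH"}

# Constructed allow list for illustration only; this is not suExec's real table.
ALLOW_NAMES = {"PATH", "QUERY_STRING", "REQUEST_METHOD", "REQUEST_URI",
               "SCRIPT_FILENAME", "CONTENT_LENGTH", "CONTENT_TYPE"}
ALLOW_PREFIXES = ("HTTP_",)

# Constructed CGI environment as it might reach the setuid wrapper.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "id=1",
    "SCRIPT_FILENAME": "/home/users/someuser/index.php",
    "HTTP_USER_AGENT": "curl/7.26.0",
    "PHPRC": "/home/users/someuser/alt-ini",        # alternate php.ini location
    "LD_LIBRARY_PATH": "/home/users/someuser/lib",  # alternate shared libraries
    "PERL5LIB": "/home/users/someuser/perl",        # module path of another interpreter
    "APP_MODE": "staging",                          # site setting, e.g. from SetEnv
}


def deny_list_filter(env):
    """Black-list: pass everything except the named variables."""
    return {k: v for k, v in env.items() if k not in DENY}


def allow_list_filter(env):
    """White-list: pass only exact names or names with an allowed prefix."""
    return {k: v for k, v in env.items()
            if k in ALLOW_NAMES or k.startswith(ALLOW_PREFIXES)}


def compare(env):
    """Report what each policy removes and where the two disagree."""
    deny_out, allow_out = deny_list_filter(env), allow_list_filter(env)
    return {
        "removed_by_black_list": sorted(set(env) - set(deny_out)),
        "removed_by_white_list": sorted(set(env) - set(allow_out)),
        "passed_only_by_black_list": sorted(set(deny_out) - set(allow_out)),
        "passed_only_by_white_list": sorted(set(allow_out) - set(deny_out)),
    }


if __name__ == "__main__":
    for key, names in compare(SAMPLE_ENV).items():
        print(f"{key}: {names}")
```

On this sample the black-list keeps APP_MODE, which the site may rely on, and also PERL5LIB, for which it has no entry; the white-list removes both.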

Joe Gillotti | 3 Jul 12:32 2014

Re: Handler for (null) returned invalid result code 70014

Hey,

What if you try disabling/uninstalling suexec?

Not many people are completely aware of this, but suPHP also works for
executing one-off CGI scripts/binaries (i.e. not PHP) and can take the
place of suexec.

I know that cPanel likes to enable suPHP and suexec at the same time but 
I'm very sure it patches them a bit.

Read the second item in this with regards to using it to replace suexec: 
http://debianaddict.com/2011/08/19/usually-ignored-features-of-suphp/

Joe

On 7/3/14, 3:21 AM, helmuth@... wrote:
> Dear Joe,
>
>
> On 03.07.2014 10:34, Joe Gillotti wrote:
>> Are you using apache/suphp/php compiled from source or from stock 
>> Debian's apt repo? If the
>> latter perhaps you could file this as a debian bug for those packages,
>>
> thank you for your response! I'm using stock packages from the Debian 
> LTS repo, only. I've seen this error 2012, too. It's not a new problem.
> Sure, I could file a bug to the debian team.
>
> I'm also using apache2-suexec-custom instead of apache2-suexec:

Helmuth Gronewold | 2 Jul 16:32 2014

Handler for (null) returned invalid result code 70014

Dear list,

I really need your help with this. I have two webserver clusters with
mod_suphp 0.7.1 and Apache 2.2 (squeeze-lts). BalanceNG is placed
in front of the webservers to load balance user requests in DSR mode. PHP
sessions and data are stored on a reliable NFS server.
Multiple times a day users get an internal server error and the Apache 
logs say:

[Wed Jul 02 09:34:32 2014] [error] [client 9x.xx.xx.64] Handler for 
(null) returned invalid result code 70014, referer: 
http://www.example.com/user_update.php?action=upload&id=292931

In more than two cases the error was reproducible for the user only, but 
was gone the next day or after a few hours. Two months ago 6 out of 8 
users from one office got this problem and again it fixed itself the 
other day.

As you can see, the referer URL above says action=upload. The problem is
not bound to file uploads. Sometimes scripts that could be used to
upload files only changed two values with a few bytes in POST size.

It is also not bound to a specific script. I've seen that error with 
multiple different scripts which go from mostly flat PHP files with 
structural programming to MVC and OOP. The only thing that most of the 
scripts have in common is, that they provide file upload functionality 
(which is not used every time...).

I've read every website on the six result pages Google returned on this
topic. No one found a clear solution to this. Some say a proxy or

Michael Winterberg | 16 Feb 16:52 2014

Re: How to get more details ?

Hello,

I have the same problem now,
with suPHP and MediaWiki.
But the link to the solution is broken now.
Do you remember how you solved the problem?

Thanks a lot for your help.

-----------------------------------------------------------------------------------------------------
Michael Winterberg (CTO)
find my profile <at>  michael.tischefrei.de
tischefrei.de GmbH | Franz-Schubert-Str. 3 | 36043 Fulda
Sitz der Gesellschaft: Fulda | Handelsregister: Amtsgericht Fulda HRB 6123
Geschäftsführer: Bernhard Fichtenbauer, Tobias Walter, Michael Winterberg
-----------------------------------------------------------------------------------------------------

_______________________________________________
suPHP mailing list
suPHP@...
https://lists.marsching.com/mailman/listinfo/suphp

Lance | 27 Oct 23:57 2013

Help adding 2 new options

I hope someone can help me with this. I've been trying to add two new options to mod_suphp, basically suPHP_NProc and suPHP_NProc_Error. I'm just not good enough with C to get it all working correctly.

I was wanting suPHP_NProc to set the maximum number of permitted PHP processes. (I know Apache has RLimitNProc, but I was just looking to add something that is suPHP specific.)

The other option suPHP_NProc_Error I was wanting to add to let you override the error code that is returned when the process limit is reached instead of returning a generic 500 error code (Internal Server Error).

Any help with this would be appreciated.

suphp | 13 Oct 13:21 2013

htaccess override suphp_ConfigPath

Howdy :-)

On Debian 7 I have some virtual hosts (each virtual host has a php.ini that
is not visible in the FTP root).

i.e.

DocumentRoot /home/domain1/domain1/
suPHP_ConfigPath /home/domain1/

I need to use .htaccess, so I changed AllowOverride from None to FileInfo:

AllowOverride FileInfo

Works :-)

But if I put (in htaccess) this line:

suPHP_ConfigPath /home/domain1/domain1/

I can write a NEW php.ini and override ALL security options!

What should I do?

Thanks

Pol
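
An audit for the override described in the message above, as an added example that is not part of the original post and not suPHP code: it walks a directory tree and reports every .htaccess file that sets suPHP_ConfigPath. The function names and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

DIRECTIVE = "suphp_configpath"  # Apache directive names are case-insensitive


def logical_lines(text):
    """Yield (first line number, text) with backslash-continued lines joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf


def find_overrides(root):
    """Return sorted (relative path, line, value) for each directive found in .htaccess files."""
    hits = []
    for path in Path(root).rglob(".htaccess"):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in logical_lines(text):
            parts = line.split(None, 1)
            if not parts or parts[0].startswith("#"):
                continue  # blank line or comment
            if parts[0].lower() == DIRECTIVE:
                value = parts[1].strip().strip('"') if len(parts) > 1 else ""
                hits.append((path.relative_to(root).as_posix(), lineno, value))
    return sorted(hits)


def demo():
    """Audit a constructed two-site tree; the file contents are sample data."""
    samples = {
        "domain1/domain1/.htaccess":
            "# user file\nRewriteEngine On\nsuphp_configpath \\\n  /home/domain1/domain1/\n",
        "domain2/domain2/.htaccess": "#suPHP_ConfigPath /tmp\nRewriteEngine On\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True)
            target.write_text(body, encoding="utf-8")
        return find_overrides(root)
```

Calling find_overrides("/home") on a real server lists each per-directory override with the path it points to, so it can be compared against the value set in the virtual host.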

Sebastiaan Hoogeveen | 9 Oct 10:16 2013

Patch for logging of exceptions

Hi,

If SuPHP cannot run a script (e.g. because an Apache process limit has been reached) currently no error is
logged. The following very small patch makes exception information appear in the SuPHP log to help find
these (and possibly other) configuration issues:

---
diff -u -r suphp-0.7.2/src/Application.cpp suphp-0.7.2-patched/src/Application.cpp
--- suphp-0.7.2/src/Application.cpp     2013-05-20 13:24:54.000000000 +0200
+++ suphp-0.7.2-patched/src/Application.cpp     2013-10-09 09:14:55.000000000 +0200
 <at>  <at>  -136,6 +136,7  <at>  <at> 
         // So, if we get here, return with error code
         return 1;
     } catch (SoftException& e) {
+        logger.logError(e.toString());
         if (!config.getErrorsToBrowser()) {
             std::cerr << e;
             return 2;
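Review bot: the added logger.logError(e.toString()) call sits at the top of the catch (SoftException& e) block, ahead of the existing config.getErrorsToBrowser() check, so if the logger call can itself raise (for instance when the log file cannot be written) the exception leaves the handler and the existing "std::cerr << e; return 2;" path is never reached. Either confirm logError cannot throw or guard the call with its own try/catch that falls through to the existing code. Only the SoftException handler visible here gains logging; if this function has other handlers outside the hunk, they would still exit without a log entry.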
---

I understand that SuPHP is no longer actively maintained, but it is still an immensely useful piece of
software to us. Not just because it separates user scripts but also because it enables us to offer our
customers the option to choose the PHP version their websites run on.

Kind regards,

--
Sebastiaan Hoogeveen
<s.hoogeveen@...>

NederHost is ingeschreven bij de Kamer van Koophandel onder dossier 34099781.

AskApache | 6 Jun 04:15 2013

Compile/Build issue with new 0.7.2 version

Previously I could do this:

# cd /opt/DIST/ && curl -O http://www.suphp.org/download/suphp-0.7.1.tar.gz && tar -xzf suphp-0.7.1.tar.gz && cd suphp-0.7.1
# ./configure && make && sudo make install

But with 7.2:

# ./configure
configure: error: cannot find install-sh, install.sh, or shtool in
config "."/config

So I tried to autoreconf and was able to configure, but then make:

# make
Making all in src
make[1]: Entering directory `/opt/SOURCE/suphp-0.7.2/src'
make  all-recursive
make[2]: Entering directory `/opt/SOURCE/suphp-0.7.2/src'
Making all in apache2
make[3]: Entering directory `/opt/SOURCE/suphp-0.7.2/src/apache2'
/bin/sh ../../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.
-I../../src  -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE  -I/usr/include/httpd
-I/usr/include/apr-1 -pthread
-DSUPHP_PATH_TO_SUPHP=\"/usr/local/sbin/suphp\" -DSUPHP_USE_USERGROUP -g
-O2 -MT mod_suphp.lo -MD -MP -MF .deps/mod_suphp.Tpo -c -o mod_suphp.lo
mod_suphp.c
libtool: Version mismatch error.  This is libtool 2.4.2
Debian-2.4.2-1ubuntu1, but the
libtool: definition of this LT_INIT comes from libtool 2.2.6b.
libtool: You should recreate aclocal.m4 with macros from libtool 2.4.2
Debian-2.4.2-1ubuntu1
libtool: and run autoconf again.

I was able to get it to work by doing:

# aclocal && libtoolize --force && automake --add-missing && autoreconf

So now I do:

# cd /opt/DIST/ && curl -O http://www.suphp.org/download/suphp-0.7.2.tar.gz && tar -xzf suphp-0.7.2.tar.gz && cd suphp-0.7.2
# aclocal && libtoolize --force && automake --add-missing && autoreconf && ./configure && make && sudo make install

Which works perfectly. You may want to regenerate the build though.
BTW thank you for this amazingly useful piece of software, you should
add a donation link to your site.

# webmaster askapache com 0x6DC3AB5F

Sebastian Marsching | 22 May 14:29 2013

suPHP End of Life Notice

Dear suPHP community,

suPHP has been around for more than ten years now.

As some of you have noticed, the development activity has declined with 
time, in particular over the last four years.

I started the suPHP project when I was sharing a server with some 
friends and thus we wanted each user to have her individual space. As 
over time servers became cheaper and cheaper, each person started to use 
a server of her own. For about the last six years, I have only been 
using suPHP because my server had been setup this way and there was no 
immediate reason to change.

Thus, I have not been personally interested in further developing suPHP 
for quite some time. In addition to that I hardly found time to take 
care of suPHP in the last few years. I am still very interested and 
active in the idea of open-source software, however as my interests 
shifted, the projects I have been working on lately shifted as well.

If you want to get an idea about which kind of projects I am talking 
about, you might want to have a look at my personal projects at 
http://projects.marsching.org/ and my company's open-source projects at 
http://oss.aquenos.com/.

In conclusion this has left suPHP in a state where it would be 
irresponsible to suggest to users that it is being actively maintained. 
For example the latest security update has been lying around for years 
before actually being released.

Therefore, I officially announce that suPHP has reached its end of life 
and will not be maintained by me in the future.

So does this mean that suPHP is dead? This entirely depends on you, the 
community.

At some points in time during the last years, I have seen quite some 
activity on the mailing-list, including people discussing bugs and new 
features and writing patches for them.

As suPHP is open-source software, everyone is free to keep building on 
top of it. Actually I hope that someone might be interested in 
maintaining suPHP in the future.

While I will not take an active role in this process, be assured that I 
will support it (e.g. by keeping this mailing-list available as long as 
needed or making the existing code-base available under a different OSS 
license, if this helps).

I want to thank all people who helped me with the suPHP project, be it 
by reporting bugs, sharing their ideas, writing patches or answering 
questions on the mailing-list. Thanks to all of you!

- Sebastian

Aki Tuomi | 20 May 19:37 2013

Patch to allow configure against 2.4 Apache

Hi!

Attached, a small fix for configure.ac to enable compilation on Apache 2.4. 

I have tested this myself, and am running Apache 2.4 with suphp successfully.

Aki Tuomi