daniel-marschall | 20 Nov 21:35 2014

suPHP and mail logging

Hello,

I have a problem with suPHP and mail logging.

In php.ini I have the following content to detect sending of spam:

mail.log = /var/log/php/mail.log

When I use mail() with one of my users, I get the error message that 
/var/log/php/mail.log is not writable by the user, which is correct. 
But I expect that this file is written by www-user, since the writing 
process is an internal functionality of PHP's mail() function and cannot 
be exploited by the user in writing arbitrary files, so I don't want 
suPHP to enforce the user privileges on this internal functionality.

I can't use per-user log files since I don't want users to remove 
their own log entries to hide sending spam.

What can I do?

Best regards
Daniel Marschall
Michele Cerioni | 12 Nov 11:54 2014

chroot

Hi,

I have some problems configuring suPHP with the chroot option.

With chroot=/ in suphp.conf everything is working, while with
chroot=/home/web I get this error on the web page:

Internal Server Error
Could not execute script "/usr/local/www/demoprotocol.it/prova/ss.php3"

There aren't any errors in the error_log file of Apache.

I think the problem is in the chroot environment of chroot. I tested this 
with the command

chroot --userspec=517 /home/web /usr/local/apache/php/bin/php-cgi /usr/local/www/demoprotocol.it/prova/ss.php3

and it works.

Could someone help me?
thanks
Michele
Michele Cerioni | 31 Oct 14:49 2014

chroot

Hi,

I have some problems configuring suPHP with the chroot option.

With chroot=/ in suphp.conf everything is working, while with
chroot=/home/web I get this error on the web page:

Internal Server Error
Could not execute script "/usr/local/www/demoprotocol.it/prova/ss.php3"

There aren't any errors in the error_log file of Apache.

I think the problem is in the chroot environment of chroot. I tested this 
with the command

chroot --userspec=517 /home/web /usr/local/apache/php/bin/php-cgi /usr/local/www/demoprotocol.it/prova/ss.php3

and it works.

Could someone help me?
thanks
Michele
John WH Smith | 14 Jul 13:23 2014

Going half way between paranoid and owner mode

Hello,

I started using suPHP recently and I just can't get my permissions setup
correct.
I am using suPHP along with DBD MySQL, which allows me to store my users
and Apache virtual hosts into a MySQL database.

The server's contents have the following permissions :

-rw-r-x--- someuser www-data /home/users/someuser/
-rw-r----- someuser www-data /home/users/someuser/index.php

- "someuser" is a UNIX user stored in the MySQL database (link is made
through libnss-mysql and pam-mysql).
- "someuser" belongs to the "users" group. His home is
/home/users/someuser/.
- "someuser" and his scripts must not be able to access other homes in
/home/users.

Now, I am trying to use suPHP to remove the "www-data" group ownership
from the PHP scripts upon execution, but I need to keep the user ownership.
That is, in the above example, index.php should be executed as
someuser:users instead of www-data:www-data.

 - Owner mode allows me to set execution ownership to someuser:www-data,
which isn't quite it since I don't want the group to be www-data.
 - Paranoid mode requires me to set a static user AND group name, which
I can't do (all homes are handled by the same virtual host
configuration, which queries the database for each request).

Sebastian Marsching | 4 Jul 13:20 2014

Re: Handler for (null) returned invalid result code 70014

> Definitely a valid argument, but I don't see why these same concerns
> shouldn't apply to running PHP scripts, which are just as capable of causing
> damage and using the env variables maliciously as Perl scripts.

That is true, however suPHP filters some environment variables (in particular PHPRC and
LD_LIBRARY_PATH) that might be problematic for PHP.

The difference between suPHP and suExec is that suPHP uses a black-list and suExec a white-list. If you do
not know which kind of executables is run, a black-list obviously is the better approach.
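
The black-list versus white-list distinction from the message above, as an added example that is not suPHP or suExec code and not part of the original post. The deny-list holds only the two variables the message names, while the allow-list, the sample environment and the variable APP_UNKNOWN_SETTING are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

using Env = std::map<std::string, std::string>;

// Deny-list (black-list) filter: every variable passes unless it is explicitly named.
Env filterDenyList(const Env& in, const std::set<std::string>& denied) {
    Env out;
    for (const auto& kv : in)
        if (denied.count(kv.first) == 0) out.insert(kv);
    return out;
}

// Allow-list (white-list) filter: a variable passes only if named or matching a prefix.
Env filterAllowList(const Env& in, const std::set<std::string>& allowed,
                    const std::vector<std::string>& prefixes) {
    Env out;
    for (const auto& kv : in) {
        bool ok = allowed.count(kv.first) > 0;
        for (const auto& p : prefixes)
            if (kv.first.compare(0, p.size(), p) == 0) ok = true;
        if (ok) out.insert(kv);
    }
    return out;
}

// Constructed sample environment (not captured from a real server).
Env sampleEnv() {
    return {{"PATH", "/usr/bin:/bin"},
            {"PHPRC", "/home/someuser"},
            {"LD_LIBRARY_PATH", "/home/someuser/lib"},
            {"HTTP_HOST", "www.example.com"},
            {"SCRIPT_FILENAME", "/home/someuser/index.php"},
            {"APP_UNKNOWN_SETTING", "1"}};  // hypothetical: known to neither list
}

// Only the two names the message mentions; suPHP's full list is not shown on this page.
const std::set<std::string> kDenied = {"PHPRC", "LD_LIBRARY_PATH"};
// Assumed allow-list for illustration; not suExec's actual list.
const std::set<std::string> kAllowed = {"PATH", "SCRIPT_FILENAME"};
const std::vector<std::string> kPrefixes = {"HTTP_"};

int main() {
    for (const auto& kv : filterDenyList(sampleEnv(), kDenied))
        std::cout << "deny-list keeps  " << kv.first << "\n";
    for (const auto& kv : filterAllowList(sampleEnv(), kAllowed, kPrefixes))
        std::cout << "allow-list keeps " << kv.first << "\n";
    return 0;
}
```

The variable that neither list knows about reaches the script under the deny-list and is dropped under the allow-list, which is the trade-off between the two approaches.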
Joe Gillotti | 3 Jul 12:32 2014

Re: Handler for (null) returned invalid result code 70014

Hey,

What if you try disabling/uninstalling suexec?

Not many people are completely aware of this but suPHP also works for 
executing one-off CGI scripts/binaries (i.e. not PHP) and can take the 
place of suexec.

I know that cPanel likes to enable suPHP and suexec at the same time but 
I'm very sure it patches them a bit.

Read the second item in this with regards to using it to replace suexec: 
http://debianaddict.com/2011/08/19/usually-ignored-features-of-suphp/

Joe

On 7/3/14, 3:21 AM, helmuth@... wrote:
> Dear Joe,
>
>
> On 03.07.2014 10:34, Joe Gillotti wrote:
>> Are you using apache/suphp/php compiled from source or from stock 
>> Debian's apt repo? If the
>> latter perhaps you could file this as a debian bug for those packages,
>>
> thank you for your response! I'm using stock packages from the Debian 
> LTS repo, only. I've seen this error 2012, too. It's not a new problem.
> Sure, I could file a bug to the debian team.
>
> I'm also using apache2-suexec-custom instead of apache2-suexec:
Helmuth Gronewold | 2 Jul 16:32 2014

Handler for (null) returned invalid result code 70014

Dear list,

I really need your help with this. I have two webserver clusters with 
mod_suphp 0.7.1 and Apache 2.2 (squeeze-lts). BalanceNG is placed 
in front of the webservers to load balance user requests in DSR mode. PHP 
sessions and data are stored on a reliable NFS server.
Multiple times a day users get an internal server error and the Apache 
logs say:

[Wed Jul 02 09:34:32 2014] [error] [client 9x.xx.xx.64] Handler for 
(null) returned invalid result code 70014, referer: 
http://www.example.com/user_update.php?action=upload&id=292931

In more than two cases the error was reproducible for the user only, but 
was gone the next day or after a few hours. Two months ago 6 out of 8 
users from one office got this problem and again it fixed itself the 
other day.

As you can see, the referer URL above says action=upload. The problem is 
not bound to file uploads. Sometimes scripts that could be used to 
upload files only changed two values with a few bytes in POST size.

It is also not bound to a specific script. I've seen that error with 
multiple different scripts which go from mostly flat PHP files with 
structural programming to MVC and OOP. The only thing that most of the 
scripts have in common is, that they provide file upload functionality 
(which is not used every time...).

I've read every website on the six result pages google returned to this 
topic. No one found a clear solution to this. Some say a proxy or 
Michael Winterberg | 16 Feb 16:52 2014

Re: How to get more details ?

Hello,

I have the same problem now.
suPHP and MediaWiki.
But the link to the solution is broken now.
Do you remember how you solved the problem?

Thanks a lot for the help

-----------------------------------------------------------------------------------------------------
Michael Winterberg (CTO)
find my profile <at>  michael.tischefrei.de
tischefrei.de GmbH | Franz-Schubert-Str. 3 | 36043 Fulda
Registered office: Fulda | Commercial register: Amtsgericht Fulda HRB 6123
Managing directors: Bernhard Fichtenbauer, Tobias Walter, Michael Winterberg
-----------------------------------------------------------------------------------------------------

_______________________________________________
suPHP mailing list
suPHP@...
https://lists.marsching.com/mailman/listinfo/suphp
Lance | 27 Oct 23:57 2013

Help adding 2 new options

I hope someone can help me with this. I've been trying to add two new options to mod_suphp, basically suPHP_NProc and suPHP_NProc_Error. I'm just not good enough with C to get it all working correctly.

I was wanting suPHP_NProc to set the maximum number of permitted PHP processes. (I know Apache has RLimitNProc, but I was just looking to add something that is suPHP specific.)

The other option suPHP_NProc_Error I was wanting to add to let you override the error code that is returned when the process limit is reached instead of returning a generic 500 error code (Internal Server Error).

Any help with this would be appreciated.
suphp | 13 Oct 13:21 2013

htaccess override suphp_ConfigPath

Howdy :-)

On Debian 7 I have some virtual hosts (each virtual host has a php.ini
that is not visible in the FTP root).

i.e.

DocumentRoot /home/domain1/domain1/
suPHP_ConfigPath /home/domain1/

I need to use htaccess and I modified AllowOverride from None to FileInfo:

AllowOverride FileInfo

Works :-)

But if I put (in htaccess) this line:

suPHP_ConfigPath /home/domain1/domain1/

I can write a NEW php.ini and override ALL security options!

What should I do?

Thanks

Pol
Sebastiaan Hoogeveen | 9 Oct 10:16 2013

Patch for logging of exceptions

Hi,

If SuPHP cannot run a script (e.g. because an Apache process limit has been reached) currently no error is
logged. The following very small patch makes exception information appear in the SuPHP log to help find
these (and possibly other) configuration issues:

---
diff -u -r suphp-0.7.2/src/Application.cpp suphp-0.7.2-patched/src/Application.cpp
--- suphp-0.7.2/src/Application.cpp     2013-05-20 13:24:54.000000000 +0200
+++ suphp-0.7.2-patched/src/Application.cpp     2013-10-09 09:14:55.000000000 +0200
 <at>  <at>  -136,6 +136,7  <at>  <at> 
         // So, if we get here, return with error code
         return 1;
     } catch (SoftException& e) {
+        logger.logError(e.toString());
         if (!config.getErrorsToBrowser()) {
             std::cerr << e;
             return 2;
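
Review bot: The new logger.logError(e.toString()) call at the top of the catch (SoftException& e) block is unguarded and runs before the getErrorsToBrowser() check, so if the logging call itself throws (an unusable log is exactly the kind of configuration issue this patch is meant to surface), the exception leaves the handler and the "std::cerr << e; return 2;" path below it is never reached. Suggest wrapping the call in its own try/catch that falls through to the existing code. Only the SoftException handler is visible in this hunk; if the function has other catch blocks, they would need the same call for their errors to reach the log.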
---

I understand that SuPHP is no longer actively maintained, but it is still an immensely useful piece of
software to us. Not just because it separates user scripts but also because it enables us to offer our
customers the option to choose the PHP version their websites run on.

Kind regards,

-- 
Sebastiaan Hoogeveen
<s.hoogeveen@...>

NederHost is registered with the Chamber of Commerce (Kamer van Koophandel) under file number 34099781.