Apache SuexecUserGroup and group permissions on fedora with joomla

Post by ggossamer » Sat Jan 05, 2019 6:08 pm

I'm having trouble with permissions and ownership on a fedora28 system with apache-2.4 and joomla-3.9. I'd like to be able to have only the minimal number of files necessary to be owned by apache and have an ssh/sftp user have access to read and write every file in the document root.

I'm trying to solve two problems:
  • Provide ability for ssh/sftp users to write files within the document root
  • Provide apache with only the minimal ability necessary to write/delete files, while not being restricted from reading
The problem is that creating files with 664 ownership causes many of the extensions like Akeeba Backup to complain that the files are too relaxed and insist it must be 644.

I've loaded mod_suexec and enabled it with "Suexec on" and configured SuexecUserGroup to the name of the ssh/sftp user and "apache":

Code:

SuexecUserGroup ftpuser apache

then changed the ownership of all files and directories to ftpuser.apache, but this only works when files are created or modified by the ftpuser.

I've then gone through and set ownership to a few specific files that apache needs read/write access to for normal operation.

Code:

#!/bin/bash

# Directories handed to the apache user (paths relative to the document root)
PLACES='
administrator/backups
administrator/components
administrator/modules
administrator/templates
administrator/language
administrator/cache
cache
components
images
images/banners
images/stories
language
media
modules
templates
tmp
'
# Give apache ownership of each tree and make its top directory group-writable
for i in $PLACES; do
    chown -R apache:apache "$i"
    chmod g+w "$i"
done

# Make these directories group-writable as well
chmod g+w tmp components language language/en-GB logs modules \
    administrator/components administrator/language \
    administrator/language/en-GB

Even after configuring suexec in this way, apache can't delete files owned by ftpuser with permissions 644. Apache needs the ability to write to more than what's listed when doing upgrades or extension updates.

The problem is that the apache server is running as user apache, so any files that it writes would have to be owned by the apache user, assuming the permissions were 644 or 755.

I thought about using sgid here, changing permissions of all directories to 2775, so any files created by the apache user would maintain the apache group ownership and 664 permissions, but that doesn't help with security and keeping Akeeba Backup happy with the 644 permissions issue.

What do most service providers like SiteGround do? Do they just change ownership of everything to be the user running apache, then give all sftp users the same UID?

Is there any way around just changing ownership to apache.apache, adding the ssh/sftp user to the apache group, and setting everything sgid?
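
Added example, not part of any post in this thread: a POSIX shell audit that answers the questions raised above for a given document root, namely what one account can write to, which files carry the 664-style modes, and which group-writable directories lack setgid. The sample tree, its file names and the uid standing in for the web server are constructed; supplementary groups, ACLs and SELinux are not evaluated.

```bash
#!/bin/sh
# Added example: audit a document root using only owner, group and mode bits.
# Assumptions: the account has no supplementary groups; ACLs and SELinux are
# ignored; symbolic links are not followed.

# writable_by ROOT USER GROUP TYPE   (TYPE: d = directories, f = regular files)
# Prints the paths whose write bit applies to the account. Follows the kernel's
# class selection: owner bits if the account owns the path, otherwise group
# bits if the group matches, otherwise the "other" bits.
# USER and GROUP may be names or numeric ids.
writable_by() (
    cd "$1" || exit 1
    find . -type "$4" \( \
        \( -user "$2" -perm -200 \) -o \
        \( ! -user "$2" -group "$3" -perm -020 \) -o \
        \( ! -user "$2" ! -group "$3" -perm -002 \) \
    \) -print | LC_ALL=C sort
)

# relaxed_files ROOT
# Regular files writable by group or other (664, 666, ...), i.e. the modes
# the post says extensions reject in favour of 644.
relaxed_files() (
    cd "$1" || exit 1
    find . -type f \( -perm -020 -o -perm -002 \) -print | LC_ALL=C sort
)

# dirs_without_setgid ROOT
# Group-writable directories lacking the setgid bit: files created there get
# the creator's primary group instead of the directory's group.
dirs_without_setgid() (
    cd "$1" || exit 1
    find . -type d -perm -020 ! -perm -2000 -print | LC_ALL=C sort
)

# build_sample_tree
# Constructed layout for the demo; prints the path of the temporary tree.
build_sample_tree() (
    t=$(mktemp -d) || exit 1
    mkdir "$t/administrator" "$t/cache" "$t/tmp"
    : > "$t/index.php"
    : > "$t/configuration.php"
    : > "$t/administrator/index.php"
    : > "$t/cache/page.html"
    chgrp -R "$(id -g)" "$t"
    chmod 755 "$t" "$t/administrator"
    chmod 775 "$t/cache"
    chmod 2775 "$t/tmp"
    chmod 644 "$t/index.php" "$t/administrator/index.php" "$t/cache/page.html"
    chmod 664 "$t/configuration.php"
    echo "$t"
)

# Demo: the current user plays the sftp owner; a uid one higher (constructed)
# plays the web server account, sharing the tree's group.
tree=$(build_sample_tree)
web_uid=$(( $(id -u) + 1 ))
echo "Directories the web server account can write to:"
writable_by "$tree" "$web_uid" "$(id -g)" d
echo "Files the web server account can write to:"
writable_by "$tree" "$web_uid" "$(id -g)" f
echo "Files with group/other write bits:"
relaxed_files "$tree"
echo "Group-writable directories without setgid:"
dirs_without_setgid "$tree"
rm -rf "$tree"
```

A writable directory matters more than any single file's mode: with write and search permission on it, the account can delete or replace the entries inside, whatever their own permissions are.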

Post by Per Yngve Berg » Sun Jan 06, 2019 12:07 am

viewtopic.php?f=714&t=793531 Please.

What do you have as PHP to Webserver interface?

It should be fcgi, not Apachehandler.

Post by Webdongle » Sun Jan 06, 2019 12:22 am

If you are running Fedora on your home computer see https://docs.joomla.org/Installing_Joom ... bian_Linux

xampp is probably the best stack to use because if you use ftp to create the folders (and copy files) on localhost ... then you will have no Ownership issues (even if xampp uses Apachehandler as interface). If you use a different stack then you will need to CHOWN the folders.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

Post by ggossamer » Sun Jan 06, 2019 10:32 pm

Per Yngve Berg wrote:
Sun Jan 06, 2019 12:07 am
viewtopic.php?f=714&t=793531 Please.

What do you have as PHP to Webserver interface?

It should be fcgi, not Apachehandler.
Yes, I'm using fcgi. Here is my fcgid.conf config:

Code:

AddHandler fcgid-script fcg fcgi fpl
FcgidIPCDir /run/mod_fcgid
FcgidProcessTableFile /run/mod_fcgid/fcgid_shm
FcgidMaxRequestLen 1073741824
FcgidOutputBufferSize 1073741824
FcgidMaxRequestsPerProcess 500
FcgidMaxProcesses 300
FcgidFixPathinfo 1
FcgidIdleScanInterval 15
FcgidBusyTimeout 280
FcgidBusyScanInterval 30
FcgidErrorScanInterval 3
FcgidZombieScanInterval 3
FcgidMinProcessesPerClass  0
FcgidIdleTimeout 6000
FcgidProcessLifeTime 6000
FcgidConnectTimeout 6000
FcgidIOTimeout 6000

Forum Post Assistant (v1.4.6 (BabyK)) : 6th January 2019 wrote:
Problem Description :: wrote:Permissions and access
Last PHP Error(s) Reported :: wrote:</style>
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.8.6-Stable (Amani) 13-March-2018
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Writable (660) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.8
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: true | .htaccess/web.config: Yes | GZip: true | Cache: true | CacheTime: 30 | CacheHandler: file | CachePlatformPrefix: true | FTP Layer: false | Proxy: false | LiveSite: N/A | Session lifetime: 30 | Session handler: database | Shared sessions: true | SSL: 2 | Error Reporting: none | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.8.6: Yes | Database Supports J! 3.8.6: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 4.19.8-200.fc28.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 132.29 GiB |

PHP Configuration :: Version: 7.2.13 | PHP API: fpm-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: -1 | Log Errors To: /var/log/php-fpm/www-error.log | Last Known Error: 06th January 2019 22:29:05. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 750M | Max. POST Size: 750M | Max. Input Time: 5000 | Max. Execution Time: 0 | Memory Limit: 4G

Database Configuration :: Version: 5.5.5-10.2.18-MariaDB-log (Client:mysqlnd 5.0.12-dev - 20150407 - $Id: 38fea24f2847fa7519001be390c98ae0acafe387 $) | Host: --protected-- (--protected--) | default Collation: latin1_swedish_ci (default Character Set: latin1) | Database Size: 13670.57 MiB | #of Tables:  279
Detailed Environment :: wrote:PHP Extensions :: Core (7.2.13) | date (7.2.13) | libxml (7.2.13) | openssl (7.2.13) | pcre (7.2.13) | zlib (7.2.13) | filter (7.2.13) | hash (1.0) | Reflection (7.2.13) | SPL (7.2.13) | session (7.2.13) | standard (7.2.13) | cgi-fcgi () | bcmath (7.2.13) | bz2 (7.2.13) | calendar (7.2.13) | ctype (7.2.13) | curl (7.2.13) | dom (20031129) | mbstring (7.2.13) | fileinfo (1.0.5) | ftp (7.2.13) | gd (7.2.13) | gettext (7.2.13) | gmp (7.2.13) | iconv (7.2.13) | intl (1.1.0) | json (1.6.0) | exif (7.2.13) | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: 38fea24f2847fa7519001be390c98ae0acafe387 $) | PDO (7.2.13) | Phar (2.0.2) | posix (7.2.13) | recode (7.2.13) | shmop (7.2.13) | SimpleXML (7.2.13) | sockets (7.2.13) | sqlite3 (7.2.13) | sysvmsg (7.2.13) | sysvsem (7.2.13) | sysvshm (7.2.13) | tidy (7.2.13) | tokenizer (7.2.13) | xml (7.2.13) | xmlwriter (7.2.13) | xsl (7.2.13) | mysqli (7.2.13) | pdo_mysql (7.2.13) | pdo_sqlite (7.2.13) | wddx (7.2.13) | xmlreader (7.2.13) | zip (1.15.4) | Zend OPcache (7.2.13) | Zend Engine (3.2.0) |
Potential Missing Extensions ::
Disabled Functions :: show_source | system | shell_exec | passthru | exec | popen | proc_open |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:Core Folders :: images/ (775) | components/ (775) | modules/ (775) | plugins/ (775) | language/ (775) | templates/ (775) | cache/ (775) | logs/ (---) | tmp/ (775) | administrator/components/ (775) | administrator/modules/ (775) | administrator/language/ (775) | administrator/templates/ (775) | administrator/logs/ (775) |

Elevated Permissions (First 10) :: administrator/ (775) | administrator/cache/ (775) | administrator/help/ (775) | administrator/help/en-GB/ (775) | administrator/includes/ (775) | administrator/logs/ (775) | administrator/manifests/ (775) | administrator/manifests/packages/ (775) | administrator/manifests/packages/cjlib/ (775) | administrator/manifests/packages/kunena/ (775) |
Database Information :: wrote:Database statistics :: Uptime: 283239 | Threads: 17 | Questions: 4524882 | Slow queries: 21 | Opens: 9883 | Flush tables: 1 | Open tables: 256 | Queries per second avg: 15.975 |
Templates Discovered :: wrote:Templates :: SITE :: protostar (1.0) 1 | beez3 (3.1.0) 1 | shaper_helix3 (2.5.2) 1 | shaperhelix_child (2.5.2) 1 |
Templates :: ADMIN :: hathor (3.0.0) 1 | isis (1.0) 1 |
Last edited by toivo on Mon Jan 07, 2019 3:41 pm, edited 2 times in total.
Reason: mod note: disabled smilies in post Options for readability

Post by ggossamer » Sun Jan 06, 2019 10:34 pm

Webdongle wrote:
Sun Jan 06, 2019 12:22 am
If you are running Fedora on your home computer see https://docs.joomla.org/Installing_Joom ... bian_Linux
This is not a home computer, but a server in a datacenter.

These instructions would suffer from the same problem with upgrades because it changes ownership of many joomla files to root, preventing the apache user from being able to overwrite them at upgrade time.
"xampp is probably the best stack to use because if you use ftp to create the folders (and copy files) on localhost ... then you will have no Ownership issues (even if xampp uses Apachehandler as interface). If you use a different stack then you will need to CHOWN the folders."
Too much of a black box for me.

Post by ggossamer » Sun Jan 06, 2019 10:52 pm

Here is the remaining contents that wouldn't fit in the first post.
Last edited by toivo on Mon Jan 07, 2019 3:41 pm, edited 1 time in total.
Reason: mod note: disabled smilies in post Options for readability

Post by leolam » Mon Jan 07, 2019 3:25 pm

First of all, all permissions on an fcgi box should be 755 for folders and 644 for files.

This is way too big: Max. Upload Size: 750M | Max. POST Size: 750M. Reduce both to 100M.
"The problem is that the apache server is running as user apache"
That is not possible if you run fcgi, since then the owner is always the 'user'. You can chown by going in the terminal to cd /home/username

Code:

chown -R peterpan public_html

Change the ownership of public_html folder recursively to 'peterpan'

Also chmod your permissions from the command line cd /home/username/public_html

Code:

find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;

This sets the default permissions for 'username': the files (644) and directories (755).

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

Post by ggossamer » Mon Jan 07, 2019 6:00 pm

leolam wrote:
Mon Jan 07, 2019 3:25 pm
First of all, all permissions on an fcgi box should be 755 for folders and 644 for files.

This is way too big: Max. Upload Size: 750M | Max. POST Size: 750M. Reduce both to 100M.
"The problem is that the apache server is running as user apache"
That is not possible if you run fcgi, since then the owner is always the 'user'. You can chown by going in the terminal to cd /home/username

Code:

chown -R peterpan public_html

Change the ownership of public_html folder recursively to 'peterpan'

Also chmod your permissions from the command line cd /home/username/public_html

Code:

find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;

This sets the default permissions for 'username': the files (644) and directories (755).

I'm not sure you fully understand the problem, or it's possible I'm not understanding you. You haven't addressed the real problem.

Where does fcgid control which user is used for ownership of files?

As I mentioned initially, the reason the files were 664 was because there are two groups of developers - those making changes to the site through joomla itself and those making changes via sftp.

With your configuration, both the web server and sftp user must be 'peterpan' since the group does not have write access.

Do you not understand the implications of having the web server have write access to all files in the document root should there be some type of privilege escalation compromise? Or don't people care about that anymore?

Unless directories and files like administrator/components/com_akeeba/backup are owned by the same user running the web server, it will fail with a message that it's unable to write its backup files.

I've also indicated that I set SuexecUserGroup to be the sftp user ("peterpan" your example), but it still creates new files with 644 permissions, preventing the sftp user from being able to write.

Post by ggossamer » Fri Jan 11, 2019 8:20 pm

No one has any further ideas on how best to provide access to remote sftp users while also enabling apache to operate normally, including updating joomla components?

Post by leolam » Sat Jan 12, 2019 3:43 am

"Do you not understand the implications of having the web server have write access to all files in the document root should there be some type of privilege escalation compromise? Or don't people care about that anymore?"
shows YOU have not a bit understanding about permissions and yes I do have this understanding. So start learning proper Unix and read about permissions as outlined here https://docs.joomla.org/How_do_UNIX_fil ... ns_work%3F and guess where you end up? Right: files=644 and folders=755 Why think that all your permissions are in "RED" in the FPA? Right...because they are wrong.

You do not update Joomla and extensions through ftp or sftp. You use the update mechanism as provided in Joomla. If that does not work you need to disable all ftp settings in your global configuration to start with. On a fcgi box you do not enable ftp. (being enabled is an assumption and I could be wrong)

and yes I can see that you have ownership permissions and that your stuff is owned by Apache and not the user and therefore the CHOWN command is needed. Ohh did I mention that '644' permissions does not influence any ftp/sftp/ssh user to write? Yes I forgot: No 644 does not influence write permissions (444 does). If they cannot write on 644 it is caused by ownership hohoho

But feel free to ignore my advice. I am pretty much a newbie on these forums and work only for a little while with Joomla .....Oh forgot to tell you that we host in our hosting division 7,000 Joomla users but of course we have no idea about permissions ......

I am out of here since I have no idea where I talk about. I better resign from the Joomla Bug Squad and from the Joomla CMS Release Team me think maybe

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

Post by ggossamer » Sat Jan 12, 2019 3:03 pm

leolam wrote:
Sat Jan 12, 2019 3:43 am
> Do you not understand the implications of having the web server have write access to all files in the document root should there be some type of privilege escalation compromise? Or don't people care about that anymore?
> shows YOU have not a bit understanding about permissions and yes I do have this understanding. So start learning proper Unix and read about permissions as outlined here https://docs.joomla.org/How_do_UNIX_fil ... ns_work%3F and guess where you end up? Right: files=644 and folders=755 Why think that all your permissions are in "RED" in the FPA? Right...because they are wrong.
>
> You do not update Joomla and extensions through ftp or sftp. You use the update mechanism as provided in Joomla. If that does not work you need to disable all ftp settings in your global configuration to start with. On a fcgi box you do not enable ftp. (being enabled is an assumption and I could be wrong)

You are not understanding the problem. How about you stop being the smart guy and assuming everyone else is stupid? Read my comments again. Don't assume everyone is a newbie. Don't assume I don't know how basic unix permissions work. I never said joomla and extensions were updated via sftp or ftp.

I get that you're the self-imposed big guy around here, but you look ignorant when you don't (or can't understand) answer the questions. You should be ashamed for talking to people in that way, especially as a so-called expert in a leadership position.

The problem is that files with 644 permissions can't be changed by anyone other than the user for which the web server is running. In my case, it's "apache". I don't want apache to have ownership of all files for two reasons:
  • During a privilege escalation attack, an apache vulnerability could lead to the website being defaced or modified
  • Any remote access through ftp or sftp must also maintain the same UID as apache
If you need a primer on what a privilege escalation attack is, haven't ever heard of shellshock or any of the countless other vulnerabilities that lead to compromise, you can read about one here:
https://security.stackexchange.com/ques ... ll-to-root

This means that it must also be the same user that's used to run the web server as is used to transfer files to the document root.

That's what I thought SuExecUserGroup was used for, but apparently not. The subject of my post was regarding SuExecUserGroup, but you haven't once, since this was posted more than a week ago, addressed my actual question.

Can you explain why, when using SuExecUserGroup, files are still created and modified to "apache" ownership instead of the user specified:

Code: Select all

SuExecUserGroup ftpuser ftpuser

If you can't answer civilly, please don't answer at all. If I'm wrong, explain the proper way. If you just make everything run as the apache user and don't otherwise bother about security, then explain that.

Webdongle
Joomla! Master
Posts: 44018
Joined: Sat Apr 05, 2008 9:58 pm

Post by Webdongle » Sat Jan 12, 2019 4:07 pm

The fpa reports 'PHP API: fpm-fcgi' but from what you are saying it is acting like the Apache handler? Please take note of what Leo says because he is often correct in these matters.

You could try enabling the ftp layer in Joomla's Global config?
Please read the full documentation.
https://docs.joomla.org/Why_can%27t_you ... rom_ianmac
> At the heart of the issue is file ownership. There are generally two main server users that end up owning your files - the FTP user, and the Apache/PHP user. Obviously, when you upload files using FTP, the FTP user ends up owning them. Therefore, if you give a file 755 permissions, then ONLY the FTP user can write to that file.
>
> If you install Joomla! without the FTP layer, then the files it creates are owned by the Apache/PHP user. If you give the file 755 permissions, then ONLY the Apache/PHP user can write to that file....
>
> So there are generally two approaches to take:
>
>   • upload all the files via cpanel. This will generally result in all of the files being owned by the Apache/PHP user. Ensure that the root directory that all of your Joomla! files are installed in is writable, so that the installer can create the configuration.php file. Then, install Joomla! WITHOUT the FTP layer.
>   • upload all the files using FTP. This will generally result in all of the files being owned by the FTP user. Make sure that your Joomla! root directory is writable, again, so that the installer can create the configuration.php file. Then install Joomla! WITH the FTP layer.

But cgi (is considered by many to be more secure) https://docs.joomla.org/Should_PHP_run_ ... _module%3F

> CGI Mode on the other hand, is more secure because the server now manages and controls access to the binaries. PHP can now run as your own user rather than the generic Apache user. This means you can put your database passwords in a file readable only by you and your php scripts can still access it! The "Group" and "Other" permissions (refer Where can you learn more about file permissions?) can now be more restrictive. CGI mode is also claimed to be more flexible in many respects as you should now not see, with phpSuExec (refer Permissions under phpSuExec) issues with file ownership being taken over by the Apache user, therefore you should no longer have problems under FTP when trying to access or modify files that have been uploaded through a PHP interface, such as Joomla! upload options.

Bottom line
IF
you are having ownership issues .AND. need to ask
THEN
you probably don't understand server setup as well as you think you do .AND. you either need to employ someone who understands better than you .OR. use a managed server
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

Post by leolam » Sat Jan 12, 2019 4:27 pm

ggossamer wrote:
Sat Jan 12, 2019 3:03 pm
> How about you stop being the smart guy and assuming everyone else is stupid?

I never tell anybody that they are stupid in a public forum though in PMB I could tell you a different story. Once again you do not read properly the messages I posted and you have an ownership issue as explained...

Now you have been so kind in your reply so I am out now for sure. Are you always that sad and rude when requesting support? Do not answer..... you won't get a further reply from me

Leo 8)

Post by ggossamer » Sat Jan 12, 2019 4:33 pm

:)
Last edited by ggossamer on Sat Jan 12, 2019 4:42 pm, edited 1 time in total.

Post by ggossamer » Sat Jan 12, 2019 4:36 pm

accidentally hit "quote" instead of edit
Last edited by ggossamer on Sat Jan 12, 2019 4:42 pm, edited 1 time in total.

Post by ggossamer » Sat Jan 12, 2019 4:37 pm

Webdongle wrote:
Sat Jan 12, 2019 4:07 pm
> The fpa reports 'PHP API: fpm-fcgi' but from what you are saying it is acting like the Apache handler? Please take note of what Leo says because he is often correct in these matters.

Yes, I have not used fpm-fcgi before, but that was never discussed in his comments.

> Bottom line
> IF
> you are having ownership issues .AND. need to ask
> THEN
> you probably don't understand server setup as well as you think you do .AND. you either need to employ someone who understands better than you .OR. use a managed server

Bottom line is that I'm posting in the joomla forum because this is a joomla issue, and I'm not a joomla expert.

Had any of you who read my initial post read it more closely, you would have seen this is exactly the information I was asking for in the first place.

Wasn't joomla supposed to be a friendly, inviting community? Or one that boosts people's egos into thinking they're the big man in town?

Who's the expert if I posted everything he requested and he was unable to fix the problem or point me to the proper documentation?

Post by leolam » Sun Jan 13, 2019 5:50 am

Ok I am going to give it one more try.
1. It is a server ownership and permission issue and not a Joomla issue as you have mentioned above
2. You have misconfigured your server.
3. I strongly advise to upgrade cPanel to latest version which runs EasyApache4. EasyApache 3 is discontinued/deprecated as of 31st December 2018

> cPanel & WHM no longer develops EasyApache 3 and only releases security updates for it. We will deprecate EasyApache 3 on December 31, 2018. After that date, we will no longer update EasyApache 3. In cPanel & WHM version 78, we will remove support for EasyApache 3. For more information, read our cPanel Long-Term Support documentation. If you do not upgrade to EasyApache 4, you cannot upgrade to cPanel & WHM version 78. We strongly recommend that you upgrade to EasyApache 4. For more information, read our EasyApache 4 documentation.

(https://documentation.cpanel.net/display/EA/EasyApache)
4. In EA4 you have no longer the opportunity to screw up your suExec and fcgi
5. Change the PHP-handler to suPHP and disable Apache suEXEC which only pertains to PHP that CGI handles (https://documentation.cpanel.net/displa ... achesuEXEC) see also https://documentation.cpanel.net/displa ... suphpsuPHP . PHP Suexec is totally different from Apache suexec. Disable the latter to create a stable environment Also review https://documentation.cpanel.net/displa ... achesuEXEC (I do not invent the correct permissions)
6. If you change to suPHP which is more secure and runs pretty nice with PHP FPM enabled (Available in EasyApache4) The user will always (!) own the files and folders and the permissions will be 644 for files and 755 for folders (This is a suPHP directive and fully supported by cPanel). With suPHP, the PHP scripts are going to run always as the user so the "nobody" group ownership is not set.

so shortcut: Update to latest cPanel. Change handler to suPHP (fcgi uses the full memory at all times). Run PHP FPM, Chown and CHMOD as given above to correct current state and all files and folders will always be created as user with the correct permissions

Cheers and yes I am smart indeed. Thanks for the compliment

Leo 8)

Post by ggossamer » Sun Jan 13, 2019 4:31 pm

Leo, first, I appreciate your help. However, you make several assumptions. Let me explain.

leolam wrote:
Sun Jan 13, 2019 5:50 am
> Ok I am going to give it one more try.
> 1. It is a server ownership and permission issue and not a Joomla issue as you have mentioned above

As I wrote in my first post, I understood the correct permissions were 644 for files and 755 for directories. The report I submitted was an oversight during testing only.

> 2. You have misconfigured your server.

Yes, I agree. I also explained it's been some time since I've configured apache for such functions, and much has changed since. I don't understand the relationship between all the different modules - phpSuExec, fcgid, php-fpm, etc.

> 3. I strongly advise to upgrade cPanel

I'm not using cpanel. I never said anything about cpanel. I am hosting this on our own systems. I am a Linux admin, but haven't configured something that required this type of control since apache-2.0 or perhaps even 1.3. Obviously many of the methods have changed. I explained much of this in my initial post.

> 5. Change the PHP-handler to suPHP and disable Apache suEXEC which only pertains to PHP that CGI handles
> PHP Suexec is totally different from Apache suexec. Disable the latter to create a stable environment Also review https://documentation.cpanel.net/displa ... achesuEXEC

Does this mean removing php7_module from being loaded?
Do you have a cpanel virtual host config you could paste here?

> so shortcut: Update to latest cPanel. Change handler to suPHP (fcgi uses the full memory at all times). Run PHP FPM, Chown and CHMOD as given above to correct current state and all files and folders will always be created as user with the correct permissions

  • My "Server API" is "FPM/FastCGI". Is that correct? I've included my fcgid config below.
  • Do I need to implement the Joomla FTP layer? Is that how joomla performs updates, like extension updates?
  • How does Joomla have the ability to write to its own directories, like cache, and other directories when updating extensions?
Where do I actually configure the username(s) that should be permitted to write to the document root?

Do you have other resources (links, documentation, etc) that explain how to configure phpsuexec specifically as it relates to joomla?

Here is my current fcgid.conf. This is still testing only. Some of these values were configured high because our finder tables are >6GB and was otherwise timing out or having memory issues.

Code: Select all

AddHandler fcgid-script fcg fcgi fpl php
FcgidIPCDir /run/mod_fcgid
FcgidProcessTableFile /run/mod_fcgid/fcgid_shm
FcgidMaxRequestLen 1073741824
FcgidOutputBufferSize 1073741824
FcgidMaxRequestsPerProcess 500
FcgidMaxProcesses 300
FcgidFixPathinfo 1
FcgidIdleScanInterval 15
FcgidBusyTimeout 280
FcgidBusyScanInterval 30
FcgidErrorScanInterval 3
FcgidZombieScanInterval 3
FcgidMinProcessesPerClass  0
FcgidIdleTimeout 6000
FcgidProcessLifeTime 6000
FcgidConnectTimeout 6000
FcgidIOTimeout 6000

Here is my php-fpm config:

Code: Select all

[www]
user = apache
group = apache
listen = /run/php-fpm/www.sock
listen.acl_users = apache,nginx
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
access.log = /var/log/php-fpm/$pool.access.log
access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
slowlog = /var/log/php-fpm/www-slow.log
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path]    = /var/lib/php/session
php_value[soap.wsdl_cache_dir]  = /var/lib/php/wsdlcache

Here is my current apache config. What more am I missing? ("example" in place of my real hostname)

Code: Select all

Listen 64.1.15.4:80
Listen 64.1.15.4:443
ExtendedStatus on
<VirtualHost 64.1.15.4:80>
  ServerName webstage.example.com
  ServerAdmin [email protected]
  Redirect / https://webstage.example.com/
</VirtualHost>

<VirtualHost 64.1.15.4:443>
  ServerName webstage.example.com
  ServerAdmin [email protected]
  DocumentRoot /var/www/webstage.example.com-443/html/
  ScriptAlias /cgi-bin/ /var/www/webstage.example.com-443/cgi-bin/
  ErrorLog /var/www/webstage.example.com-443/logs/error_log
  CustomLog /var/www/webstage.example.com-443/logs/access_log timing
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %T/%D %I/%O/%B %v" timing
  HostnameLookups off
  KeepAliveTimeout 600
  Timeout 600
  ProxyTimeout 600
  <IfModule dir_module.c>
      DirectoryIndex index.html index.php index.pl
      Options +Indexes
      IndexOptions FancyIndexing NameWidth=*
  </IfModule>
  LogLevel notice
  SecStatusEngine On
  <Directory "/var/www/webstage.example.com-443/html">
    <RequireAny>
        Require all granted
    </RequireAny>
    AllowOverride all
    AddHandler fcgid-script .php
    Options +FollowSymLinks +Includes +ExecCGI
    DirectoryIndex index.html index.php
    <FilesMatch \.php$>
      SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost/"
    </FilesMatch>
    FCGIWrapper /var/www/php-fcgi-scripts/example/php-fcgi-starter .php
  </Directory>
  <Directory "/var/www/webstage.example.com-443/cgi-bin">
    Options +ExecCGI
  </Directory>
  SSLEngine on
  Header always set Strict-Transport-Security "max-age=15768000"
  SSLCertificateKeyFile /etc/letsencrypt/privkey.pem
  SSLCertificateFile /etc/letsencrypt/cert.pem
  SSLCertificateChainFile /etc/letsencrypt/fullchain.pem
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
   <IfModule mod_mime.c>
	AddType application/x-javascript .js
	AddType text/css .css
   </IfModule>
   <IfModule mod_deflate.c>
	AddOutputFilterByType DEFLATE text/css application/x-javascript text/x-component text/html text/plain text/xml application/javascript
	<IfModule mod_setenvif.c>
		BrowserMatch ^Mozilla/4 gzip-only-text/html
		BrowserMatch ^Mozilla/4.0[678] no-gzip
		BrowserMatch bMSIE !no-gzip !gzip-only-text/html
	</IfModule>
    </IfModule>
    Header append Vary User-Agent env=!dont-vary
</VirtualHost>
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

> Cheers and yes I am smart indeed. Thanks for the compliment

Don't ASSume. And read what I wrote more closely.

Post by ggossamer » Sun Jan 13, 2019 8:43 pm

I've done some more research and believe I have a better idea of what's going on. The existing documentation was obviously written by technical people without a full understanding of what they're doing or why it needs to be done, because the explanations are very poor. Much of the documentation is extremely outdated and conflicts with other general information on the same topic.

Would someone confirm for me that these are all PHP process managers, to enable apache to run CGI scripts using PHP:
  • mod_php
  • mod_fcgid
  • mod_proxy_fcgi
  • mod_fastcgi
  • suEXEC
  • phpsuExec
  • mod_suexec
  • SuExecUserGroup (part of mod_suexec)
  • suPHP (seems to be outdated now; php-fpm appears much better)
  • php-fpm (works with mod_fcgid?)
php-fpm seems to be the best option for me because this is a busy site. It does appear there can only be one FTP user under this system, however, so each virtual host could conceivably be modified by the FTP user. This isn't a hosting environment, so it's okay.

Changing the user and group in my /etc/php-fpm.d/www.conf to the FTP user from 'apache' appears to have fixed the problem. Would someone help me confirm that is correct? This is my new www.conf:

Code: Select all

# cat www.conf |grep -vE '^$|^;|^ $'
[www]
user = ftpuser
group = ftpuser
listen = /run/php-fpm/www.sock
listen.acl_users = apache,nginx
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
access.log = /var/log/php-fpm/$pool.access.log
access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
slowlog = /var/log/php-fpm/www-slow.log
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path]    = /var/lib/php/session
php_value[soap.wsdl_cache_dir]  = /var/lib/php/wsdlcache

This article seems to indicate it's possible to use php-fpm OR mod_fcgid.
https://www.virtualmin.com/node/52625

Here's a good article describing how to use php-fpm with mod_proxy_fcgi, but doesn't discuss ownership:
https://wiki.apache.org/httpd/PHP-FPM

This apache doc says mod_fcgid is an alternative to mod_cgi or mod_cgid, but it's also apparently an alternative to the others I've listed above as well.
https://httpd.apache.org/mod_fcgid/
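
Added example, not part of the original thread and not Joomla or php-fpm code: switching the pool's `user`/`group` from `apache` to `ftpuser` changes which paths PHP itself can modify, and this script lists them for a given pool identity so the change can be checked against the 644/755 layout discussed above. It assumes plain owner/group/other mode bits (no ACLs, no SELinux policy); the pool name `webstage` and all function names are hypothetical.

```python
import os
import stat
import sys

# Constructed sample. [www] and the two identities come from the thread's
# www.conf; the second pool name "webstage" is hypothetical.
SAMPLE_POOLS = """\
[www]
user = apache
group = apache
[webstage]
user = ftpuser
group = ftpuser
"""


def pool_identities(conf_text):
    """Map each [pool] in php-fpm pool config text to its (user, group)."""
    pools, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or php-fpm comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            pools[current] = {"user": None, "group": None}
        elif current and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ("user", "group"):
                pools[current][key] = value
    return {name: (v["user"], v["group"]) for name, v in pools.items()}


def can_write(st, uid, gids):
    """Owner/group/other write check for one inode (no ACLs, no SELinux)."""
    if uid == 0:
        return True
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_paths(docroot, uid, gids):
    """Paths under docroot, relative and sorted, that uid/gids may modify.

    A writable directory is listed because write access to it allows files
    inside to be replaced or deleted whatever their own mode is.
    """
    gids, hits = set(gids), []
    for base, _dirs, files in os.walk(docroot):
        for path in [base] + [os.path.join(base, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            if can_write(st, uid, gids):
                hits.append(os.path.relpath(path, docroot))
    return sorted(hits)


if __name__ == "__main__":
    import grp
    import pwd
    docroot = sys.argv[1] if len(sys.argv) > 1 else "."
    for pool, (user, group) in pool_identities(SAMPLE_POOLS).items():
        try:  # pass supplementary group ids as well if the account has any
            uid, gid = pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid
        except KeyError:
            print(f"[{pool}] {user}:{group} not present on this host, skipped")
            continue
        paths = writable_paths(docroot, uid, {gid})
        print(f"[{pool}] runs as {user}:{group}, can modify {len(paths)} paths")
```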

Per Yngve Berg
Joomla! Master
Posts: 30806
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Post by Per Yngve Berg » Mon Jan 14, 2019 8:16 am

A separate user for each site is possible with php-fpm. Make an instance for each site on different port i.e. 9000 for the first, 9001 for the second etc.

