 

Unable to make suexec work with mod_fastcgi

Tags: apache

I successfully managed to make mod_fastcgi work with fpm, which enables me to set the user:group running the scripts via the fpm pool definitions. However, there is no similar alternative for, say, a python script run through mod_fastcgi, so I'm trying to learn how to use suexec to run whatever script through mod_fastcgi with the user:group I choose.

I'm starting from this working configuration:

    # /etc/apache2/sites-available/test1
    <VirtualHost *:80>
        ServerName test1.slothcompany.net
        DocumentRoot /var/www/test1

        LogLevel Debug
        ErrorLog /var/www/test1/error.log

        <Directory /var/www/test1/>
            Options Indexes Includes FollowSymLinks ExecCGI
            AllowOverride All
            DirectoryIndex index.php
            AddHandler php5-fastcgi .php
            Action php5-fastcgi /php5.fcgi
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>

    # /var/www/test1/php5.fcgi
    #!/bin/bash
    PHPRC="/var/www/test1/php.ini"
    PHP_FCGI_CHILDREN=5
    export PHPRC
    export PHP_FCGI_CHILDREN
    exec /usr/bin/php5-cgi

I put a phpInfo() inside /var/www/test1/index.php, which shows the correct php.ini path.

Now, to activate suexec I:

  • Installed apache2-suexec: sudo apt-get install apache2-suexec
  • Activated mod_suexec: sudo a2enmod suexec
  • Changed files' permissions: sudo chown -R michele:michele /var/www/test1
  • Added this line to the vhost configuration: SuexecUserGroup michele michele
  • Reactivated the site and restarted apache: sudo a2dissite test1 && sudo a2ensite test1 && sudo service apache2 restart

The user:group michele:michele exists in the system. When running test1.slothcompany.net I see the phpInfo() output exactly as before, and echo exec('whoami'); prints www-data instead of michele.

sudo /usr/lib/apache2/suexec -V tells me that the log file should be in /var/log/apache2/suexec.log, but no such file exists. Then, I know that apache should log the activation of the suexec wrapper in the error.log file, as a notice, but no such notice is found in the error.log either. So, I suspect that for some reason suexec isn't starting at all.

I read here the list of checks suexec does to decide if the call is successful, but I don't know how to check what the results of these checks are. It says they should be written in the suexec log file, but this file is never created, as it seems.

So, what am I doing wrong?

Thank you all so much.

swahnee asked Nov 11 '13 19:11


1 Answer

I finally managed to make it work, with the help of this post. There were two big issues with my first configuration: the first was that I didn't enable suexec to work with fastcgi (this requires editing the fastcgi.conf configuration file); the second was that in my first virtual host I wasn't using fastcgi at all! I got this when I realized that the system worked the same after disabling fastcgi.

However, these are the final steps that worked for me (I tried them inside a Debian virtual machine created just for this):

  1. Install packages (after adding non-free to /etc/apt/sources.list for libapache2-mod-fastcgi):

    sudo apt-get install apache2 libapache2-mod-fastcgi apache2-suexec php5-cgi
    
  2. Add a global fastcgi configuration:

    sudo nano /etc/apache2/conf.d/fastcgi
    
    # /etc/apache2/conf.d/fastcgi
    FastCGIConfig -killInterval 60 -maxClassProcesses 1 -maxProcesses 50 -minProcesses 0 -startDelay 5
    
  3. Enable suexec inside fastcgi configuration (remove the # from the FastCgiWrapper line):

    sudo a2dismod fastcgi
    sudo nano /etc/apache2/mods-available/fastcgi.conf
    
    # /etc/apache2/mods-available/fastcgi.conf
    <IfModule mod_fastcgi.c>
        AddHandler fastcgi-script .fcgi
        FastCgiWrapper /usr/lib/apache2/suexec
        FastCgiIpcDir /var/lib/apache2/fastcgi
    </IfModule>
    
  4. Enable apache modules:

    sudo a2enmod fastcgi suexec actions
    
  5. Create test site files:

    sudo mkdir -p /var/www/vhosts/test
    cd /var/www/vhosts/test
    sudo mkdir cgi-bin etc httpdocs logs
    sudo nano httpdocs/index.php
    
    # /var/www/vhosts/test/httpdocs/index.php
    <?php
    echo exec('whoami');
    phpInfo();
    
    sudo nano cgi-bin/php5.fcgi
    
    # /var/www/vhosts/test/cgi-bin/php5.fcgi
    #!/bin/bash
    export PHPRC=/var/www/vhosts/test/etc
    export PHP_FCGI_CHILDREN=5
    exec /usr/bin/php5-cgi
    
    sudo chmod +x cgi-bin/php5.fcgi
    sudo cp /etc/php5/cgi/php.ini etc/
    sudo chown -R michele:michele .
    
  6. Create apache virtual host:

    sudo nano /etc/apache2/sites-available/test
    
    # /etc/apache2/sites-available/test
    <VirtualHost *:80>
        ServerAdmin [email protected]
        ServerName test.slothcompany.net
    
        LogLevel notice
        ErrorLog /var/www/vhosts/test/logs/error.log
        CustomLog /var/www/vhosts/test/logs/access.log combined
    
        ScriptAlias /php5.fcgi /var/www/vhosts/test/cgi-bin/php5.fcgi
        FastCgiServer /var/www/vhosts/test/cgi-bin/php5.fcgi -processes 1 -user michele -group michele -idle-timeout 310 -flush
        SuexecUserGroup michele michele
    
        DocumentRoot /var/www/vhosts/test/httpdocs
        <Directory /var/www/vhosts/test/httpdocs/>
            Options FollowSymLinks ExecCGI
            AllowOverride All
            Action php5.fcgi /php5.fcgi
            AddHandler php5.fcgi .php
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>
    
    sudo a2ensite test
    
  7. Restart apache:

    sudo service apache2 restart
    
swahnee answered Nov 08 '22 12:11
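
The question asks how to see the results of the checks suexec performs when suexec.log is never written. The script below is an added example, not part of the original posts: it reproduces the file and identity checks from the suexec documentation for one script. The default docroot `/var/www` and minimum id `100` are assumptions; take the real values from `suexec -V`.

```shell
#!/bin/sh
# Added example, not from the original post. DOCROOT/MIN_ID defaults are
# assumptions: confirm the compiled-in values with `suexec -V`.

# Path exists and is not writable by group or other.
not_writable_by_others() {
    [ -e "$1" ] && [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Script carries neither the setuid nor the setgid bit.
no_setid_bits() { [ ! -u "$1" ] && [ ! -g "$1" ]; }

# Path is owned by exactly the user and group named in SuexecUserGroup.
owned_by() {
    [ -n "$(find "$1" -prune -user "$2" -group "$3" 2>/dev/null)" ]
}

# Script's directory, with symlinks resolved, lies under the suexec docroot.
inside_docroot() {
    dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    root=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case "$dir/" in "$root/"*) return 0 ;; *) return 1 ;; esac
}

# Usage: suexec_precheck SCRIPT USER GROUP [DOCROOT] [MIN_ID]
# Prints one FAIL line per check suexec would refuse on; returns the count.
suexec_precheck() {
    script=$1; user=$2; group=$3; docroot=${4:-/var/www}; min=${5:-100}; fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }
    uid=$(id -u "$user" 2>/dev/null) || uid=-1
    gid=$(getent group "$group" 2>/dev/null | cut -d: -f3)
    { [ "$uid" -gt 0 ] && [ "$uid" -ge "$min" ]; } ||
        fail "uid of $user is missing, root, or below $min"
    { [ "${gid:--1}" -gt 0 ] && [ "${gid:--1}" -ge "$min" ]; } ||
        fail "gid of $group is missing, root, or below $min"
    [ -f "$script" ] || fail "$script does not exist"
    inside_docroot "$script" "$docroot" || fail "$script is outside $docroot"
    not_writable_by_others "$(dirname "$script")" || fail "directory is group/other writable"
    not_writable_by_others "$script" || fail "script is group/other writable"
    no_setid_bits "$script" || fail "script is setuid or setgid"
    owned_by "$script" "$user" "$group" || fail "script is not owned by $user:$group"
    return "$fails"
}
```

For the layout in the answer, the call would be `suexec_precheck /var/www/vhosts/test/cgi-bin/php5.fcgi michele michele`; no output and exit status 0 mean none of these checks would make suexec refuse the script.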