
Mailing List Archive: Cherokee: users

Execute as User/Group Issue

 

 



mail at mattaustin

Jun 21, 2009, 12:47 AM

Post #1 of 11 (468 views)
Permalink
Execute as User/Group Issue

This weekend I finished configuring all my many virtual hosts, and
made the switch - turned off apache, and started cherokee on port 80
for the first time :D.

All seems to be going well, but my various PHP/Django/Mono information
sources don't seem to be being run as the user/group I have specified
in the configuration.
I am using Cherokee 0.99.17 on Ubuntu 8.04 LTS with the Cherokee PPA.

Example PHP Interpreter
Connection: /tmp/mysite.co.uk-php.socket
Interpreter: php-cgi -b /tmp/mysite.co.uk-php.socket -d memory_limit=32M
Execute as User: mysite.co.uk
Execute as Group: mysite.co.uk

When I look at my processes, www-data is running php-cgi?
(The user/group are set up on my system correctly, I was using suexec
on apache).

Any ideas?


Cheers,

--
Matt Austin
http://mattaustin.me.uk/
_______________________________________________
Cherokee mailing list
Cherokee[at]lists.octality.com
http://lists.octality.com/listinfo/cherokee


waspoza at gmail

Jun 21, 2009, 1:26 AM

Post #2 of 11 (456 views)
Permalink
Re: Execute as User/Group Issue [In reply to]

On Sun, Jun 21, 2009 at 9:47 AM, Matt Austin <mail[at]mattaustin.me.uk> wrote:
> All seems to be going well, but my various PHP/Django/Mono information
> sources don't seem to be being run as the user/group I have specified
> in the configuration.
> I am using Cherokee 0.99.17 on Ubuntu 8.04 LTS with the Cherokee PPA.
>
> Example PHP Interpreter
> Connection: /tmp/mysite.co.uk-php.socket
> Interpreter: php-cgi -b /tmp/mysite.co.uk-php.socket -d memory_limit=32M
> Execute as User: mysite.co.uk
> Execute as Group: mysite.co.uk
>
> When I look at my processes, www-data is running php-cgi?
> (The user/group are set up on my system correctly, I was using suexec
> on apache).

I have exactly the same behavior. Only when I run cherokee as root,
fcgi processes change to desired users. Otherwise I'm getting an error
from spawner.c: WARNING: Couldn't unlock spawning semaphore.. and fcgi
is running as www-data.

You can try running cherokee from the command line to see if you have the same error.

My system is Ubuntu 9.04 Server 64bit.


frankgroeneveld at gmail

Jun 21, 2009, 7:23 AM

Post #3 of 11 (453 views)
Permalink
Re: Execute as User/Group Issue [In reply to]

It's not possible to run something as a different user without
entering a password if your program is not running as root. Therefore,
this behaviour seems only logical to me.

Regards,

Frank Groeneveld



2009/6/21 Piotr Waskiewicz <waspoza[at]gmail.com>:
> On Sun, Jun 21, 2009 at 9:47 AM, Matt Austin <mail[at]mattaustin.me.uk> wrote:
>> All seems to be going well, but my various PHP/Django/Mono information
>> sources don't seem to be being run as the user/group I have specified
>> in the configuration.
>> I am using Cherokee 0.99.17 on Ubuntu 8.04 LTS with the Cherokee PPA.
>>
>> Example PHP Interpreter
>> Connection: /tmp/mysite.co.uk-php.socket
>> Interpreter: php-cgi -b /tmp/mysite.co.uk-php.socket -d memory_limit=32M
>> Execute as User: mysite.co.uk
>> Execute as Group: mysite.co.uk
>>
>> When I look at my processes, www-data is running php-cgi?
>> (The user/group are set up on my system correctly, I was using suexec
>> on apache).
>
> I have exactly the same behavior. Only when I run cherokee as root,
> fcgi processes change to desired users. Otherwise I'm getting an error
> from spawner.c: WARNING: Couldn't unlock spawning semaphore.. and fcgi
> is running as www-data.
>
> You can try running cherokee from the command line to see if you have the same error.
>
> My system is Ubuntu 9.04 Server 64bit.


waspoza at gmail

Jun 21, 2009, 10:03 AM

Post #4 of 11 (453 views)
Permalink
Re: Execute as User/Group Issue [In reply to]

On Sun, Jun 21, 2009 at 4:23 PM, Frank
Groeneveld<frankgroeneveld[at]gmail.com> wrote:
> It's not possible to run something as a different user without
> entering a password if your program is not running as root. Therefore,
> this behaviour seems only logical to me.

Apparently it is possible. Check this thread:
http://groups.google.com/group/cherokee-http/browse_thread/thread/94682458c685f8e2/eabd5c4e869ed772

Except it's not working for some people for an unknown reason. :(


jpeddicord at ubuntu

Jun 21, 2009, 10:10 AM

Post #5 of 11 (453 views)
Permalink
Re: Execute as User/Group Issue [In reply to]

On Sun, Jun 21, 2009 at 10:23 AM, Frank
Groeneveld<frankgroeneveld[at]gmail.com> wrote:
> It's not possible to run something as a different user without
> entering a password if your program is not running as root. Therefore,
> this behaviour seems only logical to me.

It used to work. The www-data worker processes would talk to the main
(root) process and it would spawn the interpreters. However, they are
all still launching as www-data. My guess is that the shared memory is
failing and Cherokee is falling back to the old style of execution.
Only problem is that I haven't seen any errors come up from this.

--
Jacob Peddicord
http://jacob.peddicord.net/


waspoza at gmail

Jun 21, 2009, 10:32 AM

Post #6 of 11 (453 views)
Permalink
Re: Execute as User/Group Issue [In reply to]

On Sun, Jun 21, 2009 at 7:10 PM, Jacob Peddicord<jpeddicord[at]ubuntu.com> wrote:
> It used to work. The www-data worker processes would talk to the main
> (root) process and it would spawn the interpreters. However, they are
> all still launching as www-data. My guess is that the shared memory is
> failing and Cherokee is falling back to the old style of execution.
> Only problem is that I haven't seen any errors come up from this.

It fails exactly in this spot:

spawner.c line 242:
    /* Wake up the spawning thread
     */
    ret = sem_signal (cherokee_spawn_sem);
    if (unlikely (ret != ret_ok)) {
        PRINT_ERROR_S ("WARNING: Couldn't unlock spawning semaphore..\n");
    }


Function sem_signal is not returning ret_ok, but I have no idea why and
how to fix it. :(

I can try to debug it, if someone tells me what I need to do.


jpeddicord at ubuntu

Jun 21, 2009, 10:52 AM

Post #7 of 11 (453 views)
Permalink
Re: Execute as User/Group Issue [In reply to]

On Sun, Jun 21, 2009 at 1:32 PM, Piotr Waskiewicz<waspoza[at]gmail.com> wrote:
> It fails exactly in this spot:
>
> spawner.c line 242:
> /* Wake up the spawning thread
>  */
> ret = sem_signal (cherokee_spawn_sem);
> if (unlikely (ret != ret_ok)) {
>    PRINT_ERROR_S ("WARNING: Couldn't unlock spawning semaphore..\n");
> }
>
>
> Function sem_signal is not returning ret_ok, but I have no idea why and
> how to fix it. :(

It could have to do with changes in 3304, switching from POSIX to SysV
semaphores:
http://svn.cherokee-project.com/changeset/3304

That's the only big change I noticed with the spawning code.

--
Jacob Peddicord
http://jacob.peddicord.net/


mail at mattaustin

Jun 21, 2009, 7:03 PM

Post #8 of 11 (452 views)
Permalink
Re: Execute as User/Group Issue [In reply to]

On Sun, Jun 21, 2009 at 10:23 PM, Frank
Groeneveld<frankgroeneveld[at]gmail.com> wrote:
> It's not possible to run something as a different user without
> entering a password if your program is not running as root. Therefore,
> this behaviour seems only logical to me.

But if this had to be the case, then static files would be served by a
Cherokee process running as root - which seems to me to be quite
dangerous (potentially serving up any file on your machine).

I'm not a programmer, but if the other guys can identify the issue and
have www-data communicate to the main cherokee process to spawn the
interpreter as a given user, that would be the best solution.

Cheers,

--
Matt Austin
mail[at]mattaustin.me.uk


stefan at konink

Jun 22, 2009, 12:00 AM

Post #9 of 11 (452 views)
Permalink
Re: Execute as User/Group Issue [In reply to]

Matt Austin wrote:
> On Sun, Jun 21, 2009 at 10:23 PM, Frank
> Groeneveld<frankgroeneveld[at]gmail.com> wrote:
>> It's not possible to run something as a different user without
>> entering a password if your program is not running as root. Therefore,
>> this behaviour seems only logical to me.
>
> But if this had to be the case, then static files would be served by a
> Cherokee process running as root - which seems to me to be quite
> dangerous (potentially serving up any file on your machine).

Any file that is in your documentroot... your normal user will face the
same problem for every world readable file :) [so chroot is an option]


> I'm not a programmer, but if the other guys can identify the issue and
> have www-data communicate to the main cherokee process to spawn the
> interpreter as a given user, that would be the best solution.

That would still require the main process /cherokee/ to run as root,
while /cherokee-worker/ is www-data.


Stefan


alvaro at alobbs

Jun 22, 2009, 2:49 AM

Post #10 of 11 (451 views)
Permalink
Re: Execute as User/Group Issue [In reply to]

On 21-jun-09, at 19:10, Jacob Peddicord wrote:
> On Sun, Jun 21, 2009 at 10:23 AM, Frank
> Groeneveld<frankgroeneveld[at]gmail.com> wrote:
>> It's not possible to run something as a different user without
>> entering a password if your program is not running as root. Therefore,
>> this behaviour seems only logical to me.
>
> It used to work. The www-data worker processes would talk to the main
> (root) process and it would spawn the interpreters. However, they are
> all still launching as www-data. My guess is that the shared memory is
> failing and Cherokee is falling back to the old style of execution.
> Only problem is that I haven't seen any errors come up from this.


This issue is fixed now:

http://svn.cherokee-project.com/changeset/3366

The patch will be shipped in Cherokee 0.99.18 within the next few hours.
Thank you guys for finding and reporting the problem!

--
Octality
http://www.octality.com/



waspoza at gmail

Jun 22, 2009, 7:28 AM

Post #11 of 11 (451 views)
Permalink
Re: Execute as User/Group Issue [In reply to]

On Mon, Jun 22, 2009 at 11:49 AM, Alvaro Lopez Ortega<alvaro[at]alobbs.com> wrote:
>
> This issue is fixed now:
>
>   http://svn.cherokee-project.com/changeset/3366
>
> The patch will be shipped in Cherokee 0.99.18 within the next few hours.
> Thank you guys for finding and reporting the problem!

That did it!

root[at]orion:~# soft/cherokee/sbin/cherokee
Cherokee Web Server 0.99.18 (Jun 22 2009): Listening on ports ALL:80,
ALL:443(TLS), with TLS support via libssl, IPv6 enabled, using epoll, 1024
fds system limit, max. 505 connections, caching I/O, 10 threads, 50
connections per thread, standard scheduling policy
PID 20599: launched '/bin/sh -c exec /usr/bin/php-cgi -b
/tmp/cherokee-php-ovh.socket' with uid=1001, gid=1001

root[at]orion:/home# pstree -uA 20409
cherokee-+-cherokee-worker(www-data)---9*[{cherokee-worker}]
         |-php-cgi(ovh)---3*[php-cgi]
         `-{cherokee}

Thanks a bunch! It's working perfectly now, it's an amazing piece of software. :)
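
Added example, not part of the thread or of Cherokee's code: a check that each information source's interpreter really runs under its configured "Execute as User/Group", since the failure reported above left interpreters running as www-data. The socket-to-identity mapping, the second site and the `ps` sample are constructed for illustration.

```python
import subprocess

# Constructed expectations: interpreter socket -> (user, group), mirroring the
# "Execute as User" / "Execute as Group" fields of each information source.
EXPECTED = {
    "/tmp/mysite.co.uk-php.socket": ("mysite.co.uk", "mysite.co.uk"),
    "/tmp/othersite-php.socket": ("othersite", "othersite"),
}

# Constructed sample of `ps -eo user:32,group:32,args` output showing the
# failure mode from the thread: one interpreter still runs as www-data.
SAMPLE_PS = """\
USER      GROUP     COMMAND
root      root      /usr/sbin/cherokee
www-data  www-data  /usr/sbin/cherokee-worker
www-data  www-data  php-cgi -b /tmp/mysite.co.uk-php.socket -d memory_limit=32M
othersite othersite php-cgi -b /tmp/othersite-php.socket
"""

def parse_ps(text):
    """Yield (user, group, argv) for each process line, skipping the header."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 3:
            yield fields[0], fields[1], fields[2:]

def audit(ps_text, expected):
    """Return {socket: status}; status is 'ok', 'not-running' or a mismatch."""
    results = {sock: "not-running" for sock in expected}
    for user, group, argv in parse_ps(ps_text):
        for sock, want in expected.items():
            if sock not in argv:
                continue
            if (user, group) == want:
                # Keep an earlier mismatch: one bad process fails the source.
                if results[sock] == "not-running":
                    results[sock] = "ok"
            else:
                results[sock] = f"runs as {user}:{group}, expected {want[0]}:{want[1]}"
    return results

def live_ps():
    """Process table of the running system (procps `ps`)."""
    return subprocess.run(["ps", "-eo", "user:32,group:32,args"],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for sock, status in audit(SAMPLE_PS, EXPECTED).items():
        print(f"{sock}: {status}")
```

Pass `live_ps()` instead of `SAMPLE_PS` to audit a running host; the 32-character column width keeps `ps` from substituting numeric IDs for long user names such as `mysite.co.uk`.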
