
Mailing List Archive: Cherokee: users

fastcgi as non root owner fails

 

 



rarvind at users

Sep 25, 2009, 10:23 AM

Post #1 of 10 (854 views)
Permalink
fastcgi as non root owner fails

Hello,


If I set the server permissions as a non-root user, the worker process
gets spawned as that user, but fastcgi fails to work. Nothing gets
appended to the log.

For PHP, the server just exits.
For Mono, it shows a huge ton of errors.

Running it as root makes all the processes (fastcgi etc.) run as a
root-owned process. Is this not insecure?
Can somebody please help?

thanks
Arvind
_______________________________________________
Cherokee mailing list
Cherokee [at] lists
http://lists.octality.com/listinfo/cherokee


jorge.sarmiento at gmail

Sep 25, 2009, 8:21 PM

Post #2 of 10 (819 views)
Permalink
Re: fastcgi as non root owner fails [In reply to]

Try this: check the permissions on:

/tmp/cherokee-php.socket

"chown" it to the user used to run cherokee.

Jorge S.





stefan at konink

Sep 25, 2009, 8:41 PM

Post #3 of 10 (821 views)
Permalink
Re: fastcgi as non root owner fails [In reply to]


Jorge Sarmiento wrote:
> Try this: check the permissions on:
>
> /tmp/cherokee-php.socket
>
> "chown" it to the user used to run cherokee.

or the easy 'just delete'.


Stefan


rarvind at users

Sep 26, 2009, 8:42 AM

Post #4 of 10 (821 views)
Permalink
Re: fastcgi as non root owner fails [In reply to]

Hello,


> From: Jorge Sarmiento <jorge.sarmiento [at] gmail>
> To: Arvind Rangan <rarvind [at] users>
> Cc: cherokee [at] lists
> Sent: Friday, 25 September, 2009 9:21:52 PM
> Subject: Re: [Cherokee] fastcgi as non root owner fails

> Try this: check the permissions on:

> /tmp/cherokee-php.socket

> "chown" it to the user used to run cherokee.

I don't see any such file other than
cherokee-admin-scgi.socket=



thanks
Arvind


jorge.sarmiento at gmail

Sep 26, 2009, 5:49 PM

Post #5 of 10 (815 views)
Permalink
Re: fastcgi as non root owner fails [In reply to]

If php-fcgi is using sockets there should be a cherokee-php.socket somewhere
- the default cherokee configuration for php is locating the socket in
/tmp/.

Check your handlers in cherokee-admin for the location of this file.

Jorge S.



rarvind at users

Sep 26, 2009, 6:24 PM

Post #6 of 10 (808 views)
Permalink
Re: fastcgi as non root owner fails [In reply to]

> If php-fcgi is using sockets there should be a cherokee-php.socket
> somewhere - the default cherokee configuration for php is locating the
> socket in /tmp/.
> Check your handlers in cherokee-admin for the location of this file.
> Jorge S.


I am not using sockets. I am using a host:port method.

I run mono and php through fastcgi on my server, and as of now,
everything runs as root. I cannot find another way to circumvent this
problem.


Arvind


jorge.sarmiento at gmail

Sep 27, 2009, 12:15 AM

Post #7 of 10 (806 views)
Permalink
Re: fastcgi as non root owner fails [In reply to]

# whereis php-cgi
# ls -la /usr/bin/php-cgi (or location shown by previous command)
should be something like:
-rwxr-xr-x

if not, change permissions.

Jorge S.



rarvind at users

Sep 27, 2009, 8:42 AM

Post #8 of 10 (807 views)
Permalink
Re: fastcgi as non root owner fails [In reply to]

Hello,

># whereis php-cgi
># ls -la /usr/bin/php-cgi (or location shown by previous command)
>should be something like:
>-rwxr-xr-x
>if not, change permissions.

>Jorge S.

On my desktop system (archlinux) this is what I see:
$ ls -l /usr/bin/php-cgi
-rwxr-xr-x 1 root root 6548492 2009-09-16 05:57 /usr/bin/php-cgi


And on the bsd box, which is my server, I see this:
$ ls -l /usr/local/bin/php-cgi
-rwxr-xr-x 1 root wheel 2407164 Sep 24 16:40 /usr/local/bin/php-cgi


Also to just let you know, that mono also suffers the same fate. If the
worker process does not run as root, nothing works.

thanks
Arvind




stefan at konink

Sep 27, 2009, 8:43 AM

Post #9 of 10 (808 views)
Permalink
Re: fastcgi as non root owner fails [In reply to]


Arvind Rangan wrote:
> Also to just let you know, that mono also suffers the same fate. If the
> worker process does not run as root, nothing works.

Just remove the temporary socket so it can be recreated by the user you
start as.

Stefan
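
Added example (not part of the thread and not Cherokee code): a POSIX shell check for the case raised in the replies above, where a FastCGI Unix socket path left behind by one user blocks a backend started as another. The helper name `check_fcgi_socket` and the sample user `www` are assumptions; `/tmp/cherokee-php.socket` is the path named in the thread.

```shell
#!/bin/sh
# Added example, not Cherokee code. Reports whether a FastCGI Unix socket
# path can be used by the unprivileged user the worker runs as.
# check_fcgi_socket is a hypothetical helper name.

check_fcgi_socket() {
    sock=$1   # e.g. /tmp/cherokee-php.socket (path named in the thread)
    want=$2   # user the server drops to, e.g. www (assumed)

    if [ ! -e "$sock" ] && [ ! -L "$sock" ]; then
        # Nothing stale to trip over; the spawned backend creates it.
        echo "missing"
        return 0
    fi
    if [ ! -S "$sock" ]; then
        # A regular file or dangling symlink at the socket path is never expected.
        echo "not-a-socket"
        return 2
    fi
    # ls -ld is used instead of stat(1) because stat's flags differ
    # between Linux and the BSDs; field 3 is the owner name.
    owner=$(ls -ld -- "$sock" | awk '{print $3}')
    if [ "$owner" = "$want" ]; then
        echo "ok"
        return 0
    fi
    # Typical leftover from an earlier run as root: the new user can
    # neither bind over it nor unlink it in a sticky /tmp.
    echo "owned-by:$owner"
    return 1
}

# Run the check only when two arguments are given, so sourcing has no side effects.
if [ "$#" -eq 2 ]; then
    check_fcgi_socket "$1" "$2"
fi
```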


rarvind at users

Sep 27, 2009, 8:59 AM

Post #10 of 10 (806 views)
Permalink
Re: fastcgi as non root owner fails [In reply to]

hello,

> Just remove the temporary socket so it can be recreated by the user you
> start as.

Currently my cherokee is running on the bsd server and these are the
socket files in my /tmp

srwxr-xr-x 1 root wheel 0 Sep 25 14:10 cherokee-admin-scgi.socket=
srwxrwxrwx 1 mysql wheel 0 Sep 26 09:46 mysql.sock=

Just now I tried using www as my user for the worker process, and the moment
I opened a php file the server exited. I could see it on the console.
Here is the output.
sudo /usr/local/etc/rc.d/cherokee start
Starting cherokee.
[arvind [at] shiv /var/run]$ Cherokee Web Server 0.99.24 (Sep 24 2009):
Listening on port ALL:80, TLS
disabled, IPv6 disabled, using poll, 3520 fds system limit, max. 1753
connections, caching I/O, 5 threads, 350 connections per thread, standard
scheduling policy
PID 71666: launched '/bin/sh -c exec /usr/local/bin/php-cgi -b
localhost:47990' with uid=80, gid=80, env=custom
PID 71667: launched '/bin/sh -c exec /usr/local/bin/php-cgi -b
localhost:47990' with uid=80, gid=80, env=custom
Server is exiting..
PID 71667: exited re=0
PID 71666: exited re=0
PID 71665: exited re=0


Arvind
