Announcement

Collapse
No announcement yet.

Prevent ASL (Atomic secure linux) from Crashing PHP

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Prevent ASL (Atomic secure linux) from Crashing PHP

    Hello,

    On our pre production server we have been running automatic yum updates and last night ASL ( http://www.atomicorp.com/products/asl.html ) updated it self and decided it was a good idea to chmod apache log directory to 700 (originaly 755). This resulted in all fcgid PHP scripts not working any more.

    I contacted their support about this issue and was told it was a known bug but was given the impression that it was a low priority bug (that they have known about for at least 9 months).

    Fr om what I have understood they don think it as important as it only affects hosts running mod_fcgid.

    I asked them for a solution, and the solution they gave me was to change the chmod back whenever I noticed that all PHP scripts on the server had stopped working.

    I see three solutions to get around this problem :

    1) Always run yum update manually and check that PHP is running after each update
    2) Add a chmod command to cPanels post update script
    3) Move the location wh ere fgcid creates its sockets

    The first solution is a pain because important security updates won always be run in a timely manner.
    The second solution seems a bit of an overkill, but should prevent PHP scripts going down for a long period
    The third solution is my prefered one but Im not sure what this would imply exactly and I presume that its not supported at all by cPanel.

    I would be interested to find out if you have run into this problem, if so what work around you have applied to get around this bug, and would be greatfull for any reccomendations (I don think I will get any from their support).

    Im posting this issue on CloudLinuxs forums because on ASLs forums no support has been given and because Ive found that CloudLinux has always provided excelent support even with problems that are not directly to do with their software.

  • #2
    Richard,

    I would recommend going with #3, and putting fcgid.sock into /var/run/httpd (just make sure directory exists). I dont think cPanel will have an issue with that.

    The directive to do that will be either:
    FcgidIPCDir
    or
    SocketPath (i think that is the one apache users).

    On cPanel server it is usually defined as logs/fcgid.sock, change that to /var/run/httpd/fcgid.sock
    Also, not sure if it is defined in httpd.conf -- but if it does -- dont forget to run apache config distiller.

    Comment


    • #3
      Thanks Igor

      I created /var/run/httpd and added to my pre virtualhost include

      FcgidIPCDir /var/run/httpd/fcgid.sock

      I then ran chmod 700 /usr/local/apache/logs/

      And PHP are still running !

      This will prevent issues with ASL setting the chmod of /usr/local/apache/logs to 700, but shoud it be 755 or 700 ?

      Would apache or PHP ever need to be able to read or execute inside /usr/local/apache/logs once the sockets are moved elsewhere ?

      To I need to add this location to cagefs or run

      cagefsctl --update

      ?

      Comment


      • #4
        It should be 700 for logs directory (no point for anyone else even to be able to chdir or read it)
        PHP should never need to read log files. It wasn PHP itself, but mod_fcgid (running as apache) that needed to chdir to that directory.

        And it takes effect before cagefs, so nothing needs to be done on CageFS side.

        Comment


        • #5
          Thanks Igor,

          When I put this directory in 700 I get the following errors :

          [Sat Dec 15 12:45:01 2012] [error] [client 127.0.0.1] (13)Permission denied: Cannot open SSLSessionCache DBM file `/usr/local/apache/logs/ssl_scache for status retrival

          Ive put the chmod back to 755 in the mean time.

          Comment


          • #6
            I never had to deal with SSLSessionCache, but you can probably move it to the same location as fcgid.sock

            Comment


            • #7
              I tried to change SSLSessionCache, I redistilled the httpd.conf but the setting was lost when I rebuilt the httpd conf file to see if the distill worked.

              I guess cPanel doesnt was us changing locations like this.

              I see multiple values that would need to be changed if apache logs are set to 700 :

              RewriteLock /usr/local/apache/logs/rewrite_lock
              SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
              SSLMutex file:/usr/local/apache/logs/ssl_mutex

              Also Im thinking about moving fcgid sockets to another location as /var is on hard disks and /usr is on SSDs so I guess its better if the sockets are created faster then slower…

              Comment


              • #8
                As ASL say that they are working on a fix to this issue and that the upgrades wont be very often Ive decided to do this :

                I edited /scripts/postupcp

                I added the following line :

                /bin/chmod -v go+rx /usr/local/apache/logs #Fix ASL chmod issue

                I believe chmod doesnt touch the file if the chmods are correct.

                This is not a permanent solution as if ASL changes the chmods sites will go down until /scripts/postupcp is run.
                /scripts/postupcp is only run once the cPanel update has completed, this will take between 2 and 20 minutes depending on the updates performed (just timed an /scripts/upcp without any updates : 2minutes).

                Comment

                Working...
                X