[Cherokee] Execute as User/Group Issue
Matt Austin
made the switch - turned off apache, and started cherokee on port 80
for the first time :D.
All seems to be going well, but my various PHP/Django/Mono information
sources don't seem to be being run as the user/group I have specified
in the configuration.
I am using Cherokee 0.99.17 on Ubuntu 8.04 LTS with the Cherokee PPA.
Example PHP Interpreter
Connection: /tmp/mysite.co.uk-php.socket
Interpreter: php-cgi -b /tmp/mysite.co.uk-php.socket -d memory_limit=32M
Execute as User: mysite.co.uk
Execute as Group: mysite.co.uk
When I look at my processes, www-data is running php-cgi?
(The user/group are set up on my system correctly, I was using suexec
on apache).
Any ideas?
Cheers,
--
Matt Austin
http://mattaustin.me.uk/
_______________________________________________
Cherokee mailing list
Cher...@lists.octality.com
http://lists.octality.com/listinfo/cherokee
Piotr Waskiewicz
> All seems to be going well, but my various PHP/Django/Mono information
> sources don't seem to be being run as the user/group I have specified
> in the configuration.
> I am using Cherokee 0.99.17 on Ubuntu 8.04 LTS with the Cherokee PPA.
>
> Example PHP Interpreter
> Connection: /tmp/mysite.co.uk-php.socket
> Interpreter: php-cgi -b /tmp/mysite.co.uk-php.socket -d memory_limit=32M
> Execute as User: mysite.co.uk
> Execute as Group: mysite.co.uk
>
> When I look at my processes, www-data is running php-cgi?
> (The user/group are set up on my system correctly, I was using suexec
> on apache).
I have exactly the same behavior. Only when i run cherokee as root,
fcgi processes change to desired users. Otherwise im getting error
from spawner.c: WARNING: Couldn't unlock spawning semaphore.. and fcgi
is running as www-data.
You can try running cherokee from command line to see if you have same error.
My system is Ubuntu Ubuntu 9.04 Server 64bit.
Frank Groeneveld
entering a password if your program is not running as root. Therefor,
this behaviours seems only logical to me.
Regards,
Frank Groeneveld
2009/6/21 Piotr Waskiewicz <was...@gmail.com>:
Piotr Waskiewicz
Groeneveld<frankgr...@gmail.com> wrote:
> It's not possible to run something as a different user without
> entering a password if your program is not running as root. Therefor,
> this behaviours seems only logical to me.
Apparently it is possible. Check this thread:
http://groups.google.com/group/cherokee-http/browse_thread/thread/94682458c685f8e2/eabd5c4e869ed772
Except its not working for some ppl for unknown reason. :(
Jacob Peddicord
Groeneveld<frankgr...@gmail.com> wrote:
> It's not possible to run something as a different user without
> entering a password if your program is not running as root. Therefor,
> this behaviours seems only logical to me.
It used to work. The www-data worker processes would talk to the main
(root) process and it would spawn the interpreters. However, they are
all still launching as www-data. My guess is that the shared memory is
failing and Cherokee is falling back to the old style of execution.
Only problem is that I haven't seen any errors come up from this.
--
Jacob Peddicord
http://jacob.peddicord.net/
Piotr Waskiewicz
> It used to work. The www-data worker processes would talk to the main
> (root) process and it would spawn the interpreters. However, they are
> all still launching as www-data. My guess is that the shared memory is
> failing and Cherokee is falling back to the old style of execution.
> Only problem is that I haven't seen any errors come up from this.
It fails exactly in this spot:
spawner.c line 242:
/* Wake up the spawning thread
*/
ret = sem_signal (cherokee_spawn_sem);
if (unlikely (ret != ret_ok)) {
PRINT_ERROR_S ("WARNING: Couldn't unlock spawning semaphore..\n");
}
Function sem_signal not returning ret_ok, but i have no idea why and
how to fix it. :(
I can try to debug it, if someone tell me what i need to do.
Jacob Peddicord
> It fails exactly in this spot:
>
> spawner.c line 242:
> /* Wake up the spawning thread
> */
> ret = sem_signal (cherokee_spawn_sem);
> if (unlikely (ret != ret_ok)) {
> PRINT_ERROR_S ("WARNING: Couldn't unlock spawning semaphore..\n");
> }
>
>
> Function sem_signal not returning ret_ok, but i have no idea why and
> how to fix it. :(
It could have to do with changes in 3304, switching from POSIX to SysV
semaphores:
http://svn.cherokee-project.com/changeset/3304
That's the only big change I noticed with the spawning code.
--
Jacob Peddicord
http://jacob.peddicord.net/
Matt Austin
Groeneveld<frankgr...@gmail.com> wrote:
> It's not possible to run something as a different user without
> entering a password if your program is not running as root. Therefor,
> this behaviours seems only logical to me.
But if this had to be the case, then static files would be served by a
Cherokee process running as root - which seems to me to be quite
dangerous (potentially serving up any file on your machine).
I'm not a programmer, but if the other guys can identify the issue and
have www-data communicate to the main cherokee process to spawn the
interpreter as a given user, that would be the best solution.
Cheers,
--
Matt Austin
ma...@mattaustin.me.uk
Stefan de Konink
> On Sun, Jun 21, 2009 at 10:23 PM, Frank
> Groeneveld<frankgr...@gmail.com> wrote:
>> It's not possible to run something as a different user without
>> entering a password if your program is not running as root. Therefor,
>> this behaviours seems only logical to me.
>
> But if this had to be the case, then static files would be served by a
> Cherokee process running as root - which seems to me to be quite
> dangerous (potentially serving up any file on your machine).
Any file that is in your documentroot... your normal user will face the
same problem for every world readable file :) [so chroot is an option]
> I'm not a programmer, but if the other guys can identify the issue and
> have www-data communicate to the main cherokee process to spawn the
> interpreter as a given user, that would be the best solution.
That would still require the main process /cherokee/ to run as root,
while /cherokee-worker/ is www-data.
Stefan
Alvaro Lopez Ortega
> On Sun, Jun 21, 2009 at 10:23 AM, Frank
> Groeneveld<frankgr...@gmail.com> wrote:
>> It's not possible to run something as a different user without
>> entering a password if your program is not running as root. Therefor,
>> this behaviours seems only logical to me.
>
> It used to work. The www-data worker processes would talk to the main
> (root) process and it would spawn the interpreters. However, they are
> all still launching as www-data. My guess is that the shared memory is
> failing and Cherokee is falling back to the old style of execution.
> Only problem is that I haven't seen any errors come up from this.
This issue is fixed now:
http://svn.cherokee-project.com/changeset/3366
The patch will be shipped in Cherokee 0.99.18 within the next few hours.
Thank you guys for finding and reporting the problem!
--
Octality
http://www.octality.com/
Piotr Waskiewicz
>
> This issue is fixed now:
>
> http://svn.cherokee-project.com/changeset/3366
>
> The patch will be shipped in Cherokee 0.99.18 within the next few hours.
> Thank you guys for finding and reporting the problem!
That did it!
root@orion:~# soft/cherokee/sbin/cherokee
Cherokee Web Server 0.99.18 (Jun 22 2009): Listening on ports ALL:80,
ALL:443(TLS), with TLS support via libssl, IPv6 enabled, using epoll, 1024
fds system limit, max. 505 connections, caching I/O, 10 threads, 50
connections per thread, standard scheduling policy
PID 20599: launched '/bin/sh -c exec /usr/bin/php-cgi -b
/tmp/cherokee-php-ovh.socket' with uid=1001, gid=1001
root@orion:/home# pstree -uA 20409
cherokee-+-cherokee-worker(www-data)---9*[{cherokee-worker}]
|-php-cgi(ovh)---3*[php-cgi]
`-{cherokee}
Thanks a bunch! Its working perfect now, its amazing piece of software. :)