[Cherokee] Execute as User/Group Issue


Matt Austin

Jun 21, 2009, 3:47:09 AM
to cher...@lists.octality.com
This weekend I finished configuring all my many virtual hosts, and
made the switch - turned off apache, and started cherokee on port 80
for the first time :D.

All seems to be going well, but my various PHP/Django/Mono information
sources don't seem to be run as the user/group I have specified
in the configuration.
I am using Cherokee 0.99.17 on Ubuntu 8.04 LTS with the Cherokee PPA.

Example PHP Interpreter
Connection: /tmp/mysite.co.uk-php.socket
Interpreter: php-cgi -b /tmp/mysite.co.uk-php.socket -d memory_limit=32M
Execute as User: mysite.co.uk
Execute as Group: mysite.co.uk

When I look at my processes, www-data is running php-cgi?
(The user/group are set up on my system correctly, I was using suexec
on apache).

Any ideas?


Cheers,

--
Matt Austin
http://mattaustin.me.uk/
_______________________________________________
Cherokee mailing list
Cher...@lists.octality.com
http://lists.octality.com/listinfo/cherokee

Piotr Waskiewicz

Jun 21, 2009, 4:26:14 AM
to cher...@lists.octality.com
On Sun, Jun 21, 2009 at 9:47 AM, Matt Austin <ma...@mattaustin.me.uk> wrote:
> All seems to be going well, but my various PHP/Django/Mono information
> sources don't seem to be being run as the user/group I have specified
> in the configuration.
> I am using Cherokee 0.99.17 on Ubuntu 8.04 LTS with the Cherokee PPA.
>
> Example PHP Interpreter
> Connection: /tmp/mysite.co.uk-php.socket
> Interpreter: php-cgi -b /tmp/mysite.co.uk-php.socket -d memory_limit=32M
> Execute as User: mysite.co.uk
> Execute as Group: mysite.co.uk
>
> When I look at my processes, www-data is running php-cgi?
> (The user/group are set up on my system correctly, I was using suexec
> on apache).

I have exactly the same behavior. Only when I run cherokee as root do
the fcgi processes change to the desired users. Otherwise I'm getting an
error from spawner.c: WARNING: Couldn't unlock spawning semaphore.. and fcgi
is running as www-data.

You can try running cherokee from command line to see if you have same error.

My system is Ubuntu 9.04 Server 64-bit.

Frank Groeneveld

Jun 21, 2009, 10:23:38 AM
to Piotr Waskiewicz, cher...@lists.octality.com
It's not possible to run something as a different user without
entering a password if your program is not running as root. Therefore,
this behaviour seems only logical to me.

Regards,

Frank Groeneveld

2009/6/21 Piotr Waskiewicz <was...@gmail.com>:

Piotr Waskiewicz

Jun 21, 2009, 1:03:51 PM
to Frank Groeneveld, cher...@lists.octality.com
On Sun, Jun 21, 2009 at 4:23 PM, Frank
Groeneveld<frankgr...@gmail.com> wrote:
> It's not possible to run something as a different user without
> entering a password if your program is not running as root. Therefor,
> this behaviours seems only logical to me.

Apparently it is possible. Check this thread:
http://groups.google.com/group/cherokee-http/browse_thread/thread/94682458c685f8e2/eabd5c4e869ed772

Except it's not working for some people, for an unknown reason. :(

Jacob Peddicord

Jun 21, 2009, 1:10:48 PM
to Frank Groeneveld, cher...@lists.octality.com
On Sun, Jun 21, 2009 at 10:23 AM, Frank
Groeneveld<frankgr...@gmail.com> wrote:
> It's not possible to run something as a different user without
> entering a password if your program is not running as root. Therefor,
> this behaviours seems only logical to me.

It used to work. The www-data worker processes would talk to the main
(root) process and it would spawn the interpreters. However, they are
all still launching as www-data. My guess is that the shared memory is
failing and Cherokee is falling back to the old style of execution.
Only problem is that I haven't seen any errors come up from this.

--
Jacob Peddicord
http://jacob.peddicord.net/

Piotr Waskiewicz

Jun 21, 2009, 1:32:28 PM
to cher...@lists.octality.com
On Sun, Jun 21, 2009 at 7:10 PM, Jacob Peddicord<jpedd...@ubuntu.com> wrote:
> It used to work. The www-data worker processes would talk to the main
> (root) process and it would spawn the interpreters. However, they are
> all still launching as www-data. My guess is that the shared memory is
> failing and Cherokee is falling back to the old style of execution.
> Only problem is that I haven't seen any errors come up from this.

It fails exactly in this spot:

spawner.c line 242:
    /* Wake up the spawning thread
     */
    ret = sem_signal (cherokee_spawn_sem);
    if (unlikely (ret != ret_ok)) {
        PRINT_ERROR_S ("WARNING: Couldn't unlock spawning semaphore..\n");
    }


Function sem_signal is not returning ret_ok, but I have no idea why or
how to fix it. :(

I can try to debug it, if someone tells me what I need to do.

Jacob Peddicord

Jun 21, 2009, 1:52:53 PM
to Piotr Waskiewicz, cher...@lists.octality.com
On Sun, Jun 21, 2009 at 1:32 PM, Piotr Waskiewicz<was...@gmail.com> wrote:
> It fails exactly in this spot:
>
> spawner.c line 242:
> /* Wake up the spawning thread
>  */
> ret = sem_signal (cherokee_spawn_sem);
> if (unlikely (ret != ret_ok)) {
>    PRINT_ERROR_S ("WARNING: Couldn't unlock spawning semaphore..\n");
> }
>
>
> Function sem_signal not returning ret_ok, but i have no idea why and
> how to fix it. :(

It could have to do with changes in 3304, switching from POSIX to SysV
semaphores:
http://svn.cherokee-project.com/changeset/3304

That's the only big change I noticed with the spawning code.

--
Jacob Peddicord
http://jacob.peddicord.net/

Matt Austin

Jun 21, 2009, 10:03:55 PM
to Frank Groeneveld, cher...@lists.octality.com
On Sun, Jun 21, 2009 at 10:23 PM, Frank
Groeneveld<frankgr...@gmail.com> wrote:
> It's not possible to run something as a different user without
> entering a password if your program is not running as root. Therefor,
> this behaviours seems only logical to me.

But if this had to be the case, then static files would be served by a
Cherokee process running as root - which seems to me to be quite
dangerous (potentially serving up any file on your machine).

I'm not a programmer, but if the other guys can identify the issue and
have www-data communicate to the main cherokee process to spawn the
interpreter as a given user, that would be the best solution.

Cheers,

--
Matt Austin
ma...@mattaustin.me.uk

Stefan de Konink

Jun 22, 2009, 3:00:04 AM
to Matt Austin, cher...@lists.octality.com
Matt Austin wrote:
> On Sun, Jun 21, 2009 at 10:23 PM, Frank
> Groeneveld<frankgr...@gmail.com> wrote:
>> It's not possible to run something as a different user without
>> entering a password if your program is not running as root. Therefor,
>> this behaviours seems only logical to me.
>
> But if this had to be the case, then static files would be served by a
> Cherokee process running as root - which seems to me to be quite
> dangerous (potentially serving up any file on your machine).

Any file that is in your documentroot... your normal user will face the
same problem for every world readable file :) [so chroot is an option]


> I'm not a programmer, but if the other guys can identify the issue and
> have www-data communicate to the main cherokee process to spawn the
> interpreter as a given user, that would be the best solution.

That would still require the main process /cherokee/ to run as root,
while /cherokee-worker/ is www-data.


Stefan
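The model Jacob and Stefan describe above (the www-data worker asks the root master process to spawn the interpreter, and the master performs the uid/gid switch before exec) is the only way an unprivileged worker can end up with interpreters owned by another user, which is also why Frank's objection holds for the worker but not for the master. The following is an added example in C written for this thread, not Cherokee's spawner.c: the worker-to-master transport (shared memory plus a semaphore in Cherokee) is left out and only the privileged side is shown, and the names `drop_to`, `spawn_as_user` and `runs_as` are chosen here. It doubles as the check Matt was after: instead of trusting the configuration, the spawned process is asked which ids it actually holds. On a live host `pstree -u` or `ps -o user,group,args` gives the same answer.

```c
/* Privileged spawner pattern: a root master forks, drops to the configured
 * uid/gid, verifies the switch, then execs the interpreter line.
 * Added example for this thread; not Cherokee project code. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit statuses the child reports when it never reaches the interpreter. */
#define SPAWN_ERR_PRIVS 126
#define SPAWN_ERR_EXEC  127

/* Switch the calling process to uid/gid, refusing to continue if any step
 * fails. Order matters: supplementary groups and gid first, uid last, since
 * after setuid() to a non-root uid the process can no longer change its gid.
 * Returns 0 on success, -1 if the identity was not reached or can be regained. */
static int drop_to(uid_t uid, gid_t gid)
{
	if (geteuid() == 0) {
		/* Only root may clear the supplementary group list; an
		 * unprivileged caller simply keeps the one it already has. */
		if (setgroups(0, NULL) != 0)
			return -1;
	}
	if (setgid(gid) != 0)
		return -1;
	if (setuid(uid) != 0)
		return -1;

	/* Do not trust the return values alone: re-read all four ids ... */
	if (getuid() != uid || geteuid() != uid ||
	    getgid() != gid || getegid() != gid)
		return -1;
	/* ... and make sure root cannot be reacquired through a saved uid of 0. */
	if (uid != 0 && setuid(0) == 0)
		return -1;
	return 0;
}

/* Fork, move the child to uid/gid, then exec "/bin/sh -c cmd" (the same shape
 * as the interpreter line in this thread). Returns the child's exit status,
 * SPAWN_ERR_PRIVS if the identity switch failed, SPAWN_ERR_EXEC if exec
 * failed, or -1 on a fork/wait error. */
int spawn_as_user(const char *cmd, uid_t uid, gid_t gid)
{
	int status;
	pid_t pid = fork();

	if (pid < 0)
		return -1;
	if (pid == 0) {
		if (drop_to(uid, gid) != 0)
			_exit(SPAWN_ERR_PRIVS);
		execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
		_exit(SPAWN_ERR_EXEC);
	}
	if (waitpid(pid, &status, 0) < 0)
		return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The check from outside: ask the spawned process itself which ids it runs
 * with. Returns 1 if the child reports exactly uid/gid, 0 otherwise. */
int runs_as(uid_t uid, gid_t gid)
{
	char cmd[160];

	snprintf(cmd, sizeof cmd,
	         "test \"$(id -u)\" -eq %lu && test \"$(id -g)\" -eq %lu",
	         (unsigned long)uid, (unsigned long)gid);
	return spawn_as_user(cmd, uid, gid) == 0;
}

int main(int argc, char **argv)
{
	/* Usage: ./spawn UID GID 'php-cgi -b /tmp/site.socket'
	 * Switching to another user needs root; your own ids work unprivileged. */
	if (argc != 4) {
		fprintf(stderr, "usage: %s uid gid command\n", argv[0]);
		return 2;
	}
	uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
	gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
	if (!runs_as(uid, gid)) {
		fprintf(stderr, "refusing: cannot run as %s:%s (euid %lu)\n",
		        argv[1], argv[2], (unsigned long)geteuid());
		return 1;
	}
	return spawn_as_user(argv[3], uid, gid);
}
```

Two details matter for the failure reported in this thread. The gid and supplementary groups are set before the uid, because the reverse order leaves the process unable to finish the switch, and the child verifies the result with getuid()/geteuid() and a setuid(0) that must fail rather than trusting return values, so a spawner that cannot reach the configured user exits with an error instead of quietly serving as www-data.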

Alvaro Lopez Ortega

Jun 22, 2009, 5:49:27 AM
to Jacob Peddicord, cher...@lists.octality.com
On 21-jun-09, at 19:10, Jacob Peddicord wrote:
> On Sun, Jun 21, 2009 at 10:23 AM, Frank
> Groeneveld<frankgr...@gmail.com> wrote:
>> It's not possible to run something as a different user without
>> entering a password if your program is not running as root. Therefor,
>> this behaviours seems only logical to me.
>
> It used to work. The www-data worker processes would talk to the main
> (root) process and it would spawn the interpreters. However, they are
> all still launching as www-data. My guess is that the shared memory is
> failing and Cherokee is falling back to the old style of execution.
> Only problem is that I haven't seen any errors come up from this.


This issue is fixed now:

http://svn.cherokee-project.com/changeset/3366

The patch will be shipped in Cherokee 0.99.18 within the next few hours.
Thank you guys for finding and reporting the problem!

--
Octality
http://www.octality.com/

Piotr Waskiewicz

Jun 22, 2009, 10:28:59 AM
to Alvaro Lopez Ortega, cher...@lists.octality.com
On Mon, Jun 22, 2009 at 11:49 AM, Alvaro Lopez Ortega<alv...@alobbs.com> wrote:
>
> This issue is fixed now:
>
>   http://svn.cherokee-project.com/changeset/3366
>
> The patch will be shipped in Cherokee 0.99.18 within the next few hours.
> Thank you guys for finding and reporting the problem!

That did it!

root@orion:~# soft/cherokee/sbin/cherokee
Cherokee Web Server 0.99.18 (Jun 22 2009): Listening on ports ALL:80,
ALL:443(TLS), with TLS support via libssl, IPv6 enabled, using epoll, 1024
fds system limit, max. 505 connections, caching I/O, 10 threads, 50
connections per thread, standard scheduling policy
PID 20599: launched '/bin/sh -c exec /usr/bin/php-cgi -b
/tmp/cherokee-php-ovh.socket' with uid=1001, gid=1001

root@orion:/home# pstree -uA 20409
cherokee-+-cherokee-worker(www-data)---9*[{cherokee-worker}]
         |-php-cgi(ovh)---3*[php-cgi]
         `-{cherokee}

Thanks a bunch! It's working perfectly now; it's an amazing piece of software. :)
