Re: [BackupPC-users] PackupPC CGI interface and Plesk
Les Mikesell wrote:

> Does the running httpd retain the apache group? Maybe you need to
> change the group to psaserv. If you aren't in the right group you
> can't execute this.

I added user backuppc to the psaserv group:

$ groups backuppc
backuppc : backuppc psaserv

I chowned BackupPC_Admin to backupc:psaserv and removed write permissions:

-r-sr-x--- 1 backuppc psaserv 3912 Jun 7 11:48 BackupPC_Admin

I can execute this as user backuppc, apache and root, but still it's not working when I access it through a browser. I'm slowly starting to go nuts from this...

Nils Breunese.

___
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/backuppc-users
http://backuppc.sourceforge.net/
Re: [BackupPC-users] PackupPC CGI interface and Plesk
On Thu, 2006-06-08 at 08:35, Nils Breunese (Lemonbit Internet) wrote:

> > Does the running httpd retain the apache group? Maybe you need to
> > change the group to psaserv. If you aren't in the right group you
> > can't execute this.
>
> I added user backuppc to the psaserv group:
>
> $ groups backuppc
> backuppc : backuppc psaserv
>
> I chowned BackupPC_Admin to backupc:psaserv and removed write permissions:
>
> -r-sr-x--- 1 backuppc psaserv 3912 Jun 7 11:48 BackupPC_Admin
>
> I can execute this as user backuppc, apache and root, but still it's
> not working when I access it through a browser. I'm slowly starting
> to go nuts from this...

Is there a more informative error in the httpd error_log now?

A brute-force way to debug is to 'strace -p ' one of the httpd process id's, then hit the page until that process handles it, then look for failed system calls where you might be able to see what file it is trying to access.

--
Les Mikesell
[EMAIL PROTECTED]
Re: [BackupPC-users] PackupPC CGI interface and Plesk
Les Mikesell wrote:

> > -r-sr-x--- 1 backuppc psaserv 3912 Jun 7 11:48 BackupPC_Admin
> >
> > I can execute this as user backuppc, apache and root, but still it's
> > not working when I access it through a browser. I'm slowly starting
> > to go nuts from this...
>
> Is there a more informative error in the httpd error_log now?

No. I get this in my browser window:

500 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, [EMAIL PROTECTED] and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log.

And in error_log I find:

[Thu Jun 08 15:30:17 2006] [error] [client xxx.xxx.xxx.xxx] Premature end of script headers: BackupPC_Admin

That's all. When I reload the page I just get another one of those.

> A brute-force way to debug is to 'strace -p ' one of the httpd
> process id's, then hit the page until that process handles it, then
> look for failed system calls where you might be able to see what
> file it is trying to access.

I didn't find anything this way. I only keep hitting traces of the 404 error served for the favicon.ico.

However, I thought of one more thing. I believe Plesk uses suexec for perl scripts. In the httpd.include for the vhost (generated by Plesk) I find:

SuexecUserGroup lemonbitbackup psacln

Could this maybe override the setuid on BackupPC_Admin? In /var/log/httpd/suexec_log I find:

[2006-06-08 15:57:52]: uid: (10011/lemonbitbackup) gid: (10001/10001) cmd: BackupPC_Admin
[2006-06-08 15:57:52]: file is either setuid or setgid: (/var/www/vhosts/backup.lemonbit.nl/cgi-bin/BackupPC_Admin)

Could it be that that SuexecUserGroup directive somehow overrides the setuid bit on BackupPC_Admin?

Thanks for the great help so far,

Nils Breunese.
Re: [BackupPC-users] PackupPC CGI interface and Plesk
On Thu, 2006-06-08 at 16:04 +0200, Nils Breunese (Lemonbit Internet) wrote:

> I didn't find anything this way. I only keep hitting traces of the
> 404 error served for the favicon.ico.
>
> However, I thought of one more thing. I believe Plesk uses suexec for
> perl scripts. In the httpd.include for the vhost (generated by Plesk)
> I find:
>
> SuexecUserGroup lemonbitbackup psacln
>
> Could this maybe override the setuid on BackupPC_Admin? In
> /var/log/httpd/suexec_log I find:
>
> [2006-06-08 15:57:52]: uid: (10011/lemonbitbackup) gid: (10001/10001) cmd: BackupPC_Admin
> [2006-06-08 15:57:52]: file is either setuid or setgid: (/var/www/vhosts/backup.lemonbit.nl/cgi-bin/BackupPC_Admin)
>
> Could it be that that SuexecUserGroup directive somehow overrides the
> setuid bit on BackupPC_Admin?
>
> Thanks for the great help so far,

I've never used it but it seems likely - or that it just refuses to run anything with the setuid bit set. Maybe the Plesk way of doing things would be to change the backuppc user (and ownership of everything related) to match the lemonbitbackup user that Plesk created. Is this supposed to be something that saves you time...?

--
Les Mikesell
[EMAIL PROTECTED]
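Added example (not part of the thread, and not Apache's, Plesk's or BackupPC's own code): a Python version of three file checks from Apache's documented suexec security model, applied to the permissions quoted in the messages above. It reports every failed check, whereas suexec stops at the first one; the backuppc uid and psaserv gid are constructed values because the thread does not give them, and psacln is assumed to be gid 10001 from the suexec_log line.

```python
import os
import stat


def suexec_file_problems(st_mode, st_uid, st_gid, target_uid, target_gid):
    """Return the suexec file checks this program would fail (empty list = passes)."""
    problems = []
    # suexec rejects programs that group or other may write to.
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable-by-others")
    # The check that produced "file is either setuid or setgid" in suexec_log.
    if st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("setuid-or-setgid")
    # Program owner and group must equal the SuexecUserGroup user and group.
    if (st_uid, st_gid) != (target_uid, target_gid):
        problems.append("owner-mismatch")
    return problems


def check_cgi(path, target_uid, target_gid):
    """Run the checks against a file on disk (lstat, so symlinks are not followed)."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return ["not-a-regular-file"]
    return suexec_file_problems(st.st_mode, st.st_uid, st.st_gid,
                                target_uid, target_gid)


# From the thread: SuexecUserGroup lemonbitbackup psacln -> uid 10011, gid 10001.
SUEXEC_UID, SUEXEC_GID = 10011, 10001
# Constructed values: the thread never states these numeric ids.
BACKUPPC_UID, PSASERV_GID = 501, 502


def demo():
    """Evaluate the two states discussed in the thread."""
    return {
        # -r-sr-x--- backuppc psaserv, as posted
        "as_posted": suexec_file_problems(stat.S_IFREG | 0o4550, BACKUPPC_UID,
                                          PSASERV_GID, SUEXEC_UID, SUEXEC_GID),
        # No setuid bit, owned by the vhost user and group
        "owned_by_vhost_user": suexec_file_problems(stat.S_IFREG | 0o550, SUEXEC_UID,
                                                    SUEXEC_GID, SUEXEC_UID, SUEXEC_GID),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "passes these checks")
```

For the file as posted, clearing the setuid bit alone would still leave the owner mismatch, since the program is owned by backuppc and not by the SuexecUserGroup user.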
Re: [BackupPC-users] PackupPC CGI interface and Plesk
On Wednesday 7 June 2006 17:07, Nils Breunese (Lemonbit Internet) wrote:

> I have set up a vhost backup.lemonbit.nl through Plesk and this
> automatically creates a /var/www/vhosts/backup.lemonbit.nl/cgi-bin/
> directory as this domain's cgi-bin directory. This is also the
> location I entered when running perl configure.pl and afterwards I
> indeed found BackupPC_Admin there:
>
> -r-sr-xr-- 1 backuppc backuppc 3912 Jun 7 11:48 BackupPC_Admin
>
> However, these are the permissions on the
> /var/www/vhosts/backup.lemonbit.nl/cgi-bin directory:
>
> drwxr-x--- 2 lemonbitbackup psaserv 4096 Jun 7 15:42 cgi-bin

Mine are (as stated in the docs):

-rwsr-x--- 2 backuppc apache 3894 Apr 20 15:29 BackupPC_Admin

I remember having to set ownership and permissions _exactly_ this way, otherwise it refused to work. To check, I did su - apache and tried to execute the cgi from the command line. Btw, I have apache server running as user apache and group apache. I don't think it's a vhost problem (but I might be wrong, I don't use vhosts on this computer).

As for the cgi-bin dir, I think that ownership and permissions do not matter, as long as the user that apache is running as is able to enter the directory and execute the cgi.

And, make sure that your perl has perlsuid support as explained in the BackupPC docs.
Re: [BackupPC-users] PackupPC CGI interface and Plesk
On Wednesday 7 June 2006 17:44, Etaoin Shrdlu wrote:

> Mine are (as stated in the docs):
>
> -rwsr-x--- 2 backuppc apache 3894 Apr 20 15:29 BackupPC_Admin

By the way, the docs list the permissions as

-swxr-x--- 1 __BACKUPPCUSER__ web 82406 Jun 17 22:58 __CGIDIR__/BackupPC_Admin

I think that should be

-rwsr-x--- 1 __BACKUPPCUSER__ web 82406 Jun 17 22:58 __CGIDIR__/BackupPC_Admin

with the s for the execute flag (not for the read), to mean setuid.
Re: [BackupPC-users] PackupPC CGI interface and Plesk
Etaoin Shrdlu wrote:

> > Mine are (as stated in the docs):
> >
> > -rwsr-x--- 2 backuppc apache 3894 Apr 20 15:29 BackupPC_Admin
>
> By the way, the docs list the permissions as
>
> -swxr-x--- 1 __BACKUPPCUSER__ web 82406 Jun 17 22:58 __CGIDIR__/BackupPC_Admin
>
> I think that should be
>
> -rwsr-x--- 1 __BACKUPPCUSER__ web 82406 Jun 17 22:58 __CGIDIR__/BackupPC_Admin
>
> with the s for the execute flag (not for the read), to mean setuid.

I did the following:

# chown backuppc:apache BackupPC_Admin
# chmod 4750 BackupPC_Admin

And now have:

-rwsr-x--- 1 backuppc apache 3912 Jun 7 11:48 BackupPC_Admin

However, the interface is still not working for me. Any more ideas?

Nils.
Re: [BackupPC-users] PackupPC CGI interface and Plesk
On Wed, 2006-06-07 at 17:07 +0200, Nils Breunese (Lemonbit Internet) wrote:

> However this machine is also running the Plesk 8 control panel. When
> it came to installing the CGI interface (a single file!) this is
> where I got stuck. As I understand, I can either run the CGI interface
> setuid backuppc or run a separate apache instance running as user
> backuppc using mod_perl. I thought the setuid way would be the
> easiest to get working, but I think Plesk may be getting in the way
> too much.
>
> I have set up a vhost backup.lemonbit.nl through Plesk and this
> automatically creates a /var/www/vhosts/backup.lemonbit.nl/cgi-bin/
> directory as this domain's cgi-bin directory. This is also the
> location I entered when running perl configure.pl and afterwards I
> indeed found BackupPC_Admin there:
>
> -r-sr-xr-- 1 backuppc backuppc 3912 Jun 7 11:48 BackupPC_Admin
>
> However, these are the permissions on the
> /var/www/vhosts/backup.lemonbit.nl/cgi-bin directory:
>
> drwxr-x--- 2 lemonbitbackup psaserv 4096 Jun 7 15:42 cgi-bin

I don't know enough about plesk to help much. Does it run a separate httpd instance with a different uid for each virtual server?

> So: the backuppc user is not able to execute BackupPC_Admin as it
> cannot get to the script. All I get is 500 Internal Server Errors and
> my logs keep saying:
>
> Premature end of script headers: BackupPC_Admin

I think you'd get a permission error logged if it is a permission error. Check your ScriptAlias in the httpd.conf for the vhost to see what happens to /cgi-bin requests.

> I believe however that if I change the ownership on the cgi-bin
> directory I can't execute any scripts at all.

The cgi-bin directory (and all above) must have read and execute permission for the httpd server user. The BackupPC_Admin file must be owned by the backuppc user and have the setuid bit set.

--
Les Mikesell
[EMAIL PROTECTED]
Re: [BackupPC-users] PackupPC CGI interface and Plesk
On Wed, 2006-06-07 at 19:44 +0200, Nils Breunese (Lemonbit Internet) wrote:

> > I don't know enough about plesk to help much. Does it run a
> > separate httpd instance with a different uid for each virtual
> > server?
>
> No, all httpd processes run as user apache.
>
> > I think you'd get a permission error logged if it is a permission
> > error. Check your ScriptAlias in the httpd.conf for the vhost to
> > see what happens to /cgi-bin requests.
>
> The httpd.include file for the vhost aliases /cgi-bin/ to
> /var/www/vhosts/domain/cgi-bin/, which is where configure.pl put
> BackupPC_Admin.
>
> > > I believe however that if I change the ownership on the cgi-bin
> > > directory I can't execute any scripts at all.
> >
> > The cgi-bin directory (and all above) must have read and execute
> > permission for the httpd server user. The BackupPC_Admin file must
> > be owned by the backuppc user and have the setuid bit set.
>
> Well, that sounds just like I have it setup. Here's a walk from / to
> the BackupPC_Admin file:
>
> drwxr-xr-x 24 root root 4096 Mar 26 16:00 var
> drwxr-xr-x 9 root root 4096 Jan 5 19:34 www
> drwxr-xr-x 10 root root 4096 Jun 7 10:35 vhosts
> drwxr-xr-x 14 root root 4096 Jun 7 10:35 backup.lemonbit.nl
> drwxr-x--- 2 lemonbitbackup psaserv 4096 Jun 7 15:42 cgi-bin
> -rwsr-x--- 1 backuppc apache 3912 Jun 7 11:48 BackupPC_Admin

^^

Does the running httpd retain the apache group? Maybe you need to change the group to psaserv. If you aren't in the right group you can't execute this.

> The apache user is a member of the psaserv group. I can execute
> BackupPC_Admin on the command line as user apache, but user backuppc
> cannot cd into the final directory, the cgi-bin directory. I believe
> this is the problem. I don't really see how to fix this cleanly
> though.

I don't think that is necessary. You could test it by giving rx permission to 'other'. I'd turn off all 'w' access too.

--
Les Mikesell
[EMAIL PROTECTED]