suexec 与 chroot 环境

suexec 与 chroot 环境

我正在尝试在 chroot 的 Apache 环境中让 mod_fcgid 与 suexec 一起运行。

查看监狱内的 suexec 日志,包装器脚本的执行没有任何问题,但是,当我查看 Apache 的错误日志时,我看到以下错误;

suexec failure: could not open log file
fopen: Permission denied

suexec 日志;

[2013-06-20 01:15:39]: uid: (500/user) gid: (500/user) cmd: php-fcgi-starter
[2013-06-20 01:16:30]: uid: (500/user) gid: (500/user) cmd: php-fcgi-starter
[2013-06-20 01:16:39]: uid: (500/user) gid: (500/user) cmd: php-fcgi-starter
[2013-06-20 01:18:07]: uid: (500/user) gid: (500/user) cmd: php-fcgi-starter
[2013-06-20 01:22:21]: uid: (500/user) gid: (500/user) cmd: php-fcgi-starter

当我对 php 和 suexec 进行 strace 时,它们并没有抱怨任何缺失的库或文件。日志显示“无法打开日志文件”,但它显然能够写入监狱内的错误日志文件。这个设置有什么问题吗?什么可能会触发此错误?

编辑 :

跟踪结果;

[pid  9912] rt_sigaction(SIGCHLD, {SIG_DFL, [], SA_RESTORER|SA_INTERRUPT, 0x7fca687fe500}, {SIG_DFL, [], 0}, 8) = 0
[pid  9912] chdir("/var/www/username/cgi-bin/") = 0
[pid  9912] execve("/usr/sbin/suexec", ["/usr/sbin/suexec", "500", "500", "php-fcgi-starter"], [/* 1 var */]) = 0
[pid  9912] brk(0)                      = 0x7f2d71e91000
[pid  9912] fcntl(0, F_GETFD)           = 0
[pid  9912] fcntl(1, F_GETFD)           = 0
[pid  9912] fcntl(2, F_GETFD)           = 0
[pid  9912] access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f2000
[pid  9912] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid  9912] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid  9912] fstat(3, {st_mode=S_IFREG|0644, st_size=13704, ...}) = 0
[pid  9912] mmap(NULL, 13704, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f2d715ee000
[pid  9912] close(3)                    = 0
[pid  9912] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid  9912] read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\355\1\0\0\0\0\0"..., 832) = 832
[pid  9912] fstat(3, {st_mode=S_IFREG|0755, st_size=1916568, ...}) = 0
[pid  9912] mmap(NULL, 3745960, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f2d71041000
[pid  9912] mprotect(0x7f2d711cb000, 2093056, PROT_NONE) = 0
[pid  9912] mmap(0x7f2d713ca000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x189000) = 0x7f2d713ca000
[pid  9912] mmap(0x7f2d713cf000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f2d713cf000
[pid  9912] close(3)                    = 0
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f9000
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715ed000
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715ec000
[pid  9912] arch_prctl(ARCH_SET_FS, 0x7f2d715ed700) = 0
[pid  9912] mprotect(0x7f2d713ca000, 16384, PROT_READ) = 0
[pid  9912] mprotect(0x7f2d715f3000, 4096, PROT_READ) = 0
[pid  9912] munmap(0x7f2d715ee000, 13704) = 0
[pid  9912] brk(0)                      = 0x7f2d71e91000
[pid  9912] brk(0x7f2d71eb2000)         = 0x7f2d71eb2000
[pid  9912] getuid()                    = 48
[pid  9912] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
[pid  9912] connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid  9912] close(3)                    = 0
[pid  9912] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
[pid  9912] connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid  9912] close(3)                    = 0
[pid  9912] open("/etc/nsswitch.conf", O_RDONLY) = 3
[pid  9912] fstat(3, {st_mode=S_IFREG|0644, st_size=1688, ...}) = 0
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f1000
[pid  9912] read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1688
[pid  9912] read(3, "", 4096)           = 0
[pid  9912] close(3)                    = 0
[pid  9912] munmap(0x7f2d715f1000, 4096) = 0
[pid  9912] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid  9912] fstat(3, {st_mode=S_IFREG|0644, st_size=13704, ...}) = 0
[pid  9912] mmap(NULL, 13704, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f2d715ee000
[pid  9912] close(3)                    = 0
[pid  9912] open("/lib64/libnss_files.so.2", O_RDONLY) = 3
[pid  9912] read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360!\0\0\0\0\0\0"..., 832) = 832
[pid  9912] fstat(3, {st_mode=S_IFREG|0755, st_size=65928, ...}) = 0
[pid  9912] mmap(NULL, 2151824, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f2d70e33000
[pid  9912] mprotect(0x7f2d70e3f000, 2097152, PROT_NONE) = 0
[pid  9912] mmap(0x7f2d7103f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0x7f2d7103f000
[pid  9912] close(3)                    = 0
[pid  9912] mprotect(0x7f2d7103f000, 4096, PROT_READ) = 0
[pid  9912] munmap(0x7f2d715ee000, 13704) = 0
[pid  9912] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
[pid  9912] fcntl(3, F_GETFD)           = 0x1 (flags FD_CLOEXEC)
[pid  9912] fstat(3, {st_mode=S_IFREG|0644, st_size=952, ...}) = 0
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f1000
[pid  9912] read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 952
[pid  9912] close(3)                    = 0
[pid  9912] munmap(0x7f2d715f1000, 4096) = 0
[pid  9912] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
[pid  9912] fstat(3, {st_mode=S_IFREG|0644, st_size=952, ...}) = 0
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f1000
[pid  9912] read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 952
[pid  9912] close(3)                    = 0
[pid  9912] munmap(0x7f2d715f1000, 4096) = 0
[pid  9912] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
[pid  9912] connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid  9912] close(3)                    = 0
[pid  9912] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
[pid  9912] connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid  9912] close(3)                    = 0
[pid  9912] open("/etc/group", O_RDONLY|O_CLOEXEC) = 3
[pid  9912] fstat(3, {st_mode=S_IFREG|0644, st_size=520, ...}) = 0
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f1000
[pid  9912] read(3, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 520
[pid  9912] close(3)                    = 0
[pid  9912] munmap(0x7f2d715f1000, 4096) = 0
[pid  9912] open("/var/log/httpd/suexec.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = 3
[pid  9912] fstat(3, {st_mode=S_IFREG|0644, st_size=17043, ...}) = 0
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f1000
[pid  9912] fstat(3, {st_mode=S_IFREG|0644, st_size=17043, ...}) = 0
[pid  9912] lseek(3, 17043, SEEK_SET)   = 17043
[pid  9912] gettimeofday({1371690955, 897472}, NULL) = 0
[pid  9912] open("/etc/localtime", O_RDONLY) = 4
[pid  9912] fstat(4, {st_mode=S_IFREG|0644, st_size=2102, ...}) = 0
[pid  9912] fstat(4, {st_mode=S_IFREG|0644, st_size=2102, ...}) = 0
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f0000
[pid  9912] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 2102
[pid  9912] lseek(4, -1337, SEEK_CUR)   = 765
[pid  9912] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 1337
[pid  9912] close(4)                    = 0
[pid  9912] munmap(0x7f2d715f0000, 4096) = 0
[pid  9912] write(3, "[2013-06-20 03:15:55]: uid: (500"..., 77) = 77
[pid  9912] setgid(500)                 = 0
[pid  9912] open("/proc/sys/kernel/ngroups_max", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  9912] open("/etc/group", O_RDONLY|O_CLOEXEC) = 4
[pid  9912] fstat(4, {st_mode=S_IFREG|0644, st_size=520, ...}) = 0
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f0000
[pid  9912] lseek(4, 0, SEEK_CUR)       = 0
[pid  9912] read(4, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 520
[pid  9912] read(4, "", 4096)           = 0
[pid  9912] close(4)                    = 0
[pid  9912] munmap(0x7f2d715f0000, 4096) = 0
[pid  9912] setgroups(1, [500])         = 0
[pid  9912] setuid(500)                 = 0
[pid  9912] getcwd("/var/www/username/cgi-bin", 4096) = 22
[pid  9912] chdir("/var/www")           = 0
[pid  9912] getcwd("/var/www", 4096)    = 9
[pid  9912] chdir("/var/www/username/cgi-bin") = 0
[pid  9912] lstat("/var/www/username/cgi-bin", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
[pid  9912] lstat("php-fcgi-starter", {st_mode=S_IFREG|0755, st_size=128, ...}) = 0
[pid  9912] close(3)                    = 0
[pid  9912] munmap(0x7f2d715f1000, 4096) = 0
[pid  9912] execve("php-fcgi-starter", ["php-fcgi-starter"], [/* 1 var */]) = -1 ENOENT (No such file or directory)
[pid  9912] open("/var/log/httpd/suexec.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
[pid  9912] write(2, "suexec failure: could not open l"..., 40) = 40
[pid  9912] write(2, "fopen: Permission denied\n", 25) = 25
[pid  9912] exit_group(1)               = ?

最后大约 20 行是服务器抛出错误的地方:execve("php-fcgi-starter") 返回 ENOENT,随后 suexec 在已切换到 uid 500 之后再次打开 /var/log/httpd/suexec.log 时返回 EACCES,于是报出的是“could not open log file”,而不是 execve 本身的失败。

答案1

这看起来像是权限问题。具体来说,我相信 SUExec 要求 /var/www/html 目录与 /var/www/cgi-bin/php5/php-fcgi-starter 由同一用户拥有。

我会确保它们都由 uid: 500 和 gid: 500 拥有,或者您特定的系统/设置适合使用的任何用户。
