Hi all, Second post-installation question.
Just installed the Virtualmin module into my Webmin. First thing I want to do is disable BIND DNS and mail (for now). However ...
.. when I click save I get "Failed to save enabled features : Apache configuration file /etc/apache2/mods-enabled/php5.conf contains SetHandler lines that prevent PHP from running with domain owner permissions. These lines must be removed."
I'm trying to be security conscious here so would appreciate a little help on giving Virtualmin the minimum privileges it needs in order to do what it does. My current php5.conf has these FilesMatch entries
As far as I understand it, this directive channels requests for PHP files via to PHP engine.
SetHandler application/x-httpd-php
Not sure what this one is doing
SetHandler application/x-httpd-php-source
Deny access to raw php sources by default
To re-enable it's recommended to enable access to the files
only in specific virtual host or directory
Order Deny,Allow
Deny from all
Comment seems self-explanatory Deny access to files without filename (e.g. '.php')
Order Deny,Allow
Deny from all
Has anyone got two minutes to give me a steer on what these entries are currently doing and how I should give Virtualmin the necessary minimum privileges. Looks like my issue is with the second block, right?
Thanks Mark
Howdy,
You normally don't need either of those SetHandler lines.
They cause Apache to override any other settings, and to process incoming PHP requests using mod_php.
By default, Virtualmin comments out those lines during installation (note -- are you by chance using a non-standard PHP version? That's usually the cause for the error you're seeing, as a third-party PHP version can install it's own config overtop the Virtualmin-modified one)
When those are commented out, you would then be able to control how PHP is processed within your individual domains. By default, they will use FCGID, which is both speedy, and secure, as they are run with the rights of the Virtual Server owner.
But, you can also change it by going into Server Configuration -> Website Options, and there you can change the PHP Execution Mode.
-Eric
Hi, Thank you for the reply. I don't think there's anything particularly funky about my PHP installation. It was an out-of the box script on Digital Ocean. Top section of phpinfo() is like this:
PHP Version 5.5.9-1ubuntu4
System Linux web1.appliedweb.net 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64Build Date Apr 9 2014 17:08:00
Server API Apache 2.0 Handler
Virtual Directory Support disabled
Configuration File (php.ini) Path /etc/php5/apache2
Loaded Configuration File /etc/php5/apache2/php.ini
Scan this dir for additional .ini files /etc/php5/apache2/conf.d
Additional .ini files parsed /etc/php5/apache2/conf.d/05-opcache.ini, /etc/php5/apache2/conf.d/10-pdo.ini, /etc/php5/apache2/conf.d/20-gd.ini, /etc/php5/apache2/conf.d/20-json.ini, /etc/php5/apache2/conf.d/20-mysql.ini, /etc/php5/apache2/conf.d/20-mysqli.ini, /etc/php5/apache2/conf.d/20-pdo_mysql.ini, /etc/php5/apache2/conf.d/20-phalcon.ini, /etc/php5/apache2/conf.d/20-readline.ini
PHP API 20121113
PHP Extension 20121212
Zend Extension 220121212
Zend Extension Build API220121212,NTS
PHP Extension Build API20121212,NTS
Debug Build no
Thread Safety disabled
Zend Signal Handling disabled
Zend Memory Manager enabled
Zend Multibyte Support provided by mbstring
IPv6 Support enabled
DTrace Support enabled
Registered PHP Streams https, ftps, compress.zlib, compress.bzip2, php, file, glob, data, http, ftp, phar, zip
Registered Stream Socket Transports tcp, udp, unix, udg, ssl, sslv3, tls
Registered Stream Filters zlib.*, bzip2.*, convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk
I've been out of the PHP saddle for about five years and am returning from the ASP.NET wilderness, so my eye is not yet back in :(.
I'll try just commenting out those SetHandlers and see if that sorts it. .. and then do a security audit before we go live ..
Thanks again for your help. Much appreciated. Mark
Howdy,
Yup, that's the correct PHP version for Ubuntu 14.04.
When running the install.sh, those SetHandler lines are normally commented out. It's possible that didn't work for some reason though.
It's safe to comment out those lines though, the configuration within each individual VirtualHost block in Apache will handle the PHP processing for your domains.
-Eric