Comment 1 Benedikt Böhm (RETIRED) 2007-09-08 17:13:42 UTC

i've just added mod_backtrace to the tree, please sync, emerge apache-2.2.6 with USE="debug", emerge mod_backtrace and enable it via -DBACKTRACE in /etc/conf.d/apache2. You should get a backtrace in /var/log/apache2/backtrace_log

Fix:

In file src/apache2/mod_suphp.c:

AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"),

changing to:

AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"),

As requested, I ran 'emerge --sync', and since I run pretty much pure ~x86, it updated portage, apache to 2.2.6, PHP to 5.2.4, APR to 1.2.11 & apr-util to 1.2.10.  I also ran 'emerge -1 mod_suphp' to ensure it was compiled for the latest apache, et al.  For the record, I did set Apache's USE=debug flag.

When all was said and done, I went to install mod_backtrace, and this is what I got:

>>> Compiling source in /var/tmp/portage/www-apache/mod_backtrace-0.0.1/work/mod_backtrace-0.0.1 ...
/usr/bin/libtool --silent --mode=compile i686-pc-linux-gnu-gcc -prefer-pic -march=pentium3 -O2 -pipe -fomit-frame-pointer  -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread -I/usr/include/apache2  -I/usr/include/apr-1   -I/usr/include/apr-1 -I/usr/include/db4.6 -I/usr/include/mysql  -c -o mod_backtrace.lo mod_backtrace.c && touch mod_backtrace.slo
mod_backtrace.c:82: error: expected ')' before '*' token
mod_backtrace.c: In function 'bt_register_hooks':
mod_backtrace.c:159: error: 'bt_exception_hook' undeclared (first use in this function)
mod_backtrace.c:159: error: (Each undeclared identifier is reported only once
mod_backtrace.c:159: error: for each function it appears in.)
apxs:Error: Command failed with rc=65536
.
 * 
 * ERROR: www-apache/mod_backtrace-0.0.1 failed.
 * Call stack:
 *   ebuild.sh, line 1654:   Called dyn_compile
 *   ebuild.sh, line 990:   Called qa_call 'src_compile'
 *   ebuild.sh, line 44:   Called src_compile
 *   ebuild.sh, line 1334:   Called apache-module_src_compile
 *   apache-module.eclass, line 364:   Called apache2_src_compile
 *   apache-module.eclass, line 257:   Called die
 * 
 * /usr/sbin/apxs2 -c mod_backtrace.c failed
 * If you need support, post the topmost build error, and the call stack if relevant.
 * A complete build log is located at '/var/tmp/portage/www-apache/mod_backtrace-0.0.1/temp/build.log'.
 * 

I'm kind of wondering if I hosed my system somehow.  Odd though, I have ran 'emerge -NDua world' and 'revdep-rebuild' and nothing appears askew.  If you want me to post an updated 'emerge --info' let me know.

I'm hoping the last comment prior to this one helps where my crashed compile does not.

Comment 4 Benedikt Böhm (RETIRED) 2007-09-09 07:34:03 UTC

fixed in 0.6.2-r2


(In reply to comment #3)
> When all was said and done, I went to install mod_backtrace, and this is what I
> got:

You probably synced too early, i have added the exception hook option to 2.2.6 after it was first added to the tree

This doesn't seem to have been fixed :-\

I did manage to get mod_backtrace installed, and I set my /etc/conf.d/apache2 options to include '-D DEBUG -D BACKTRACE'.  Upon starting Apache, it hangs... as if it is not going into the background.  The error_log shows it starting up, a bit slowly, but starting...  Upon accessing a webpage, the startup script that is hanging, dies:

# /etc/init.d/apache2 start
 * Starting apache2 ...
/lib/rcscripts/sh/rc-daemon.sh: line 231: 32051 Segmentation fault      /sbin/start-stop-daemon '--start' '--exec' '/usr/sbin/apache2' '--' '-D' 'DEFAULT_VHOST' '-D' 'ERRORDOCS' '-D' 'INFO' '-D' 'LANGUAGE' '-D' 'DEBUG' '-D' 'BACKTRACE' '-D' 'SUEXEX' '-D' 'PERL' '-D' 'AUTH_MYSQL' '-D' 'LIMITIPCONN' '-D' 'SUPHP' '-d' '/usr/lib/apache2' '-f' '/etc/apache2/httpd.conf' '-k' 'start'           [ !! ]

Nothing else in error_log, and no backtrace.log file.

I removed '-D DEBUG' from /etc/conf.d/apache2  and left '-D BACKTRACE' in place.  Apache started up without any issues, and no errors.  Attempted to access a webpage, and I received the following in the error_log:

[Sun Sep 09 16:58:06 2007] [notice] child pid 32220 exit signal Segmentation fault (11)

The content of the 'backtrace_log' file contained the following:

[Sun Sep  9 16:58:05 2007] pid 32220 mod_backtrace backtrace for sig 11 (thread "pid" 32220)
[Sun Sep  9 16:58:05 2007] pid 32220 mod_backtrace main() is at 80660f0
/usr/lib/apache2/modules/mod_backtrace.so[0xb7799a43]
[0x70655320]
[Sun Sep  9 16:58:05 2007] pid 32220 mod_backtrace end of backtrace


Currently used programs:

app-admin/apache-tools-2.2.6
www-servers/apache-2.2.6
app-admin/php-toolkit-1.0-r2
dev-lang/php-5.2.4
www-apache/mod_suphp-0.6.2-r2
www-apache/mod_auth_mysql-3.0.0-r2
www-apache/mod_backtrace-0.0.1
www-apache/mod_limitipconn-0.22-r1
www-apache/mod_perl-2.0.3-r1
www-apache/mod_security-2.1.2
www-apache/mod_suphp-0.6.2-r2


Since I modified my system a small bit, here's an updated 'emerge --info':

Portage 2.1.3.9 (default-linux/x86/2007.0, gcc-4.2.0, glibc-2.6.1-r0, 2.6.22-gentoo-r5 i686)
=================================================================
System uname: 2.6.22-gentoo-r5 i686 Pentium III (Katmai)
Timestamp of tree: Sun, 09 Sep 2007 18:20:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p17-r1
dev-java/java-config: 1.3.7, 2.0.31-r7
dev-lang/python:     2.4.4-r4, 2.5.1-r2
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.10-r4
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18.50.0.1
sys-devel/gcc-config: 1.4.0-r2
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="x86 ~x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium3 -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=pentium3 -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps y "
FEATURES="ccache distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch userpriv"
GENTOO_MIRRORS="http://gentoo.mirrors.easynews.com/linux/gentoo/ http://mirror.espri.arizona.edu/gentoo/ ftp://gentoo.cites.uiuc.edu/pub/gentoo/ http://gentoo.cites.uiuc.edu/pub/gentoo/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"
USE="acl apache2 berkdb bitmap-fonts cli cracklib crypt cups dri fortran gdbm iconv imap ipv6 isdnlog libwww maildir mailwrapper midi mudflap mysql ncurses nls nptl nptlonly openmp pam pcre perl pppd python readline reflection sasl session snmp spl ssl tcpd threads truetype truetype-fonts type1-fonts unicode x86 xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

FYI, I tried to upgrade my production server (stable x86 with few ~x86 packages), thinking that my test box that has all packages set to the ~x86 mask, might be broken.  As I figured, suphp/apache stopped working as my test box.  

I received the same signal 11 errors, and also an error in trying to install mod_backtrace into Apache 2.2.4-r12.  I am guessing this might be due to you requesting Apache 2.2.6 be used, though, as a production server, I couldn't afford to have further downtime, and I am currently downgrading back to Apache 2.0.59.

Below is my production server's 'emerge --info':

Portage 2.1.2.12 (default-linux/x86/2007.0, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r2 i686)
=================================================================
System uname: 2.6.22-gentoo-r2 i686 AMD Athlon(tm) processor
Gentoo Base System release 1.12.9
Timestamp of tree: Sun, 09 Sep 2007 09:50:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p17
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=athlon -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps y "
FEATURES="ccache distlocks metadata-transfer sandbox sfperms strict userpriv"
GENTOO_MIRRORS="http://gentoo.mirrors.easynews.com/linux/gentoo/ http://mirror.espri.arizona.edu/gentoo/ ftp://gentoo.cites.uiuc.edu/pub/gentoo/ http://gentoo.cites.uiuc.edu/pub/gentoo/"
LANG="en_US"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="acl apache2 berkdb bitmap-fonts cli cracklib crypt cups dri fortran gdbm iconv imap ipv6 isdnlog libwww maildir mailwrapper midi mudflap mysql ncurses nls nptl nptlonly openmp pam pcre perl pppd python readline reflection sasl session snmp spl ssl tcpd threads truetype truetype-fonts type1-fonts unicode vhosts x86 xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

Hi,

I have the same issue,

[ebuild   R   ] dev-lang/php-5.2.4_pre200708051230-r2  USE="berkdb bzip2 cgi cli crypt ctype curl ftp gd gdbm hash iconv imap mhash mysql ncurses nls pcntl pcre readline reflection session sockets spl sqlite ssl suhosin unicode xml zip zlib -adabas -apache2 -bcmath -birdstep -calendar -cdb -cjk -concurrentmodphp -curlwrappers -db2 -dbase -dbmaker -debug -discard-path -doc -empress -empress-bcs -esoob -exif -fastbuild -fdftk -filter -firebird -flatfile -force-cgi-redirect -frontbase -gd-external -gmp -inifile -interbase -iodbc -ipv6 -java-external -json -kerberos -ldap -ldap-sasl -libedit -mcve -msql -mssql -mysqli -oci8 -oci8-instant-client -odbc -pdo -pdo-external -pic -posix -postgres -qdbm -recode -sapdb -sharedext -sharedmem -simplexml -snmp -soap -solid -spell -sybase -sybase-ct -sysvipc -threads -tidy -tokenizer -truetype -wddx -xmlreader -xmlrpc -xmlwriter -xpm -xsl -yaz -zip-external" 6,981 kB
[ebuild   R   ] www-apache/mod_suphp-0.6.2-r2  USE="mode-paranoid -checkpath -mode-force -mode-owner" 0 kB


I tried using mod_backtrace with apache 2.2.6 but it segfaults when trying to start apache.

same things here...
In the backtrace log file is see this:

/usr/lib/apache2/modules/mod_backtrace.so[0xb794bb26]
[Tue Sep 11 13:46:02 2007] pid 7750 mod_backtrace end of backtrace
[Tue Sep 11 13:46:02 2007] pid 7763 mod_backtrace backtrace for sig 11 (thread "pid" 7763)
[Tue Sep 11 13:46:02 2007] pid 7763 mod_backtrace main() is at 8061b88
/usr/lib/apache2/modules/mod_backtrace.so[0xb794bb26]
[Tue Sep 11 13:46:02 2007] pid 7763 mod_backtrace end of backtrace
[Tue Sep 11 13:46:03 2007] pid 7767 mod_backtrace backtrace for sig 11 (thread "pid" 7767)
[Tue Sep 11 13:46:03 2007] pid 7767 mod_backtrace main() is at 8061b88
/usr/lib/apache2/modules/mod_backtrace.so[0xb794bb26]
[Tue Sep 11 13:46:03 2007] pid 7767 mod_backtrace end of backtrace

If you want more infos as already in this bug report I can provide them.

Alexander,

Did you recompile apache with USE="debug" and enable -D DEBUG in /etc/conf.d/apache2?  Because I got the same output as you without doing those steps, and as far a debugging info goes it looks pretty meaningless =)  at least to me anyway.  When trying to run mod_backtrace with debugging compiled into apache and enabled, I got a segfault trying to start apache.. is that the same for you?

Mark

(In reply to comment #9)

Mark,
no I did not used the -D DEBUG option. With it my apache hangs while starting. But hollow has not said that it has to be enabled... Or have i overread that?

(In reply to comment #10)
> Mark,
> no I did not used the -D DEBUG option. With it my apache hangs while starting.
> But hollow has not said that it has to be enabled... Or have i overread that?
>

Without -D DEBUG it will not log any debug information.

Regards,

Mark

Comment 12 Benedikt Böhm (RETIRED) 2007-09-14 14:01:18 UTC

at least the default configuration does not include any DEBUG defines ... although this is the debian patch which was reported as working to me it still is broken, i'll have to setup a suphp setup first to investigate ..

Comment 13 Benedikt Böhm (RETIRED) 2007-09-15 10:37:46 UTC

i tried to setup mod_suphp, but it does neither segfault nor work after two hours of playing around ... so, if anyone has a fix, i will add it, but no time to play with this crap anymore now

I'd provide a fix if I could... but I'm not a coder.  I will retry enabling DEBUG with BACKTRACE and recompiling forever, to try and get a good backtrace log.  So far, Apache never fully starts up, and segfaults if I enable both *and* try to connect to a webpage before it fully starts up (it never states "Apache/2.2.6 configured -- resuming normal operations" or the like when trying to enable DEBUG & BACKTRACE).

Using SuPHP is fairly important to me, as it is a far better alternative than SuEXEC at providing security options with PHP, moreso than installing as a DSO module.  Just my own needs though.  I already have it running without any issues whatsoever on Slackware & CentOS, so it seems to be something with the way the Gentoo packaging :-\

Comment 15 Benedikt Böhm (RETIRED) 2007-09-15 17:59:26 UTC

have you considered to use the general (and IMO much saner) approach of mpm-itk or mpm-peruser for executing things under the right UID/GID?

I used to use SuEXEC, but then PHP scripts need to be chmod 755 to be used, and I dislike things being chmod 755 on a filesystem if they don't have to be executable.  Using SuEXEC, I'd also have to pull off tricks like:

echo ':PHP:E::php::/usr/local/bin/php:' > /proc/sys/fs/binfmt_misc/register
echo ':PHP3:E::php3::/usr/local/bin/php:' > /proc/sys/fs/binfmt_misc/register
echo ':PHP4:E::php4::/usr/local/bin/php:' > /proc/sys/fs/binfmt_misc/register

Secondly, while I have been criticized for using Gentoo on a production server, it has served my needs, very, VERY well, and for production servers, I don't want software that is still not widely tested.  SuPHP somewhat falls into this category, but has tested out perfectly in many environments, from CentOS (RHES) to Slackware.  mod_itk & mod_peruser both admit to not being fully tested/usable, and possibly not completely ready for stable environments.  Case in point, mod_peruser has experimental support fro SSL (http://www.telana.com/peruser.php), which I require to be stable and usable.  mod_itk's warnings & quirks (http://mpm-itk.sesse.net/) also set me slightly on edge.  

What I need, is something that executes PHP using the UID/GID of the owner of the script, and locks the user inside of their directory.  I don't want them to access /etc/passwd or anything outide of their home directory.  I'd like hosting customers to come to my system, and not have to learn to set PHP scripts to chmod 755 or require them to put everything in a php/ subdirectory or any weird stuff.  SuPHP is everything SuEXEC is, but better, and made for PHP.

mod_itk seems to run scripts as the user, but doesn't mention jailing the user within directories, or ensuring only chmod 640 scripts are parsed/executed... mod_peruser seems to say they do, but again, SSL support is experimental.

On another note, I did remove mod_suphp from my Gentoo systems, and installed it manually from source, without using emerge.  It installed and apache didn't complain, except I still received the segfault (11) error on Apache child processes.  This leads me to believe it is something in Gentoo's Apache build.  While I wish I could unmerge Apache and install from source, then emerge suPHP, it'd break everything that requires apache in my ebuilds.  I do know however, that Apache2.2 & suPHP work together... as I have it running fine on two systems, one CentOS5, and the other Slackware 12.0.

The frustrating part is, when I enable the debug module (via '-D DEBUG' in /etc/conf.d/apache2) and run "/etc/init.d/apache2 start" it never fully starts, just hangs.  Connecting to a webpage, then crashes it:

# /etc/init.d/apache2 start
 * Starting apache2 ...
/lib/rcscripts/sh/rc-daemon.sh: line 231: 27823 Segmentation fault      /sbin/start-stop-daemon '--start' '--exec' '/usr/sbin/apache2' '--' '-D' 'DEFAULT_VHOST' '-D' 'ERRORDOCS' '-D' 'INFO' '-D' 'LANGUAGE' '-D' 'DEBUG' '-D' 'SUPHP' '-d' '/usr/lib/apache2' '-f' '/etc/apache2/httpd.conf' '-k' 'start'

Thanks for your continued testing... if I can help in any way whatsoever to further diagnose and troubleshoot these issues, let me know.

I can confirm that Apache 2.2.3/SuPHP works on the latest debian-testing, so yeah it must be the Gentoo Apach ebuild.

I have tried to use mpm-peruser but for some reason the latest php ebuild on gentoo doesn't seem to emerge properly with USE="apache2".  I emerged'd it, it compiles and then gets to the point where the source is built and just starts recompiling again!  Very odd.

Really wish this bug could be fixed soon, but i can't complain as I'm not doing much to help :P

Comment 18 Benedikt Böhm (RETIRED) 2007-09-18 05:43:34 UTC

i'm still not sure what -D DEBUG does for you, because it does not exist in our configuration:

apache22t / # grep DEBUG -r /etc/apache2/
apache22t / # 

Comment 19 Benedikt Böhm (RETIRED) 2007-09-18 05:47:49 UTC

and regarding suphp: i don't get segfaults, but i seem to be too dumb to set it up, the suphp_log says 'Executing "/var/www/localhost/htdocs/info.php" as UID 81, GID 81' but i get a "500 Internal Server" error back with nothing in the logs. the strange thing is: if i try to strace apache with suphp, i get "SecurityException in Application.cpp:168: Do not have root privileges. Executable not set-uid root?" in the logs, but suphp is setuid root. so either i'm too dumb, or i hit another problem ...

Benedikt,

(In reply to comment #19)
> and regarding suphp: i don't get segfaults, but i seem to be too dumb to set it
> up, the suphp_log says 'Executing "/var/www/localhost/htdocs/info.php" as UID
> 81, GID 81' but i get a "500 Internal Server" error back with nothing in the
> logs. the strange thing is: if i try to strace apache with suphp, i get
> "SecurityException in Application.cpp:168: Do not have root privileges.
> Executable not set-uid root?" in the logs, but suphp is setuid root. so either
> i'm too dumb, or i hit another problem ...
> 

That sounds like its configured wrong.  81 is the uid and gid of the Apache user, SuPHP is meant to execute PHP scripts as other users.  I think the user has to be above uid 1000 too.  Try creating a new user and group, and specify them in the apache <VirtualHost> block:

suPHP_UserGroup <username> <groupname>

Also check that all the code in the htdocs directory for that website is chown'd to that user and group, and ensure you have -D SUPHP set in /etc/conf.d/apache2 and that -D PHP5 is _NOT_ set as this will activate the DSO module and break suphp.  Also check that the path to the php5-cgi binary is correct in /etc/suphp.conf.

If you still have problems please post your /etc/suphp.conf

& btw -D DEBUG won't exist in your apache config unless you compile apache with USE="debug"

Regards,

Mark

Comment 21 Benedikt Böhm (RETIRED) 2007-09-18 09:12:17 UTC

(In reply to comment #20)
> Also check that the path to the php5-cgi binary is
> correct in /etc/suphp.conf.

I feel so dumb. Of course i need USE=cgi for php!

So ... it works pretty well here, no segfaults, right UID etc ... *shrug*

Did you recompile all modules after upgrading to 2.2? To find all your module packages use sth like "qfile -qC /usr/lib/apache2/modules/*.so|sort -u"

> & btw -D DEBUG won't exist in your apache config unless you compile apache with
> USE="debug"

not with our default config... we just enable maintainer-mode in ./configure with USE=debug, there are no configuration changes we make

> Did you recompile all modules after upgrading to 2.2? To find all your module
> packages use sth like "qfile -qC /usr/lib/apache2/modules/*.so|sort -u"

I don't have the 'qfile' command, and google wasn't very helpful.  What package is this in?

I am setting up a test system in vmware to see if I can get this working with a fresh install of apache/php etc.

Will post back here with results.

Mark

(In reply to comment #21)
> Did you recompile all modules after upgrading to 2.2? To find all your module
> packages use sth like "qfile -qC /usr/lib/apache2/modules/*.so|sort -u"

# qfile -qC /usr/lib/apache2/modules/*.so|sort -u
www-apache/mod_cband
www-apache/mod_suphp
www-servers/apache

The only module not recompiled was mod_cband but this was never enabled anyway.  I think there is something else at fault here..  im still setting up my test system, if that still segfaults maybe I can give you access to it Benedikt, if you're willing to have a look?  It's vmware so won't contain any critical data.

Mark

Comment 24 Benedikt Böhm (RETIRED) 2007-09-18 09:45:32 UTC

yeah, we can debug that, but since debugging apache is rather hard i'd suggest you stop by in irc.freenode.net #gentoo-apache and we can go through it ... currently at railsconf, will be availabe at about 6pm CEST ..

(In reply to comment #24)
> yeah, we can debug that, but since debugging apache is rather hard i'd suggest
> you stop by in irc.freenode.net #gentoo-apache and we can go through it ...
> currently at railsconf, will be availabe at about 6pm CEST ..

I think that's about 5pm BST which is when I finish work and start my 2-hour journey home :/  Are you around after 7pm BST?  (i think this would be 8pm CEST but not sure).

Failing that I can just email you with ssh details for my vmware test environment.. with a brand new installation of apache/suphp it is still segfaulting.

Mark

I have recompiled everything I could find that was apache related, including APR & APR-util.

In regards to your suphp config, it should use the UID/GID of the owner of the file you're trying to run, and it must be above the min UID/GID specified in suphp's config file.  Which is one thing Gentoo doesn't seem to do, is setup a default config for suphp in /etc/. If you want to try seeing what I'm getting, try these config/use flags that I have setup for Apache, PHP & suPHP:

=dev-lang/php-5* cli cgi discard-path force-cgi-redirect bcmath berkdb bzip2 calendar cjk crypt ctype curl exif filter flatfile ftp gd gdbm gmp hash iconv imap inifile ipv6 mhash mysql mysqli ncurses nls pcntl pcre pdo readline reflection session sharedext sharedmem simplexml snmp sockets spell spl sqlite ssl suhosin -sysvipc tidy tokenizer truetype unicode wddx xml xmlreader xmlwriter xsl zip zlib -concurrentmodphp -threads -fastbuild -apache -apache2 -adabas -birdstep -cdb -curlwrappers -db2 -dbase -dbmaker -debug -doc -empress -empress-bcs -esoob -frontbase -fdftk -firebird -gd-external -interbase -iodbc -java-external -json -kerberos -ldap -ldap-sasl -libedit -mcve -msql -mssql -oci8 -oci8-instant-client -odbc -pdo-external -postgres -qdbm -recode -sapdb -soap -solid -sybase -sybase-ct -xmlrpc -xpm -yaz -zip-external

www-apache/mod_suphp checkpath mode-owner -mode-force -mode-paranoid

=www-servers/apache-2* mpm-prefork ssl -threads -mpm-worker -mpm-itk -mpm-peruser -mpm-event -selinux debug -doc -ldap -no-suexec


/etc/conf.d/apache2 options:

APACHE2_OPTS="-D DEFAULT_VHOST -D ERRORDOCS -D INFO -D LANGUAGE -D SUEXEC -D PERL -D AUTH_MYSQL -D LIMITIPCONN -D SUPHP"


For suPHP, you need a config file, and the following is what I have in /etc/suphp.conf:

[global]
;Path to logfile
logfile=/var/log/apache2/suphp_log

;Loglevel
loglevel=info

;User Apache is running as
webserver_user=apache

;Path to chroot() to before executing script
;chroot=/mychroot

;Path all scripts have to be in
docroot=/usr2

; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false

;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=true

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
umask=0077

; Minimum UID
min_uid=1000

; Minimum GID
min_gid=100

[handlers]
;Handler for php-scripts
x-httpd-php=php:/usr/lib/php5/bin/php-cgi
x-httpd-php3=php:/usr/lib/php5/bin/php-cgi
x-httpd-php4=php:/usr/lib/php5/bin/php-cgi
x-httpd-php5=php:/usr/lib/php5/bin/php-cgi
x-httpd-phtml=php:/usr/lib/php5/bin/php-cgi

;Handler for CGI-scripts
x-suphp-cgi=execute:!self


and finally, /etc/apache2/modules.d/70_mod_suphp.conf:

<IfDefine SUPHP>
        <IfModule !mod_suphp.c>
                LoadModule suphp_module modules/mod_suphp.so
        </IfModule>

        <IfModule mod_mime.c>
                AddType application/x-httpd-php   .php
                AddType application/x-httpd-php5  .php5
                AddType application/x-httpd-php4  .php4
                AddType application/x-httpd-phtml .phtml
                AddType application/x-suphp-cgi   .cgi .pl
        </IfModule>

        AddHandler x-httpd-php   .php
        AddHandler x-httpd-php5  .php5
        AddHandler x-httpd-php4  .php4
        AddHandler x-httpd-phtml .phtml
        AddHandler x-suphp-cgi   .cgi .pl

        suPHP_Engine on

        <Location />
                SuPHP_AddHandler x-httpd-php
                SuPHP_AddHandler x-httpd-php5
                SuPHP_AddHandler x-httpd-php4
                SuPHP_AddHandler x-httpd-phtml
                SuPHP_AddHandler x-suphp-cgi
        </Location>

        # if you're using owner mode comment the following line
        #SuPHP_UserGroup apache apache

        AddDirectoryIndex index.php index.php5 index.php4 index.php3 index.phtml
</IfDefine>


As I've stated, I've tried this on two different Gentoo machines... one running pretty much all stable (non ~x86 mask) releases, and the other a goodly sum are ~x86/non-stable packages.  They're also completely different hardware.  However, I do use the same flags for both in /etc/portage/package.use & /etc/make.conf USE="..."

Hope that helps...

I just found a working solution in the suphp mailinglist:
http://article.gmane.org/gmane.comp.php.suphp.general/223

I did what was said in the post (changed --with-apr=/usr  to  --with-apr=/usr/bin/apr-1-config in the ebuild), and till now I did not recieved any segfault. Perhaps anyone else has also luck with this.

Work for me :)  nice one!

Yes, Alexander seems to have found the solution.

apache-2.0.* requires apr-0*, but apache-2.2.* requires apr-1*. Since they're both installed in parallel, and since apr-0* seems to be only required by mod_auth_nufw, which I don't use, I solved this problem by unmerging apr-0* and apr-util-0* and then reemerging apache, php and suphp. I don't know if it's necessary to reemerge all of them, but I did it anyway, and after that it worked fine.

Well I'll be ... !!  Thank you folks!

I too, unmerged apr-0* & apr-util-0*, re-emerged apache, php & mod_suphp, and it works!  I feel like a dolt for not trying, though the last time I tried removing apr-0*, it was required by something else and a new 'emerge -NDua world' or 'revdep-rebuild' ended up re-emerging that package.

Comment 31 Benedikt Böhm (RETIRED) 2007-09-20 06:31:09 UTC

do not resolve bugs if they're not fixed

Comment 32 Benedikt Böhm (RETIRED) 2007-09-20 06:35:17 UTC

0.6.2-r3 now in cvs

This breaks mod_suphp with 2.0.61 - segfaults on almost every access.

Comment 34 Benedikt Böhm (RETIRED) 2007-09-21 21:44:25 UTC

ok, will look at it tomorrow .. 

What's the status of this one? I also have problems with the default ebuild of mod_suphp-0.6.2-r3 under apache-2.0.59-r5. 

However, if I change 

			--with-apr=/usr/bin/$(apr_config)"

to

			--with-apr=/usr/bin/"

it seemed to work fine. I would just move up to apache-2.2.6, but I have to sort out that configuration on our test server before I load it onto our production server.

Do you have two versions of APR installed?  "equery l apr" should tell you if you have gentoolkit installed.  Apache-2.0 utilizes APR-0*, and Apache-2.2 utilizes APR-1*.  If you have both installed it will not work, and you will get segfaults.

(In reply to comment #36)
> Do you have two versions of APR installed?  "equery l apr" should tell you if
> you have gentoolkit installed.  Apache-2.0 utilizes APR-0*, and Apache-2.2
> utilizes APR-1*.  If you have both installed it will not work, and you will get
> segfaults.
> 

# equery l apr
[ Searching for package 'apr' in all categories among: ]
 * installed packages
[I--] [  ] dev-libs/apr-0.9.12 (0)
[I--] [  ] dev-libs/apr-1.2.8 (1)
[I--] [  ] dev-libs/apr-util-0.9.12-r1 (0)
[I--] [  ] dev-libs/apr-util-1.2.8 (1)
[I--] [  ] x11-proto/xf86dgaproto-2.0.2 (0)
[I--] [  ] x11-proto/xineramaproto-1.1.2 (0)

So I do have both installed however I also get this:
# equery depends '=dev-libs/apr-1.2.8'
[ Searching for packages depending on =dev-libs/apr-1.2.8... ]
dev-libs/apr-util-1.2.8 (~dev-libs/apr-1.2.8)
# equery depends '=dev-libs/apr-util-1.2.8'
[ Searching for packages depending on =dev-libs/apr-util-1.2.8... ]
dev-util/subversion-1.3.2-r4 (>=dev-libs/apr-util-1.2.8)

Unfortuneately, it would seem that *both* versions are dependancies for seperate installed ebuilds. Given this, the ebuild for mod_suphp would be better off checking on the installed version of apache and set the config value based on *that* rather then using the "apr_config" variable to get basically what the latest version is on the system which, like in this case, may not be the only one that is used.

Comment 38 Benedikt Böhm (RETIRED) 2008-01-27 20:59:32 UTC

apr-0 is now masked, i fixed mod_suphp to depend on apache-2.2 and use apr-1 only.