httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jonas Meurer <>
Subject [users@httpd] mod_suexec with mod_userdir and fcgid (webapps in subdirs with separated user context)
Date Sun, 15 Apr 2018 10:26:55 GMT
Hello list,

I try to make web applications available in subfolders of one
VirtualHost, but each one in an isolated user context. All web apps are
PHP applications and I use mod_fcgid to run them.

Unfortunately, SuexecUserGroup is not not allowed in Directory context,
which would be by far the simples solution.

So to achieve my goal, I tried (and failed with) two different approaches:

1. Using mod_userdir together with mod_suexec
2. ProxyPass to separate localhost vhosts for each app

Since the first approach seems much cleaner and more straight forward to
me, I'd prefer that one.

Maybe you have other suggestions on how to achieve my goal?


Now to the problem I ran into with my first approach:

I have UserDir enabled for system user 'webapp1' and the UserDir path
set to '/var/www/*/www' (see the VirtualHost config below). This works
as expected, I can access static content from within the UserDir.

Additionally, I have fcgid configured for the UserDir and apparently the
php scripts are executed using suexec and php-cgi7.0. A suexec process
is spawned by user 'webapp1' when requesting a php file, but it
immediately turns into 'suexec <defunct>' (a zombie process).

In the apache2 error log shows:

uid: (1002/webapp1) gid: (1002/webapp1) cmd: php-fcgi-starter
cannot get docroot information (/var/www/webapp1)

And the apache2 suexec log:

[fcgid:warn] [pid 30884:tid 140484201527040] (104)Connection reset by
peer: [client] mod_fcgid: error reading data from
FastCGI server
[core:error] [pid 30884:tid 140484201527040] [client]
End of script output before headers: index.php

I double checked that all files under /var/www/webapp1 belong to
user+group 'webapp1' and that they're accessible. I even recursively set
world-readable permissions on the directory, which didn't change anything.

Do you have a good idea on why running php-cgi7.0 through fcgi with
suexec and userdir results in this suexec error 'cannot get docroot

Any hints and suggestions would be highly appreciated :)

The VirtualHost config (my current take) is as follows:

<VirtualHost *:443>
    Userdir disabled
    Userdir enabled webapp1
    UserDir /var/www/*/www

    <IfModule fcgid_module>
        <Directory /var/www/webapp1/www>
            AddHandler fcgid-script .php
            FCGIWrapper /var/www/webapp1/php-fcgi/php-fcgi-starter .php
            Options +ExecCGI

        IPCConnectTimeout 20
        IPCCommTimeout 60
        FcgidBusyTimeout 60
        MaxRequestLen 10485760

Looking forward to your responses.

Kind regards,

View raw message