Channel: CageFS – CloudLinux KnowledgeBase

How do I enable LVE and PHP-Selector in LiteSpeed?


In the LiteSpeed admin interface, do the following:

Configuration -> Server -> Edit -> “Enable LVE” = “Yes” -> Save
If you are using CageFS, choose cagefs there.
To enable PHP-Selector with LiteSpeed, you have to adjust more settings in the Admin Console:
  1. CloudLinux (Admin Console –> Configuration –> Server –> General): CageFS;
  2. Enable SuExec: Server-> General -> PHP SuEXEC -> Yes;
  3. LSPHP5 external app runs in SUEXEC non-daemon mode ONLY (Run On Start Up –> Yes or No);
  4. In LSPHP5 external app (Admin Console –> Configuration –> Server –> External App –> lsphp5)

 

Change

command => $SERVER_ROOT/fcgi-bin/lsphp5

To

command => /usr/local/bin/lsphp

See screenshot below:

litespeed-admin-php-selector

* In order to use PHP Selector and custom php.ini, lsphp5 needs to be in SuEXEC non-daemon mode.

** Some PHP configurations require more memory for SuEXEC to work properly. If you get error 500 after switching suEXEC to non-daemon mode, try increasing Memory Soft Limit and Memory Hard Limit for the external app (Admin Console –> Configuration –> Server –> External App –> lsphp5) to at least 650/800M.


How do I move /usr/share/cagefs-skeleton to another place because of low disk space?


NOTE:
If you are placing skeleton in /home directory on cPanel servers, you must configure the following option in cPanel WHM:
WHM -> Server Configuration -> Basic cPanel/WHM Setup -> Basic Config -> Additional home directories
Change the value to blank  (not default “home”).
Without changing this option, cPanel will create new accounts in incorrect places.

cagefsctl --disable-cagefs
cagefsctl --unmount-all

Verify that the following command gives empty output:

cat /proc/mounts | grep cagefs-skeleton

Verify that the directory cagefs-skeleton.bak does not exist (if it does exist – change name “cagefs-skeleton.bak” to something else):

ls -d /usr/share/cagefs-skeleton.bak

mv /usr/share/cagefs-skeleton /usr/share/cagefs-skeleton.bak

mkdir -m 0755 /home/cagefs-skeleton
ln -s /home/cagefs-skeleton /usr/share/cagefs-skeleton
cagefsctl --init
cagefsctl --enable-cagefs
cagefsctl --remount-all

Verify that the following command gives empty output:

cat /proc/mounts | grep cagefs-skeleton.bak

Now you can safely remove cagefs-skeleton.bak directory:

rm -rf /usr/share/cagefs-skeleton.bak

 

How do I move user’s home folder to another location if I have cagefs installed?


You can move home directories of the users in the following way:

cagefsctl --disable username1 username2
cagefsctl --unmount username1 username2

 

Move the home directories to the new location, edit /etc/passwd to reflect the new path, then enable CageFS:

cagefsctl --update-etc username1 username2
cagefsctl --enable username1 username2

 

How do I uninstall CloudLinux or its features

How do I configure Apache to have Python script run in CageFS?


If you want to run Python scripts in CageFS and have them fully secure, you will have to use suexec with CGI or suexec with FastCGI.

Sharing more directories with single user account over CageFS


CageFS has a mechanism to make any additional location with users' content available from inside. This is quite a useful way to share needed backup directories with users if you are giving them ftp/ssh access. You can also use this feature to provide access to /homeabc/username when /home/username is a symlink to it.

To enable this feature the following line should be added to /etc/cagefs/cagefs.mp file:

%/homeabc

Then remount all with:

cagefsctl --remount-all

 

After that, a user can see both his /home/username and /homeabc/username from inside CageFS. Other directories in /homeabc as well as in /home will still be hidden from him.

Configuring CloudLinux software and PHP Handlers on a server without control panel


Our Helpdesk regularly receives requests about problems with CageFS, PHP Selector, the Apache server and so on, so this article describes how to configure these components using the suPHP and FastCGI handlers on systems without a control panel.

 

This is a practical guide to setting up FastCGI and suPHP together with CageFS + PHP Selector on a server with no panel installed.

 

It is assumed that the system has already been converted and booted with the CloudLinux kernel. Since PHP Selector installation requires CageFS and LVE Manager to be installed on the system, let’s start with the CageFS installation:

 

CageFS is a virtual file system that includes a set of tools for each user, located in an isolated environment (cell). Each account has its own fully functional CageFS, with all the necessary system files and tools, as if it were working in a real system.

 

To install CageFS run the command:

yum install cagefs

LVE Manager is a plugin for most control panels. It is designed to set limits for users and packages, and to control how PHP Selector works. It must be installed to enable control of PHP Selector functions via the server console.

 

To install LVE Manager run the command:

yum install lvemanager

CageFS setup

 

To create CageFS file system run the command:

cagefsctl --init

 

CageFS provides two modes of operation:

  1. Enable all, except disabled.
  2. Disable all, except enabled.

 

Select “Enable All” mode, then all current and new users will be added automatically to CageFS:

cagefsctl --enable-all

 

Add the user that the VirtualHost will be configured for (if it does not already exist in the system):

adduser [username]

 

Install native PHP:

yum install php

 

Install PHP Selector:

yum groupinstall alt-php

 

Open configuration file httpd.conf and make the following changes:

nano /etc/httpd/conf/httpd.conf

 

At the end of the configuration file, add a block for the needed website, and before this block add another one that will handle requests to all mistyped and non-existent addresses:

 

<VirtualHost *:80>
ServerName default
DocumentRoot /var/www/html
</VirtualHost>


<VirtualHost *:80>
ServerAdmin cl-srv@test.org
DocumentRoot "/home/stat/public_html"
ServerName stat.local
ServerAlias www.stat.local
ErrorLog "/home/stat/public_html/logs/error.log"
CustomLog "/home/stat/public_html/logs/access.log" common
ScriptAlias /cgi-bin/ "/home/stat/public_html/cgi-bin/"
SuexecUserGroup stat stat

<Directory "/home/stat/public_html/">
Options -Indexes FollowSymLinks +ExecCGI
AllowOverride AuthConfig FileInfo
AddHandler php5-fastcgi .php
Action php5-fastcgi /cgi-bin/php.fcgi
Order allow,deny
Allow from all
</Directory>

<Directory "/home/stat/public_html/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>

</VirtualHost>

 

NOTE! You must uncomment the NameVirtualHost *:80 option, otherwise only the first website in the list will work:

NameVirtualHost *:80

 

Create a directory for our website, with a cgi-bin subdirectory, in the user’s home directory:

mkdir -p /home/stat/public_html/cgi-bin

mkdir /home/stat/public_html/logs/

 

 

Create phpinfo.php file to check your web-site settings:

nano /home/stat/public_html/phpinfo.php

<?php phpinfo(); ?>

 

Create the php.fcgi file in the cgi-bin folder:

cd /home/stat/public_html

nano cgi-bin/php.fcgi

 

With content:

#!/bin/bash
PHP_CGI=/usr/bin/php-cgi
PHP_FCGI_CHILDREN=4
PHP_FCGI_MAX_REQUESTS=1000
export PHP_FCGI_CHILDREN
export PHP_FCGI_MAX_REQUESTS
exec $PHP_CGI

 

Give executable access:

chmod +x cgi-bin/php.fcgi

Assign ownership of the directory to user stat:

chown -R stat:stat ../public_html/

Do not forget to add the rule to iptables for port 80:

nano /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

 

service iptables restart

 

If you have the following error in Apache log:

# tail -f /home/stat/public_html/logs/error.log

(13) Permission denied: access to / denied

(13) Permission denied: access to /favicon.ico denied

 

Then, open configuration file /etc/httpd/conf/httpd.conf and change AllowOverride option value from None to All:

<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>

Then restart httpd:

service httpd restart

 

If you see the following error in log file:

# tail -f /home/stat/public_html/logs/error.log

(13)Permission denied: /home/stat/.htaccess pcfg_openfile: unable to check htaccess file,

(13)Permission denied: /home/stat/.htaccess pcfg_openfile: unable to check htaccess file,

 

Give access to user directory (700 by default)

chmod 711 /home/stat/

 

If you see Internal Server Error on phpinfo page and you see the following errors in the log file:

Premature end of script headers: php.fcgi

suexec policy violation: see suexec log for more details

Premature end of script headers: php.fcgi

 

This problem stems from the fact that suexec refers to the directory /var/www by default:

suexec -V

-D AP_DOC_ROOT="/var/www"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/httpd/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX="public_html"
-D AP_SAFE_DIRECTORY="/usr/local/safe-bin"

 

Since we locate users’ sites in /home, we need to rebuild suexec.
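
The mismatch described above can be checked before and after the rebuild by comparing the compiled-in suexec limits with the vhost. This is an added example, not CloudLinux code; the function names are hypothetical and the sample text is constructed from the `suexec -V` output shown above.

```shell
#!/bin/sh
# Added example: compare compiled-in suexec limits with a vhost's settings.

# Constructed sample: the `suexec -V` output shown above.
sample_suexec_v() {
    cat <<'EOF'
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"
EOF
}

# suexec_setting NAME: read `suexec -V` text on stdin, print the value of NAME.
suexec_setting() {
    sed -n "s/^[[:space:]]*-D $1=//p" | tr -d '"' | head -n 1
}

# suexec_check SCRIPT_DIR UID GID: read `suexec -V` text on stdin and print one
# line per limit the target would violate. Returns 0 when nothing is violated.
suexec_check() {
    sc_dir=$1; sc_uid=$2; sc_gid=$3
    sc_conf=$(cat)
    sc_root=$(printf '%s\n' "$sc_conf" | suexec_setting AP_DOC_ROOT)
    sc_umin=$(printf '%s\n' "$sc_conf" | suexec_setting AP_UID_MIN)
    sc_gmin=$(printf '%s\n' "$sc_conf" | suexec_setting AP_GID_MIN)
    sc_bad=0
    # The script directory must sit at or below AP_DOC_ROOT; comparing with a
    # trailing slash keeps /homeabc from passing as a child of /home.
    case "$sc_dir/" in
        "${sc_root%/}"/*) ;;
        *) echo "script dir $sc_dir is outside AP_DOC_ROOT $sc_root"; sc_bad=1 ;;
    esac
    if [ "$sc_uid" -lt "${sc_umin:-0}" ]; then
        echo "uid $sc_uid is below AP_UID_MIN $sc_umin"; sc_bad=1
    fi
    if [ "$sc_gid" -lt "${sc_gmin:-0}" ]; then
        echo "gid $sc_gid is below AP_GID_MIN $sc_gmin"; sc_bad=1
    fi
    return "$sc_bad"
}

# With the stock build, the stat vhost from this article fails the docroot test.
sample_suexec_v | suexec_check /home/stat/public_html/cgi-bin 500 500 || true
# On a live host:
#   suexec -V 2>&1 | suexec_check /home/stat/public_html/cgi-bin "$(id -u stat)" "$(id -g stat)"
```
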

Perform the following steps:

Download rpm package:

cd /tmp/
wget http://repo.cloudlinux.com/cloudlinux/6 ... ux.src.rpm

 

Install additional programs which we will need to build the package:

yum install rpm-build -y
yum install redhat-rpm-config -y
yum install gcc libselinux-devel apr-devel apr-util-devel pcre-devel openssl-devel -y

 

Install Suexec:

mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo '%_topdir /root/rpmbuild' > ~/.rpmmacros
rpm -ivh httpd-2.2.15-29.el6_4.cloudlinux.src.rpm
cd ~/rpmbuild/SPECS/
rpmbuild -ba httpd.spec
cd ../BUILD/httpd-2.2.15/
./configure --with-pcre=/usr/bin/pcre-config --enable-suexec --with-suexec --with-suexec-caller=apache --with-suexec-docroot=/home --with-suexec-logfile=/var/log/httpd/suexec.log --with-suexec-bin=/usr/sbin/suexec --with-suexec-uidmin=500 --with-suexec-gidmin=500 --enable-pie --with-pcre-with-pcre

make
cp ./support/suexec /usr/sbin/suexec
chown root:apache /usr/sbin/suexec
chmod 4510 /usr/sbin/suexec
service httpd restart

 

 

Method 2 (package rebuild from tar.gz archive).

yum install gcc libselinux-devel apr-devel apr-util-devel pcre-devel openssl-devel -y
cd ~
wget https://archive.apache.org/dist/httpd/httpd-2.4.6.tar.gz
tar -zxvf httpd-2.4.6.tar.gz
cd httpd-2.4.6/
find . -name suexec.h
nano ./support/suexec.h

 

Change value for parameter:

#define AP_DOC_ROOT DEFAULT_EXP_HTDOCSDIR -->> #define AP_DOC_ROOT "/home"

#define AP_HTTPD_USER "www" -->> #define AP_HTTPD_USER "apache"

#define AP_UID_MIN 100 -->> #define AP_UID_MIN 500

#define AP_LOG_EXEC DEFAULT_EXP_LOGFILEDIR "/suexec_log" /* Need me? */ -->> #define AP_LOG_EXEC "/var/log/httpd/suexec.log" /* Need me? */

 

./configure
make suexec
cp ./support/suexec /usr/sbin/suexec
chown root:apache /usr/sbin/suexec
chmod 4510 /usr/sbin/suexec
service httpd restart

 

Finally, we can check phpinfo page to make sure everything is configured fine:

http://stat.local/phpinfo.php

 

To change PHP version from console, use the command:

cl-selector --select=php --version=5.3 --user=stat

 

Installation and setup of a server using suPHP

 

To switch on suPHP, you should install mod_suphp package on the server from CloudLinux repository, as it already contains all the necessary patches:

yum install mod_suphp

After installation, check that the /etc/suphp.conf file contains the lines shown below.

If anything differs, change it to match; all other settings remain unchanged:

 

[global]
logfile=/var/log/httpd/suphp_log
loglevel=info
webserver_user=apache
docroot=/
env_path=/bin:/usr/bin
umask=0077
min_uid=500
min_gid=500

; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false

;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=false

[handlers]
;Handler for php-scripts
x-httpd-php="php:/usr/bin/php-cgi"

;Handler for CGI-scripts
x-suphp-cgi="execute:!self"

 

Open the file /etc/httpd/conf.d/suphp.conf and comment out all the lines in it except:

LoadModule suphp_module modules/mod_suphp.so

Open the file /etc/httpd/conf/httpd.conf and change the VirtualHost to the following form:

 

<VirtualHost *:80>
ServerAdmin cl-srv@test.org
DocumentRoot "/home/stat/public_html"
ServerName stat.local
ServerAlias www.stat.local
ErrorLog "/home/stat/public_html/logs/error.log"
CustomLog "/home/stat/public_html/logs/access.log" common
suPHP_Engine on
suPHP_UserGroup username group
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php
</VirtualHost>

 

After that save the settings and restart Apache:

service httpd restart

The installation is finished.

 

To check suPHP use the following script:

# nano w.php

 

<?php

echo "Output of the 'whoami' command:<br /><br />";
echo exec('/usr/bin/whoami');

?>

 

At the end, update the CageFS skeleton:

cagefsctl --force-update

If you get a 500 Internal Server Error when requesting a PHP page and you see the following error in the site log:

Premature end of script headers: w.php

Then check the permissions: directories should be 755 and files should be 644.

Make sure you are in the user’s folder and run the following commands:

find . -type d -exec chmod 0755 {} +
find . -type f -exec chmod 0644 {} +

 

 

Patching Apache with suexec not from CLN repository

 

yum remove httpd -y
cd /tmp
wget http://vault.centos.org/6.5/updates/Sou ... os.src.rpm
wget http://repo.cloudlinux.com/cloudlinux/s ... hes.tar.gz
tar -xzvf cl-apache-patches.tar.gz
mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo '%_topdir /root/rpmbuild' > ~/.rpmmacros
rpm -ivh httpd-2.2.15-31.el6.centos.src.rpm
cd ~/rpmbuild/SPECS/
rpmbuild -ba httpd.spec
cd ../BUILD/httpd-2.2.15/
cp /tmp/suexec.patch ./
patch -p1 < suexec.patch
autoconf
./configure --with-pcre=/usr/bin/pcre-config --enable-suexec --with-suexec --with-suexec-caller=apache --with-suexec-docroot=/home --with-suexec-logfile=/var/log/httpd/suexec.log --with-suexec-bin=/usr/sbin/suexec --with-suexec-uidmin=500 --with-suexec-gidmin=500 --enable-pie --with-pcre-with-pcre
make
cp ./support/suexec /usr/sbin/suexec
chown root:apache /usr/sbin/suexec
chmod 4510 /usr/sbin/suexec

 

 

 

Integrating LDAP users with CageFS


When LDAP is used to store user data, additional configuration is required for it to work properly with CageFS. By default, CageFS does not see LDAP users, like this:

# id adam
uid=16859(adam) gid=100(users) groups=100(users)
# cagefsctl --enable adam
Error: user adam does not exist

The problem is that, with LDAP, the pwd.getpwall() function doesn’t work by default:

# python -c 'import pwd; print pwd.getpwall()' | grep adam
#
# python -c 'import pwd; print pwd.getpwnam("adam")'
pwd.struct_passwd(pw_name='adam', pw_passwd='*', pw_uid=16859, pw_gid=100, pw_gecos='adam', pw_dir='/home/adam', pw_shell='/bin/bash')

To fix it, you should set enumerate=true in the sssd.conf file:

enumerate (bool)
Determines if the domain can be enumerated. This parameter can have one of the following values:
TRUE = Users and groups are enumerated
FALSE = No enumerations for this domain
Default: FALSE
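
The same by-name versus enumeration gap can be checked from the shell, before and after changing the setting. This is an added example, not part of the original article; `enum_gap` and `fake_getent` are hypothetical names, and `fake_getent` is a constructed stand-in that mimics the adam account shown above so the example runs without an LDAP server.

```shell
#!/bin/sh
# Added example: find accounts that resolve by name but are missing from
# enumeration, the condition behind "Error: user adam does not exist".

# Constructed stand-in for `getent` on the LDAP host described above:
# adam resolves by name (like pwd.getpwnam) but is not in the full listing
# (like pwd.getpwall).
fake_getent() {
    [ "$1" = passwd ] || return 2
    case "${2-}" in
        ""|root) echo 'root:x:0:0:root:/root:/bin/bash' ;;
        adam)    echo 'adam:*:16859:100:adam:/home/adam:/bin/bash' ;;
        *)       return 2 ;;
    esac
}

# enum_gap GETENT_CMD USER...: print each USER that a by-name lookup finds
# but the enumerated passwd database does not list.
enum_gap() {
    eg_cmd=$1; shift
    eg_all=$("$eg_cmd" passwd | cut -d: -f1)
    for eg_u in "$@"; do
        "$eg_cmd" passwd "$eg_u" >/dev/null 2>&1 || continue   # unknown user
        printf '%s\n' "$eg_all" | grep -qxF -- "$eg_u" || echo "$eg_u"
    done
}

enum_gap fake_getent adam root nobody    # prints: adam
# On a live host: enum_gap getent adam
```

An empty result for a user after the change means the account is now visible to enumeration.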


Why CageFS installation changes jailshell to regular bash on cPanel?


During CageFS package installation or update, all users with jailshell enabled will have it changed to regular /bin/bash in /etc/passwd.

This is done to avoid a possible conflict with virtfs: when a non-CageFS user enters virtfs, jailshell copies all mount points from cagefs-skeleton to /home/virtfs/$USER. Those mount points are duplicated for each user (approx. 54 mount points per user).

/dev/sda1 /home/virtfs/korvin/usr/share/cagefs-skeleton/opt/alt ext4 ro,nosuid,relatime,barrier=1,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/sda1 /home/virtfs/korvin/usr/share/cagefs-skeleton/usr/lib ext4 ro,nosuid,relatime,barrier=1,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/sda1 /home/virtfs/korvin/usr/share/cagefs-skeleton/usr/lib64 ext4 ro,nosuid,relatime,barrier=1,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/sda1 /home/virtfs/korvin/usr/share/cagefs-skeleton/usr/include ext4 ro,nosuid,relatime,barrier=1,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/sda1 /home/virtfs/korvin/usr/local/cpanel/3rdparty/mailman/logs ext4 rw,relatime,barrier=1,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/proc/bus/usb /home/virtfs/korvin/usr/share/cagefs-skeleton/proc/bus/usb usbfs ro,nosuid,relatime 0 0

 

This could result in a really large number of mount points, which could lead to slow system performance. It is secure to provide bash access to users as long as you have CageFS enabled.

How to add java to CageFS


If you would like to make java available from inside CageFS, you have to follow these steps:

1. Create /etc/cagefs/conf.d/java.cfg and add needed binary files to it:

[java-custom]
comment=Java-custom
paths=/usr/bin/java, /etc/alternatives/java,/usr/java/jdk1.8.0_05/jre/bin/java

2. Add '/usr/java' into /etc/cagefs/cagefs.mp file

3. Update skeleton and remount all:

cagefsctl --force-update

cagefsctl --remount-all

 

 

 

How to restore PHP-Selector options after restore or migrate


To restore PHP-Selector options and alternate PHP version from backup (example user cltest3) you have to:

  1. Restore ~cltest3/.cl.selector/ directory
  2. Remove PHP-selector current files from cagefs directory:
    /usr/sbin/cagefsctl --getprefix cltest3

    04

    rm -rf /var/cagefs/04/cltest3/etc/cl.selector
    rm -rf /var/cagefs/04/cltest3/etc/cl.php.d

  3. Run command to recreate configs:
    /usr/sbin/cagefsctl --force-update-etc cltest3

     

 

How to mount a directory inside cagefs for certain users only


The easiest way is to use the split approach.

To achieve this, you need to add a username inside the directory you want to share:


# mkdir /sharedir
# ln -s /share_dir /sharedir/username
# ln -s /sharedir/username /usr/share/cagefs-skeleton/share_dir
# echo "%/sharedir" >> /etc/cagefs/cagefs.mp
# cagefsctl --remount-all

Please note that first you create the empty ‘sharedir’ directory, and the actual content is located in ‘share_dir’.

Running PHP from cronjob


Issue symptoms

Some PHP scripts executed with cronjobs are not working properly, are interrupted or just hang.

Known affected website engines: Magento, CakePHP .

Cause

The issue is caused by the PHP CGI binary being called instead of the PHP CLI version. This happens because the PATH environment variable does not contain /usr/local/bin/.

Resolution

There are several ways to resolve the issue depending on which panel is used or if you edit cronjob via command line.

Call PHP CLI binary manually:

* * * * * /usr/local/bin/php /home/user/cronjob.php

Add /usr/local/bin/ to the user's crontab as:

PATH="/usr/local/bin/:/usr/bin:/bin"
* * * * * php /home/user/cronjob.php

Force exporting path variable right before executing PHP script:

* * * * * export PATH=$PATH:/usr/local/bin; php /home/user/cronjob.php

Note 1: Engines like CakePHP use app/Console/cake wrapper to define which PHP to call. You may need to modify the file and point to /usr/local/bin/php manually.

Note 2: On DirectAdmin panel to force specified path to be used for user cron jobs you have to create /usr/local/directadmin/data/templates/custom/cron_template.txt with the following content:

PATH=/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
SHELL=/bin/sh
MAILTO=|EMAIL|
|CRONS|

More: https://www.directadmin.com/features.php?id=621
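
To find affected jobs before they misbehave, a crontab can be scanned for bare `php` calls that run without /usr/local/bin in PATH. This is an added example, not part of the original article; `cron_bare_php` is a hypothetical name, the sample crontab is constructed from the job lines above, and the cron default PATH of /usr/bin:/bin is an assumption.

```shell
#!/bin/sh
# Added example: flag crontab jobs that call a bare `php` while the effective
# PATH lacks /usr/local/bin, so the PHP CGI binary would be picked up.

# Constructed sample crontab built from the job lines in this article.
sample_crontab() {
    cat <<'EOF'
# constructed sample
* * * * * php /home/user/cronjob.php
* * * * * /usr/local/bin/php /home/user/cronjob.php
* * * * * export PATH=$PATH:/usr/local/bin; php /home/user/cronjob.php
EOF
}

# cron_bare_php: read a user crontab on stdin and print "LINENO: job" for
# each job at risk.
cron_bare_php() {
    awk '
    BEGIN { path = "/usr/bin:/bin" }     # assumption: cron default PATH
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
    /^[ \t]*PATH[ \t]*=/ {               # crontab-wide PATH setting
        path = $0; sub(/^[^=]*=[ \t]*/, "", path); gsub(/"/, "", path); next
    }
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }   # SHELL=, MAILTO=, ...
    {
        cmd = $0
        n = ($1 ~ /^@/) ? 1 : 5          # @daily etc. or five time fields
        for (i = 1; i <= n; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", cmd)
        eff = path
        if (match(cmd, /PATH=[^ ;]+/)) { # PATH set inside the job itself
            eff = substr(cmd, RSTART + 5, RLENGTH - 5)
            gsub(/"/, "", eff); gsub(/\$PATH/, path, eff)
        }
        if ((":" eff ":") ~ /:\/usr\/local\/bin\/?:/) next
        if (cmd ~ /(^|[ \t;&|])php([ \t]|$)/) print NR ": " $0
    }'
}

sample_crontab | cron_bare_php
# On a live host: crontab -l -u user | cron_bare_php
```
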

 
