Running Apache's suEXEC


boen_robot


Is there any way I could run suEXEC (or should I say Apache's mod_suexec) on Windows 2003? If I must compile it, how would I do that for Windows 2003 (I have Microsoft Visual Studio 2005 Professional)?

I'm asking because at work, we plan to buy a new, more powerful server, and I've been given complete freedom to do whatever I want with it (yupee!).

Now, what I'd really like to enable us and our customers there to do is to turn us into a web hosting company. I already have all the software that I need for that (Apache, PHP, MySQL, hMailServer, warFTP) and a (local) DNS under my full control (with plans to buy a real domain name), but there's still one (sort of) problem that remains. And that's the OS. I plan to use Windows 2003, mostly because that's the only server-specialized OS that I'm familiar with (at least partially). Using anything *nix scares the heck out of me. Not to mention I'd hate to seek out some new programs and build them (an operation I've never been fond of).

So, having said all that, I realize that allowing users to use PHP directly is a security risk. So, I'd like to minimize that risk by using (something like) suEXEC to run PHP scripts as their owner. I think I could make it so that when a user is registered, I register their name and privileges with the OS (any way with CLI and/or COM and/or a PECL extension?), and somehow adjust Apache to treat the directory name as the username for suEXEC (I think this part may be the harder one, but being able to run PHP with any non-root privileges is still something).

If I'm on the wrong path here, how exactly could I make PHP scripts run as a specific user under Windows 2003? I'd like to install PHP as an Apache module if possible.


A week, and not a single response... oh boy... I knew this is a tough one.

Is there ANY way I could implement this on Windows 2003? PHP running with non-root privileges, I mean?

If I have to use Linux, which distribution would you recommend for a web host? Which OS would be able to build all binaries from the original source code and run them properly afterwards? Which is the easiest, and which is the fastest and most reliable? I'd like to know what each OS is good for. If you have "raw" samples of programs that run on a certain OS and ones that don't, I'd really appreciate it.


A week, and not a single response... oh boy... I knew this is a tough one. Is there ANY way I could implement this on Windows 2003? PHP running with non-root privileges, I mean?
In the absence of any other response, in case it helps...

My main experience is in the MS world. I have almost no experience of Apache or PHP (yet). However, since I want to start looking at the open source stuff too, I've finally (just) got round to installing WAMP on a virtual PC. This has installed a Windows Service for wampapache (Apache/2.2.6 (Win32) PHP/5.2.5).

I don't know what Apache you are using (WAMP or other) but I assume it will run as a Windows Service, which by default may be configured to run under the Local System account. But you can configure it to run under a specific account which you create for this purpose. In the properties settings for a Windows Service, you can set the account under which it runs. I should have thought that the main thing you are asking for (run as non-root account) can be achieved by doing this. Now, as to what privileges you will have to grant that account, you will have to find that out for yourself!

But anyway (from my tiny exposure so far) I should imagine that the PHP scripts will always be executed under the account the web service is running under, i.e. you will not be able to use ad-hoc impersonation from one user session to another as you can in the .NET world.

Hope this helps in a small way to progress your thinking towards (or indeed away from) your envisaged hybrid Windows-based open source solution.

Windows is definitely easier for most people to work with, but Linux might be the better choice for web hosting. We run Windows servers here, but we don't sell web space so permissions aren't an issue. But you might want to look into setting up a Linux box and installing Web Host Manager and cPanel; WHM is great for managing hosting accounts. I'm not going to pretend I know anything about distros, because I have hardly any experience with any of them and am not qualified to compare them, but Ubuntu has been gaining market share lately. As far as programs, you probably don't need a lot on a web server. Other than the web server software, database software, PHP or scripting software, and something like WHM, there's probably not a lot you need otherwise.

But clearly Linux is the preferred web server setup, so this might be a good opportunity for you to familiarize yourself with everything. I would tell you not to limit yourself based on what you know; if Linux is the better choice then don't use Windows just because you already know how to use it. People ask here all the time how to do things with PHP or whatever that are clearly suited for another language, and my answer is typically to use that other language. If there's a better tool for the job, don't limit yourself just based on what you know; take it as an opportunity to learn another tool. You'll come out on the other side as a more capable, powerful person.


@Reg Edit
I have all of the software above installed separately. No packages. And that's what I'd like to keep using if possible.

I didn't know the thing about the service. Good to know, thanks. In fact, after looking at the properties of the service, I also saw I could initiate a program on failure, which is really useful; it means I can automatically restart Apache if memory overflows and Apache starts to fail. Still, that doesn't exactly solve the thing I'm after. I need to have at least one root account (from which I'd manage the accounts), and a single account for all users to use. Ideally, have each user run scripts on their own account.

@justsomeguy
Agree with the learning thing. However, we're talking about a whole OS here. I don't know ANYTHING about working with Linux-based OSes. When I learn a language, I usually base it on something I already know (e.g. I learned the basics of PHP only after knowing HTML first; I learned how to change Apache's configuration directives only after understanding how PHP interacts with Apache, etc.), but I can't base Linux on anything other than Windows (or DOS if the OS is to be without a GUI), and as far as I'm aware, Linux OSes have almost nothing in common with Windows/DOS. In addition, this means finding and learning to use other software for FTP and mail, though I'm optimistic that this would be the easiest part.

Well, if Linux is the way to go, what Linux OS should I use? I mean, what is the best? I'm not that much afraid of the learning curve, since anything Linux will be hard at first. But if I'm going to use Linux, I'd like to use the best Linux possible for the job. Ubuntu seems too user-friendly to be the one (I think), but I don't have a hint as to what it might be.


Well, most servers I've seen running Linux are using Red Hat. Most personal people I've seen using Linux use Ubuntu.

The applications are the easy part though; I'm sure that Filezilla or Thunderbird for Linux will be almost identical to the Windows versions, you won't have to learn how to FTP or read mail all over again. The browser will be exactly the same also. So will using Apache, for the most part. Most of the things you'll need to do with the OS that you don't know how to do can be found online pretty quickly I would assume. I would look at this as an opportunity to learn how to use this stuff though.


Well... for now I decided to use Ubuntu Server Edition (didn't know they had one until I actually got to the site). As I get more comfortable, I may go to using whatever starts to seem better at that point. Whether it will be Red Hat or Debian, I don't know. I'm downloading the 7.10 image right now.

Even when I get it though, I'm still puzzled: is there any way I could make PHP run as a different user, and make the username be detected dynamically (based on, say, a folder name, or a file that won't require a server restart)? So far, it seems suEXEC can only change the user based on a VirtualHost setting at best. However, I'd like to use canonical virtual hosting, so that I don't have to restart the server for every new user. For that, I'd need a directive that changes the username in the same fashion that the VirtualDocumentRoot directive changes the DocumentRoot on a server name basis.


The installation seems pretty straightforward, but the configuration is much more complicated, so thanks for the link. It sure is useful.

For my original problem, I think I've found the solution with suPHP. It has exactly what I need: running PHP scripts as their owner. How exactly I'm going to install it is another question I have yet to explore (right after I grasp how PHP on Linux works out).

I guess my main question now becomes "Is there a similar thing to suPHP for Windows (2003)?". So far I've found none.

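The owner-based setup the last two posts arrive at (suEXEC's per-VirtualHost limit in the earlier one, suPHP in this one), as an added example. This is not configuration from the thread; the host name, the user alice and the paths are assumptions. It shows a mod_suphp virtual host in suPHP's default "owner" mode, where the PHP interpreter runs as the uid/gid of the script file rather than as a user named in Apache's config, together with the suphp.conf settings that do the safety checks a shared host needs. With mod_suexec the equivalent would need a SuexecUserGroup line inside each <VirtualHost>, which is the restriction the earlier post ran into.

```apache
# --- /etc/apache2/sites-available/alice.example.com (added example; names assumed)
<VirtualHost *:80>
    ServerName alice.example.com
    DocumentRoot /home/alice/public_html

    <Directory /home/alice/public_html>
        # Do not let mod_php execute anything here, or the owner switch
        # below is bypassed for the files it grabs first.
        <IfModule mod_php5.c>
            php_admin_flag engine off
        </IfModule>

        # Route .php files through mod_suphp. In "owner" mode suPHP takes the
        # uid/gid from the script file, so no per-user directive is needed
        # (mod_suexec would need "SuexecUserGroup alice alice" in this vhost,
        # which is why it cannot follow a VirtualDocumentRoot setup).
        suPHP_Engine on
        AddHandler x-httpd-php .php
        suPHP_AddHandler x-httpd-php
    </Directory>
</VirtualHost>

# --- /etc/suphp/suphp.conf (the settings that enforce the isolation)
[global]
logfile=/var/log/suphp/suphp.log
loglevel=info
; the Apache worker account that hands requests to suPHP
webserver_user=www-data
; every script must live under the target user's own home directory
docroot=${HOME}/public_html
; and inside the DocumentRoot of the vhost that called it
check_vhost_docroot=true
; refuse scripts (or directories) that another account could modify
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
; never run as root or a system account, whatever the file's owner says
min_uid=1000
min_gid=1000
; files the script creates are private to its owner
umask=0077
; keep interpreter errors out of the browser
errors_to_browser=false
env_path=/bin:/usr/bin

[handlers]
x-httpd-php="php:/usr/bin/php-cgi"
x-suphp-cgi="execute:!self"
```

Because the user comes from the file's ownership, adding a customer is a matter of creating the account and a directory it owns; the Apache configuration does not change and needs no restart. The min_uid/min_gid and writeable checks are what stop a root- or www-data-owned script, or a world-writable one that another tenant could overwrite, from being executed under that owner, and check_vhost_docroot refuses a script whose real path lies outside the calling site's DocumentRoot.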

Yeah, I haven't heard of anything like that for Windows, the user account systems that Windows and Linux use are quite different. Everything in Windows runs under the IUSR_machine account, even if you create several user accounts I believe all web processes are still handled by the one account.


Everything in Windows runs under the IUSR_machine account, even if you create several user accounts I believe all web processes are still handled by the one account.
Yes, that's true, when you use anonymous authentication in IIS and allow everything to execute as the anonymous user (IUSR_machinename). But on the other hand, if users log on to your site, you can elect to use impersonation, whereby you can supply the credentials of the logged-on user to execute processes under that user's account.

An example would be, before a web service call, setting the credentials property of the web service proxy. The web service then executes using the account identified by the credentials, and its authorization to access resources such as the file system is dictated by the permissions granted to that user.

However, boen_robot, if you abandon IIS for Apache, I imagine PHP scripts invoked by Apache will always execute under the account you have set Apache to run under.

Probably best to go completely one way or the other: MS or open source.

We're not talking about users logging in though, we're talking about requests to the web server for one domain running under a different account than requests to the same server for a different domain.
True, but when you use impersonation, you can use any credentials you like, not necessarily those of the logged-on user. As long as you have established the means to associate a set of credentials with the current context (domain in this scenario), you can execute everything using the applicable credentials. But anyway, for boen_robot, off down the open-source road, this is probably academic.

With your Windows hat on, however (as opposed to your Red Hat), have you considered using PHP under IIS:
http://msdn.microsoft.com/msdnmag/issues/0...default.aspx#S1
http://www.google.com/search?q=iis+php
This is not something I've investigated. But I would have thought that using IIS rather than Apache may give you the ability to use impersonation when running your PHP scripts.


With your Windows hat on, however (as opposed to your Red Hat), have you considered using PHP under IIS:
http://msdn.microsoft.com/msdnmag/issues/0...default.aspx#S1
http://www.google.com/search?q=iis+php
This is not something I've investigated. But I would have thought that using IIS rather than Apache may give you the ability to use impersonation when running your PHP scripts.
What really bothers me about using IIS as opposed to Apache is mod_rewrite. IIS has some good alternatives, but none are appropriate. One is paid (and I can't find a cracked version... bummer), another one can only read a single file (what good is it if none of my users can use it in an Apache-like fashion?), a third one can only be configured at the admin panel (even worse... I can't even create a control panel for users to use it, and on top of that, it doesn't have the complete power of mod_rewrite).

In addition, there are other things in IIS I'm not sure if I can do at all, and I have no idea how to enable users to adjust them. GZip compression, directory listing... just to name a few.

There are really two reasons I want to use Windows.

1. Simplicity. I know Windows inside out (or at least enough to easily learn what I don't know already). On it, I can already configure a very secure and feature-rich FTP (including quota management), web and mail server. I was about to configure SSL onto Apache, and SSH (for SFTP's sake mostly). Being able to run PHP as a non-root user (ideally, with a different account for every user) is THE only thing stopping me from establishing Windows hosting.

2. COM and .NET. There are tons of useful things that have COM and .NET APIs. And I don't mean MS Office APIs (though it would be nice if my users could use these as well). True, some have Java alternatives (a case in mind is SAXON (well... you know me... an XSLT person)), but Java starts way too slowly, and it would be impossible to keep the JVM open with all APIs at all times. Not to mention I still can't install the Java Bridge for PHP, whereas I can use COM already (and for .NET, there's ASP.NET, until PHP has better .NET support than it has today).

As far as money/open-source goes, if I can set up everything for free at first (legally or otherwise), I'm willing to pay for licences later, so that I can keep it without fear of being sued at some point. Windows 2003 is included in that calculation (yeah, I have it already and without a licence). I'm not a "C" person, so something being "open-source" doesn't really concern me.
But anyway, for boen_robot, off down the open-source road, this is probably academic.
I already fear that most. The configuration of this beast practically requires academics. I'm still trying to follow the instructions. I'm going to reinstall it actually, as I think I've messed it up (I can't log in... damn). It's a good thing I use a VM.
Everything in Windows runs under the IUSR_machine account, even if you create several user accounts I believe all web processes are still handled by the one account.
for Apache, I imagine PHP scripts invoked by Apache will always execute under the account you have set Apache to run under.
I think Reg Edit is right. Apache is not part of the OS, so it starts as the user that started it. I guess when installed as a service, that user could be adjusted, but that doesn't change the fact it uses another user. Still, the problem is there needs to be two or more users running the same Apache instance.

// Offtopic (sort of)
The new server I was talking about at the beginning won't be bought soon, it seems. Perhaps in the middle of this year. That's because it turned out my father wants to buy a new car with the money that was previously scheduled for network enhancements (Gigabit switches, new wireless AP, and of course the web server). On top of that, it turns out he may not even get the car soon, as the company that was supposed to give us the full sum only gave us half of it and will give the other half in the middle of the year. My father does need a new car though (the brakes of the current one are almost broken, and that's just the least of the car's problems), so I didn't put up any fuss.

  • 6 months later...

I now have not one, but two new servers, and they both have Windows Server 2008. Yupee!

I decided to use IIS7 on the web server (I'd use the other one as a DB server), as unlike IIS6, IIS7 seems to be great: a completely redesigned control panel, modular structure, and (that's what leaned me into giving it a shot) a free Microsoft-made rewriting module (downloaded separately, but still...).

I'm amazed as to how easy it was to create a new site, add FTP associated to it, and make PHP run with a different user for each site (or "Application pool" to be more precise). Other features I mentioned like GZip compression and directory listing also seem to be available natively and I easily found them.

Now onto the fun part... user creation and management... I was able to create a script that adds users, but I seem to be unable to create one for adjusting passwords. With PHP, I suppose I can execute a command for that, but what? For user creation, it was

NET USER username password /ADD

but for changing password, the command is

NET USER username newpassword

The problem with this that I have is that this doesn't require the old password. How can I verify if a username/password pair matches? Or better yet, is there a command that accepts the username, password and a new password at the same time?

I suppose I could store usernames and passwords in a DB and check passwords against that, but I'd like to have just a single place for usernames and passwords (Windows itself), rather than two.

(I'd also have to look for how to adjust IIS application pool settings from PHP, whether it's a COM, .NET, or command line way... and I'd rather stay away from ASP.NET.)


Look into Active Directory or LDAP (AD is Microsoft's implementation of LDAP). I'm not sure where it saves the users that it creates using net, but I bet it saves them in an AD structure. If so, you can query the directory to check a username and password. I've got some ASP classic code that does that if you want to take a look at it.

Here's my main authentication function, in all its VB glory. You'll have to do a little research on AD to figure out what a domain and container is, and it looks like the PHP LDAP functions include things like ldap_connect; I think to look up someone in the AD you might use ldap_search.

Function authenticate_ldap_user(username, password, domainName, containerName)
  Dim ldapObject, authObject
  On Error Resume Next
  ' Clear any error left over from the caller, so the check at the end
  ' reflects only this function's bind attempt.
  Err.Clear
  If Not containerName = "" Then
    containerName = containerName & ","
  End If
  If username = "" Or password = "" Then
    Err.Number = &H81000000
  Else
    Set ldapObject = GetObject("LDAP:")
    ' 1 at the end for secure auth (ADS_SECURE_AUTHENTICATION).
    Set authObject = ldapObject.OpenDSObject("LDAP://" & domainName, "CN=" & username & "," & containerName & domainName, password, 1)
    ' Success is determined below by the error number (if any).
    Set ldapObject = Nothing
    Set authObject = Nothing
  End If
  If Err.Number <> 0 Then
    authenticate_ldap_user = False
  Else
    authenticate_ldap_user = True
  End If
End Function


Interesting, but... I was able to solve this issue already, an hour before your post. The moment I implemented it though, I had to go out and didn't get onto a computer until now (long story short: bad weather).

I made the control panel protected by HTTP authentication. The users authenticated are the ones that would change their passwords. Since PHP can read HTTP authentication details, and it won't get executed unless they're all right, I unconditionally get the username from that, and use the new password if it passes my sanity check (i.e. if it can be written on the command line) and if the two fields for a new password are the same.

I plan to add other stuff for users to do on that page (say, change the domain name associated with their hosting account?), and being able to authenticate in the same fashion sounds great.

I'd be looking around to see how to adjust IIS settings now, speaking of which, where is the main IIS configuration file (a la "httpd.conf")? If I edit it with PHP, will it apply the settings immediately? If not, how can I adjust IIS settings without requiring a restart (as with the IIS control panel). "Connect" to the IIS manager? How?

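For the password flow in the post above (HTTP-authenticated user, new password handed to NET USER after a command-line sanity check), an added example that is not the poster's control-panel code. It goes through the ADSI WinNT provider with PHP's COM extension instead of a command line: IADsUser::ChangePassword() takes the old and the new password, so Windows itself checks the old one (this is the "command that accepts the username, password and a new password" asked for earlier), and IADsOpenDSObject::OpenDSObject() is the answer to "how can I verify if a username/password pair matches". Nothing is placed on a command line, so there is no quoting to sanity-check and the password never shows up in the process list. Assumptions: PHP 7 or later on Windows Server with the COM extension (php_com_dotnet) loaded, local machine accounts rather than domain accounts, the account name arriving in PHP_AUTH_USER as the post describes, and the function and form-field names, which are ours.

```php
<?php
// Added example (not from the thread). Change a local Windows account's
// password through ADSI's WinNT provider via PHP's COM extension, instead of
// running "net user". Assumes PHP on Windows Server with php_com_dotnet
// enabled and local (non-domain) accounts; the names below are our own.

// Usernames are ones the panel created (NET USER ... /ADD), so restrict them
// to a safe shape: the name is embedded in an ADSI path and must not contain
// "/", "," or "\", which would change which object is addressed.
function is_valid_username(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z][A-Za-z0-9_]{0,19}$/', $name);
}

// Local policy before we ask the OS; the Windows password policy still applies.
function is_acceptable_password(string $pw): bool
{
    $len = strlen($pw);
    return $len >= 8 && $len <= 127 && !preg_match('/[\x00-\x1f]/', $pw);
}

// Check that a username/password pair is valid by binding to the local
// machine with those credentials. ADS_SECURE_AUTHENTICATION (1) makes the
// provider use Windows authentication instead of a clear-text bind.
// Returns true only if the OS accepted the credentials.
function verify_local_credentials(string $user, string $pass): bool
{
    if (!is_valid_username($user) || $pass === '') {
        return false;
    }
    $host = getenv('COMPUTERNAME');
    try {
        $ns = new COM('WinNT:');
        $ns->OpenDSObject("WinNT://$host", "$host\\$user", $pass, 1);
        return true;
    } catch (com_exception $e) {
        return false;  // bad password, unknown user, or disabled account
    }
}

// Change the password. The provider uses NetUserChangePassword underneath,
// which fails unless $old is the account's current password, so the caller
// proves knowledge of it and the worker process need not be an administrator.
function change_local_password(string $user, string $old, string $new): bool
{
    if (!is_valid_username($user) || !is_acceptable_password($new) || $old === $new) {
        return false;
    }
    try {
        $account = new COM("WinNT://./$user,user");
        $account->ChangePassword($old, $new);
        return true;
    } catch (com_exception $e) {
        return false;  // wrong old password, policy violation, or access denied
    }
}

// Form handler for the control panel. The account name comes from the HTTP
// authentication the page sits behind (as in the post), never from the form.
function handle_change_password(array $server, array $post): string
{
    $user = $server['PHP_AUTH_USER'] ?? '';
    $old  = $post['old_password']  ?? '';
    $new  = $post['new_password']  ?? '';
    $new2 = $post['new_password2'] ?? '';

    if ($new !== $new2) {
        return 'The two new password fields differ.';
    }
    if (!verify_local_credentials($user, $old)) {
        return 'Current password is incorrect.';
    }
    return change_local_password($user, $old, $new)
        ? 'Password changed.'
        : 'Password change rejected (policy or permissions).';
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    header('Content-Type: text/plain; charset=utf-8');
    echo handle_change_password($_SERVER, $_POST);
}
```

The username whitelist is deliberately narrower than what Windows allows, because the panel is the only thing creating accounts; the point is that the name never reaches a shell or an unchecked ADSI path. The same OpenDSObject bind is what the VBScript in the earlier reply does against LDAP, here against the local SAM via WinNT:, which is where NET USER puts accounts on a stand-alone server.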

Do a search for metabase.xml. There's a checkbox in the IIS manager to allow edits to the metabase file while IIS is running.
OK. I'm now more confused than I was before...

I recalled another conversation I had in another forum a while ago where they mentioned applicationHost.config. I searched for that and found a few files in "C:\inetpub\history\CFGHISTORY_##########\" where "#" is a number (different for every folder). They appear to have what I want, but since they're in "History", I suppose they're not the original one. Same goes for "administration.config" found in the same folders.

A search for metabase.xml gave no results. Yesterday, a few metabase_########.xml files appeared, though oddly enough, today they don't for some reason.

Where is the checkbox in IIS you're referring to? If you haven't used IIS7 yet, could you at least say where it is in IIS6 (I'll see if it's still there in IIS7)?

This is for IIS6 under Windows Server 2003. I have a metabase.xml file in %WIN%\system32\inetsrv\. The metabase file contains most of the global IIS settings. For the checkbox, I right-click on the server node in IIS (the local server), and hit Properties, and there's a checkbox on the first (only) property page to Enable Direct Metabase Edit.

I'm frankly not sure if that means changes take effect immediately, or just if it lets you edit the file without IIS crashing.


Well, I didn't find metabase.xml. However, the same location has a config folder in which I found the original applicationHost.config and administration.config files. Those however appear to be non-editable. Thanks anyway. At least now I see what's going on really.

The checkbox you mention is non-existent in IIS7, but is replaced with something I believe is even better: shared configuration. You can specify a configuration file for IIS7 to use, and this file could (in theory) be shared across multiple IIS servers. In practice, I'd edit that file with PHP, and this one server will monitor that file, updating its configuration as needed. There's also an "export configuration" option to actually use the current configuration as a shared one.

I think this is even better than the IIS6 approach of direct edit because it also solves another issue I had in mind: backing up the configuration. With Apache, I just include my configuration file from httpd.conf, and was hoping IIS7 would have something similar. It appears it has an even better option.

BTW, it's really hard to admit it, but the RewriteModule is better than mod_rewrite: easier, and it even appears to have slightly more features (just when I thought there's nothing mod_rewrite could add) like wildcard matching instead of regex matching, a few more server variables and a GUI.

