ServerUserID webserver conf directive does not work

General discussion on Zend Server for IBM System i
jbissone
Posts: 13
Joined: Fri May 14, 2010 7:09 pm

Post by jbissone » Fri May 14, 2010 7:14 pm

I have set the ServerUserID directive in the webserver conf to try to have the web server run under a specific user profile on the i5. I do not get any errors on startup, but the server still runs under profile QTMHHTTP (the default). It is reading the directive because if I use a user profile that does not exist, I do get an error on startup.

Has anyone successfully used the ServerUserID directive?

erich_hieden
Posts: 393
Joined: Tue Jul 07, 2009 9:01 am

Re: ServerUserID webserver conf directive does not work

Post by erich_hieden » Mon May 17, 2010 7:51 am

I can confirm that the jobs still run with user QTMHHTTP, but if I understand the help in the IBM HTTP Admin correctly, the job switches the user to the one provided in ServerUserID. So have you tried accessing files through the webserver, which are only accessible for the new user and not for QTMHHTTP?

jbissone
Posts: 13
Joined: Fri May 14, 2010 7:09 pm

Re: ServerUserID webserver conf directive does not work

Post by jbissone » Mon May 17, 2010 5:59 pm

Yes, files created from PHP scripts are owned by user QTMHHTTP, not the ServerUserID user. I also cannot access files if QTMHHTTP (or *PUBLIC) does not have authority to the file, even though the ServerUserID user has all authority.

aseiden
Posts: 875
Joined: Thu Apr 09, 2009 5:45 pm

Re: ServerUserID webserver conf directive does not work

Post by aseiden » Mon May 24, 2010 3:01 am

Great question. I think I know why Apache's ServerUserID directive doesn't work for PHP.

PHP is executed by FastCGI, not Apache. Apache passes control to FastCGI. Therefore, perhaps the user profile needs to be set in fastcgi.conf or another FastCGI configuration area. Does anyone have information on where FastCGI's user profile is set?

Alan

andrewbytes
Posts: 4
Joined: Tue Feb 02, 2010 10:50 pm

Re: ServerUserID webserver conf directive does not work

Post by andrewbytes » Mon May 24, 2010 7:56 am

Well - what is the security exposure to QTMHHTTP owning or NOW having CGI level access to everything - since before QTMHHTTP was an HTTP or web server "VIEW" profile, he (or she!) was DISPLAYING to the web. QTMHHTP1 was the INTERNAL CGI guy. Changing the role of QTMHHTTP will expose me? Any ideas? What will happen on my "traditional" (ie LEGACY) sites?

jbissone
Posts: 13
Joined: Fri May 14, 2010 7:09 pm

Re: ServerUserID webserver conf directive does not work

Post by jbissone » Mon May 24, 2010 1:36 pm

I see where you are going with FastCGI. But I cannot access plain http files unless QTMHHTTP has authority to the file. I wonder if this is an IBM problem.

aseiden
Posts: 875
Joined: Thu Apr 09, 2009 5:45 pm

Re: ServerUserID webserver conf directive does not work

Post by aseiden » Mon May 24, 2010 4:56 pm

jbissone,

Let's continue to research this.

Do you have the same problem if QTMHHTTP isn't the file's owner? What if the user profile specified by ServerUserId were the owner?

Alan

andrewbytes
Posts: 4
Joined: Tue Feb 02, 2010 10:50 pm

Re: ServerUserID webserver conf directive does not work

Post by andrewbytes » Mon May 24, 2010 5:12 pm

I'm not sure - in ZendCore - there was NOBODY the CGI user, and now we're in ZendServer - the owner changed to QTMHHTTP. I am a Net.Data environment - where I will be in a mixed mode until converted to PHP - however - until that point, ALL my objects are owned by QTMHHTP1, and READ Access is QTMHHTTP - the guy that produces the web for the world. If QTMHHTTP now has authority to modify objects, what will that do for my web site and who will now be able to upload their own files - I know QTMHHTTP doesn't have the ability to sign on - at least I don't THINK he can... but hey - I need to know if I'm vulnerable or not.

aseiden
Posts: 875
Joined: Thu Apr 09, 2009 5:45 pm

Re: ServerUserID webserver conf directive does not work

Post by aseiden » Mon May 24, 2010 5:19 pm

Andrew, for your issue, I'd suggest that we figure out how to set QTMHHTP1 as the FastCGI user, which runs PHP. I haven't researched this yet. IBM created FastCGI on the "i" so it's probably a question for IBM. Let's continue to update this thread with whatever we learn.

Alan

andrewbytes
Posts: 4
Joined: Tue Feb 02, 2010 10:50 pm

Re: ServerUserID webserver conf directive does not work

Post by andrewbytes » Mon May 24, 2010 6:18 pm

Yeah - I agree. I was looking at ownerships of the objects in ZENDSVR to see if there's maybe adoption going on (you know - adopting authority) but that's not the case - all the objects are owned by ZENDADMIN (or someone like that) so clue isn't there. I'll need to decompile the code, and try looking that way (har dee har har har...) or open a ticket with Zend - which is probably in my VERY near future...
