My openlitespeed virtual host external app does not run as required user

#1
I'm trying to set up OpenLiteSpeed, and I want PHP to run as a certain user and a certain group in a certain virtual host. I've turned the entire knowledge base upside down, especially this section, obviously.
But whatever I do, the PHP socket that is created is owned by the default nobody and nogroup, and the document root is unreachable (403) as long as it's owned by a user/group combination where nobody is not in the group.
So far, I've:
  • Set the External App Set UID Mode to DocRoot UID (as per documentation)
  • Set the user and group explicitly in suEXEC User and suEXEC Group in the Basic -> Security section of the Virtualhost
  • Created a dedicated External handler for the Virtual host, where I also set the desired user/group combo
  • Even set the desired user/group combo in the External App handler on the server level.
But nothing changes the default nobody/nogroup behavior.
 
#2
OK, so I found out that OpenLiteSpeed actually did run the external app as the user, but the document root of the virtual host needs to be assigned to the group that the server runs as (in my case 'nogroup'), or the user 'nobody' needs to be added to the group that owns the document root. Why is that? If I don't do that, I get a 403.
 
#4
I tried multiple, all to no avail (at one point I even tried 777, if I remember correctly). It seems the external app does switch to the designated user to execute the script, but the document root still needs some kind of ownership by the group that the server runs as. Is this expected behavior?
 

Cold-Egg

Administrator
#5
The OpenLiteSpeed process runs as the nobody user (in the nogroup group), so we usually set 750 on the document root folder and have it owned by [virtual host user]:[nogroup], so the web server has permission to access it.
 
#6
Well, initially I assumed that setting the UID mode of the virtual host to 2 would at least make the external apps run as the document root owner (which it does), or that setting the suEXEC user/group would (and that also does), or that setting the user/group of the external app would (and it also does). In this case, my external app is always PHP.

But I created an index.php file in my document root, and both the document root and the index.php file were owned by user:user, so my assumption was the index.php would be readable and executable (permission was 777 at one point, but it works with 644 as long as nogroup owns the document root). Still, I need to set nogroup as the document root group, or add the nobody user to the group owning the document root.

To me, this seems counterintuitive, but maybe I just don't understand the intention of the software. So basically what I want to know is: is this the 'Right Way (TM)' to do it? Or am I missing something?
 
#7
Hey, thanks for pointing this out. I was wondering the same thing and had a lot of issues with this. Not to be melodramatic, but wouldn't this mean that if you set your permissions to include nogroup, one vhost might be able to read another vhost's directory, which would be a security issue on a shared server / multi-site server?
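To make the layout from Cold-Egg's answer (#5) checkable, and to catch the world-readable case the shared-server question above worries about, here is an added audit script. It is example code written for this thread, not part of OpenLiteSpeed or anything posted by its authors. The function name `audit_docroot`, the `/var/www/example` path in the usage comment and the assumption that `ls -ld` prints `perms links owner group ...` are mine; the expected layout (owner = the vhost user, group = the group the server runs as, mode 750) is the one stated in #5.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenLiteSpeed.
# Audits a document root against the layout described in the thread:
#   owner = the virtual host user, group = the group the server runs as
#   (nogroup by default), mode 750 so "other" gets no access at all.
# Uses only ls, cut and id, so it runs without root.
#
# Usage (hypothetical paths):
#   audit_docroot /var/www/example example-user nogroup

# audit_docroot DIR USER GROUP
# Returns 0 when DIR is a directory owned by USER:GROUP with mode 750;
# otherwise prints each problem found and returns 1.
audit_docroot() {
  dir=$1
  want_user=$2
  want_group=$3
  rc=0

  if [ ! -d "$dir" ]; then
    echo "$dir: not a directory"
    return 1
  fi

  # Assumed ls -ld layout: drwxr-x--- 2 owner group size date name
  set -- $(ls -ld "$dir")
  perms=$(printf '%s' "$1" | cut -c1-10)   # drop any ACL/SELinux suffix (+ or .)
  owner=$3
  group=$4
  other=$(printf '%s' "$perms" | cut -c8-10) # the "other" rwx triple

  if [ "$owner" != "$want_user" ]; then
    echo "$dir: owner is $owner, expected $want_user"
    rc=1
  fi
  if [ "$group" != "$want_group" ]; then
    echo "$dir: group is $group, expected $want_group (the group the server runs as)"
    rc=1
  fi
  if [ "$other" != "---" ]; then
    # This is the shared-host risk: every local account, including the
    # suEXEC users of other vhosts, can traverse or read the tree.
    echo "$dir: mode $perms grants access to all other users; expected drwxr-x--- (750)"
    rc=1
  elif [ "$perms" != "drwxr-x---" ]; then
    echo "$dir: mode $perms, expected drwxr-x--- (750)"
    rc=1
  fi
  return $rc
}
```

Run it against each document root with the vhost user and the server group; anything other than a silent exit 0 is a deviation from the 750 user:nogroup layout, and the "grants access to all other users" message is the case that matters on a multi-site server. Group membership of nogroup gives the server process read access without granting it to every other account, which is the isolation the thread is asking about.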
 