Fix phpMyAdmin SSO ticket group ownership under SuExec (webapps)
Live testing on a real DirectAdmin/CustomBuild server showed the Apache alias fix alone wasn't enough: the default vhost serving /var/www/html uses `SuexecUserGroup webapps webapps`, so PHP for the private phpMyAdmin copy actually executes as user/group "webapps" - not as Apache's own httpd.conf "Group" (typically "apache"), which is what detect_apache_group() was reading. SSO ticket files ended up owned root:apache with mode 0640, unreadable by the webapps-executing da_login.php, producing "The phpMyAdmin login ticket is not available or has already been used." even though the ticket really was written. detect_apache_group() now checks the default vhost's SuexecUserGroup directive first (the actual PHP-execution identity under SuExec), and only falls back to the plain Apache Group directive when no SuexecUserGroup is configured. Bump version to 1.2.13 and rebuild the release archive.
This commit is contained in:
@@ -14,6 +14,8 @@ CONFIG_INC="${PHPMYADMIN_PRIVATE_DIR}/config.inc.php"
|
||||
SIGNON_SCRIPT="${PHPMYADMIN_PRIVATE_DIR}/da_signon.php"
|
||||
SIGNON_URL_PAGE="${PHPMYADMIN_PRIVATE_DIR}/da_login.php"
|
||||
BLOWFISH_SECRET_FILE="${RUNTIME_DIR}/blowfish_secret"
|
||||
APACHE_HTTPD_CONF="${APACHE_HTTPD_CONF:-/etc/httpd/conf/httpd.conf}"
|
||||
APACHE_VHOSTS_CONF="${APACHE_VHOSTS_CONF:-/etc/httpd/conf/extra/httpd-vhosts.conf}"
|
||||
CUSTOMBUILD_DIR="${CUSTOMBUILD_DIR:-/usr/local/directadmin/custombuild}"
|
||||
CB_BUILD="${CUSTOMBUILD_DIR}/build"
|
||||
APACHE_ALIAS_CUSTOM="${CUSTOMBUILD_DIR}/custom/ap2/conf/extra/httpd-alias.conf"
|
||||
@@ -57,8 +59,18 @@ chmod_or_warn() {
|
||||
detect_apache_group() {
|
||||
local group_name=""
|
||||
|
||||
if [ -f /etc/httpd/conf/httpd.conf ]; then
|
||||
group_name="$(awk 'tolower($1)=="group" {print $2; exit}' /etc/httpd/conf/httpd.conf | tr -d '[:space:]')"
|
||||
# Under SuExec (DirectAdmin's own convention for the default/shared
|
||||
# vhost that serves /var/www/html), PHP actually executes as the
|
||||
# SuexecUserGroup account (commonly "webapps"), not as Apache's own
|
||||
# httpd.conf "Group" (commonly "apache"). That distinction is exactly
|
||||
# what determines whether phpMyAdmin's SSO ticket files are readable,
|
||||
# so it takes priority over the plain Group directive below.
|
||||
if [ -f "$APACHE_VHOSTS_CONF" ]; then
|
||||
group_name="$(awk 'tolower($1)=="suexecusergroup" {print $3; exit}' "$APACHE_VHOSTS_CONF" | tr -d '[:space:]')"
|
||||
fi
|
||||
|
||||
if [ -z "$group_name" ] && [ -f "$APACHE_HTTPD_CONF" ]; then
|
||||
group_name="$(awk 'tolower($1)=="group" {print $2; exit}' "$APACHE_HTTPD_CONF" | tr -d '[:space:]')"
|
||||
fi
|
||||
|
||||
if [ -z "$group_name" ] && [ -f /etc/apache2/apache2.conf ]; then
|
||||
|
||||
Reference in New Issue
Block a user