# suexec with fast cgi failing after upgrade



## David Okwii (Oct 24, 2016)

Hello About two weeks ago, I upgraded by box that hosts several sites from FreeBSD 9.x to 10.x. The server was configured with suexec in-order to ensure that php scripts run as certain users, not as www. 

However, after the upgrade, suexec is broken. All sites now run as apache user www instead of their respective users. I maintained apache22 and php55. The sites load, but I've permission issues whenever website owner tries to upload content. 

I've done everything I can, read all the tutorials, but still my suexec is failing to work when I test php script. What could I be doing wrong? Kindly double check my configurations below. Thanks 

```
//Apache22
# httpd -v
Server version: Apache/2.2.21 (FreeBSD
```
//loaded modules shows fscgi and suexec are loaded.

```
# apachectl -M
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 authn_file_module (shared)
 authn_dbm_module (shared)
 authn_anon_module (shared)
 authn_default_module (shared)
 authn_alias_module (shared)
 authz_host_module (shared)
 authz_groupfile_module (shared)
 authz_user_module (shared)
 authz_dbm_module (shared)
 authz_owner_module (shared)
 authz_default_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 file_cache_module (shared)
 cache_module (shared)
 disk_cache_module (shared)
 dumpio_module (shared)
 reqtimeout_module (shared)
 filter_module (shared)
 charset_lite_module (shared)
 deflate_module (shared)
 log_config_module (shared)
 logio_module (shared)
 env_module (shared)
 mime_magic_module (shared)
 cern_meta_module (shared)
 expires_module (shared)
 headers_module (shared)
 usertrack_module (shared)
 unique_id_module (shared)
 setenvif_module (shared)
 version_module (shared)
 ssl_module (shared)
 mime_module (shared)
 dav_module (shared)
 asis_module (shared)
 suexec_module (shared)
 vhost_alias_module (shared)
 negotiation_module (shared)
 dir_module (shared)
 imagemap_module (shared)
 actions_module (shared)
 speling_module (shared)
 alias_module (shared)
 rewrite_module (shared)
 fcgid_module (shared)
 wsgi_module (shared)
 php5_module (shared)
 mono_module (shared)
Syntax OK
```
//additional info on modules 

```
# pkg which /usr/local/libexec/apache22/mod_cgi.so
/usr/local/libexec/apache22/mod_cgi.so was installed by package apache22-2.2.31_1
# pkg which /usr/local/libexec/apache22/mod_suexec.so 
/usr/local/libexec/apache22/mod_suexec.so was installed by package apache22-2.2.31_1
# pkg which /usr/local/libexec/apache22/mod_fcgid.so  
/usr/local/libexec/apache22/mod_fcgid.so was installed by package ap22-mod_fcgid-2.3.9
```
//php -v 

```
PHP 5.5.38 (cli) (built: Oct 19 2016 03:36:31) 
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies

//php55
make showconfig
===> The following configuration options are available for php55-5.5.38_2:
     CLI=on: Build CLI version
     CGI=on: Build CGI version
     FPM=on: Build FPM version
     EMBED=off: Build embedded library
     DEBUG=off: Enable debug
     DTRACE=off: Enable DTrace support
     IPV6=on: Enable ipv6 support
     MAILHEAD=off: Enable mail header patch
     LINKTHR=on: Link thread lib (for threaded extensions)
     ZTS=off: Force Zend Thread Safety (ZTS) build
===> Use 'make config' to modify these settings

//suexec 
/usr/local/sbin/suexec -V
 -D AP_DOC_ROOT="/usr/virtual/"
 -D AP_GID_MIN=5
 -D AP_HTTPD_USER="www"
 -D AP_LOG_EXEC="/var/log/httpd-suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=5
 -D AP_USERDIR_SUFFIX="public_html"
```
//sample virtual host file 

```
<VirtualHost XXX.XXX.XXX.XXX:80>
        ServerName example.com
        ServerAlias [URL="http://www.example.com"]www.example.com[/URL]
        DocumentRoot /usr/virtual/example.com/public_html


        SuexecUserGroup  adm258  adm2130


        ErrorLog /var/log/apache22/example.com_error.log
        CustomLog /var/log/apache22/example.com_access.log combined
        <Directory /usr/virtual/example.com/public_html>
                AddHandler fcgid-script .php
                FCGIWrapper /usr/virtual/example.com/public_html/cgi-bin/php.cgi
                Allow from all
                AllowOverride All
                Order allow,deny
        </Directory>
        Alias /awstatsclasses /usr/virtual/example.com/public_cgi/awstats/classes/
        Alias /awstatscss /usr/virtual/example.com/public_cgi/awstats/css/
        Alias /awstatsicons /usr/virtual/example.com/public_cgi/awstats/icons/
        ScriptAlias /awstats/ /usr/virtual/example.com/public_cgi/awstats/cgi-bin/
        <Directory /usr/virtual/example.com/public_cgi/awstats/>
                Options None
                AllowOverride None
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>
```
//php.cgi 

```
#!/bin/sh
# Shell Script To Run PHP5 using mod_fastcgi under Apache 2.x
### Set PATH ###
PHP_CGI=/usr/local/php5/bin/php-cgi
#PHP_CGI=/usr/local/bin/php-cgi
PHP_FCGI_CHILDREN=0
PHP_FCGI_MAX_REQUESTS=10000

### no editing below ###
export PHP_FCGI_CHILDREN
export PHP_FCGI_MAX_REQUESTS
exec $PHP_CGI
```


----------



## SirDice (Oct 24, 2016)

Did you rebuild/reinstall _all_ ports/packages after the upgrade?


----------



## David Okwii (Oct 24, 2016)

I didn't rebuild everything. After rebuilding the kernel, I removed old libraries using make delete && make delete-old-libs. I rebuilt only some critical ports such as apache, mysql, php. Is there a specific command that I can use to rebuild all the ports/packages?


----------



## SirDice (Oct 24, 2016)

After any major version upgrade you _must_ rebuild/reinstall _all_ ports/packages. There are no short-cuts here.

Handbook: 23.2.3.2. Upgrading Packages After a Major Version Upgrade


----------



## David Okwii (Oct 24, 2016)

SirDice how do I know which ports/packages are installed so I can re-install them?


----------



## SirDice (Oct 24, 2016)

Just follow the procedure from the handbook.


----------

