Jump to content
View in the app

A better way to browse. Learn more.
Froxlor Forum

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

php-cgi-scripts permissions problem

  •
llucps
in General Discussion

Featured Replies

HI there,

After upgrading from Bookworm to Trixie I noticed Internal Server Errors when checking some of the websites. Looking at the logs I found out suexec was complaining about violation

[2025-12-08 14:52:40]: directory is writable by others: (/var/www/php-fcgi-scripts/xxxx/xxxx.org)

I checked the permissions of the /var/www/php-cgi-scripts with the following outcome 

total 16
drwxr-xr-x 4 root root 4096 Dec  8 14:51 .
drwxr-xr-x 8 root root 4096 Dec 27  2023 ..
drwxrwxr-x 3 root root 4096 Dec  8 14:51 froxlor.panel
drwxrwxr-x 5 root root 4096 Dec  8 14:51 xxxx

I manually changed the permissions to 755 and the websites worked again

total 16
drwxr-xr-x 4 root root 4096 Dec  8 15:46 .
drwxr-xr-x 8 root root 4096 Dec 27  2023 ..
drwxr-xr-x 3 root root 4096 Dec  8 15:46 froxlor.panel
drwxr-xr-x 5 root root 4096 Dec  8 15:46 xxxx

Then I realized that the froxlor tasks overwrites those permissions of all the directories inside php-cgi-scripts directory with 

drwxrwxr-x

Am I doing something wrong? this wasnt' a problem with bookworm. I'm using https://docs.froxlor.org/latest/admin-guide/configuration/fcgid/, well I've been using fast.cgi since when I first installed Froxlor 12 years ago.

Any ideas? Do you need some other logs or info from my system to help debug this?

Thank you,

Lluc

Maybe there were changes for mod_fcgid in trixie we're not aware of. Would need to check. FCGID is also not really "state-of-the-art", my suggestion would be switching over to php-fpm if possible

  • Author

I'm trying to debug a bit more and it happens when launching the cron tasks

php /var/www/html/froxlor/bin/froxlor-cli froxlor:cron -d -r 1
Checking froxlor file permissions...OK
Running "tasks" job (debug)
[information] TasksCron: Searching for tasks to do
[information] Running Let's Encrypt cronjob prior to regenerating webserver config files
[information] Checking for LetsEncrypt client upgrades before renewing certificates:_[Mon Dec  8 05:36:42 PM CET 2025] Already up to date!_[Mon Dec  8 05:36:42 PM CET 2025] Upgrade successful!_[Mon Dec  8 05:36:43 PM CET 2025] Installing cron job_3 0 _ _ _ "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" 2__1_[Mon Dec  8 05:36:43 PM CET 2025] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
[information] No new certificates or certificate updates found
[information] apache::createIpPort: creating ip/port settings for  xxx.xxx.xxx.xxx:80
[debug] xxx.xxx.xxx.xxx:80 :: inserted vhostcontainer
[information] apache::createIpPort: creating ip/port settings for  xxx.xxx.xxx.xxx:443
[debug] xxx.xxx.xxx.xxx:443 :: inserted vhostcontainer
[information] apache::createVirtualHosts: creating vhost container for domain 15, customer xxxx
[information] apache::createVirtualHosts: creating vhost container for domain 8, customer xxxx
[information] apache::createVirtualHosts: creating vhost container for domain 7, customer xxxx
[information] apache::writeConfigs: rebuilding /etc/apache2/sites-enabled/
[information] apache::writeConfigs: rebuilding /etc/apache2/htpasswd/
[information] apache::writeConfigs: rebuilding /etc/apache2/sites-enabled/
[information] Froxlor\Cron\Http\ApacheFcgi::reload: reloading Froxlor\Cron\Http\ApacheFcgi
[notice] Creating passwd file
[notice] Writing 8 entries to passwd file
[notice] Succesfully wrote passwd file
[notice] Creating group file
[notice] Writing 1 entries to group file
[notice] Succesfully wrote group file
[notice] Creating shadow file
[notice] Writing 8 entries to shadow file
[notice] Succesfully wrote shadow file
[notice] Checking system's last guid
[notice] Checking system's OS version

after this the permissions change to:

drwxrwxr-x

what folder exactly? The configured path? The customer-folder within? the domain-folder within that one? Currently cant find anything that would re-create existing folders yet alone change permissions

  • Author

Sorry about that.

The folder is 

/var/www/php-cgi-scripts/

Yes it seems strange but when Froxlor runs the cron task with

php /var/www/html/froxlor/bin/froxlor-cli froxlor:cron -d -r 1

It changes ht permissions indside the /var/www/php-cgi-scripts/ folder from:

total 16
drwxr-xr-x 4 root root 4096 Dec  8 14:51 .
drwxr-xr-x 8 root root 4096 Dec 27  2023 ..
drwxrwxr-x 3 root root 4096 Dec  8 14:51 froxlor.panel
drwxrwxr-x 5 root root 4096 Dec  8 14:51 xxxx

to

total 16
drwxr-xr-x 4 root root 4096 Dec  8 15:46 .
drwxr-xr-x 8 root root 4096 Dec 27  2023 ..
drwxr-xr-x 3 root root 4096 Dec  8 15:46 froxlor.panel
drwxr-xr-x 5 root root 4096 Dec  8 15:46 xxxx

FYI the /var/www/php-cgi-scripts/ permissions are:

drwxr-xr-x  4 root         root         4096 Dec  8 17:36 php-fcgi-scripts

I can't see where Froxlor is doing that,, for the moment I just created a cronjob chaning those permissions every 1 minute, but obvisouly is not ideal

Thanks

it changed the permission from 775 to 755? And in your initial post you said the opposite...which is it now?

  • Author

sorry.. my mistake.

It changes the permissions to 775, so when the cron runs

php /var/www/html/froxlor/bin/froxlor-cli froxlor:cron -d -r 1

the result is

total 16
drwxr-xr-x 4 root root 4096 Dec  8 14:51 .
drwxr-xr-x 8 root root 4096 Dec 27  2023 ..
drwxrwxr-x 3 root root 4096 Dec  8 14:51 froxlor.panel
drwxrwxr-x 5 root root 4096 Dec  8 14:51 xxxx

again makes no sense, you are showing 775 after cronjob but you said you set it to 775 manually and it changes it back to 755 (which would be the correct permissions), please be more specific, can't really help that way

  • Author

Sorry for the mess..

As you said the correct permissions are 755.

Every time the cron job runs it changes the permissions to 775, which is wrong, the suexec complains and I get internal server errors trying to go to any of the websites hosted on the server.

When that happens if I manually change the permissions of all directories inside /var/www/php-fcgi-scripts/ to 755 it works again, suexec is happy and websites work just fine.

So the problem is the cron job php /var/www/html/froxlor/bin/froxlor-cli froxlor:cron -d -r 1  changing the permissions of the directories inside /var/www/php-fcgi-scripts/ to 775 like this:

total 16
drwxr-xr-x 4 root root 4096 Dec  8 14:51 .
drwxr-xr-x 8 root root 4096 Dec 27  2023 ..
drwxrwxr-x 3 root root 4096 Dec  8 14:51 froxlor.panel
drwxrwxr-x 5 root root 4096 Dec  8 14:51 xxxx

and I don't know why  

sounds like issues with your umask, we do not explicitly chmod to 0775 - we simply create the folders.

You may want to check whether the following changes fix the issues:

diff --git a/lib/Froxlor/Cron/Http/Php/Fcgid.php b/lib/Froxlor/Cron/Http/Php/Fcgid.php
index 3fca0f05..6bf76347 100644
--- a/lib/Froxlor/Cron/Http/Php/Fcgid.php
+++ b/lib/Froxlor/Cron/Http/Php/Fcgid.php
@@ -129,6 +129,8 @@ class Fcgid
 
                if (!is_dir($configdir) && $createifnotexists) {
                        FileDir::safe_exec('mkdir -p ' . escapeshellarg($configdir));
+                       FileDir::safe_exec('chmod 0750 ' . escapeshellarg(dirname($configdir)));
+                       FileDir::safe_exec('chmod 0750 ' . escapeshellarg($configdir));
                        FileDir::safe_exec('chown ' . $this->domain['guid'] . ':' . $this->domain['guid'] . ' ' . escapeshellarg($configdir));
                }
  • Author

I had to change the chmod to 0755 you had 0750, otherwise I was still getting Internal Server Errors, I guess that was mistake?

But other than that, yes that seems to fix the problem.

Will you apply that patch for the next Froxlor update?

Thanks!

Can you please provide detailed error message(s), other-readable should in almost no cases be required....

  • Author

So, putting back your original 0750 permissions, I see the suexec does not complain but still getting Internal Server Error. I'm getting this from apache logs:

[Tue Dec 09 14:36:55.663475 2025] [fcgid:warn] [pid 70913:tid 70913] (104)Connection reset by peer: [client xxx.xxx.xxx.xxx:40798] mod_fcgid: error reading data from FastCGI server
[Tue Dec 09 14:36:55.663591 2025] [core:error] [pid 70913:tid 70913] [client xxx.xxx.xxx.xxx:40798] End of script output before headers: index.php

This is the only error I could find. Do you need data from PHPinfo() ?

I'm trying to think other logs that I could look at..

that message does not help sorry, thought you said you were getting messages about wrong permissions....?!

  • Author

To recap.. these are all the cases and errors I was able to find:

If I remove your patch and run the cron job I get the following to errors

/var/log/apache2/suexec.log
[2025-12-09 14:53:52]: uid: (10004/xxxxx) gid: (10004/xxxxx) cmd: php-fcgi-starter
[2025-12-09 14:53:52]: directory is writable by others: (/var/www/php-fcgi-scripts/xxxx/xxxxx.org)
/var/customers/logs/xxx-error.log
[Tue Dec 09 14:36:55.663475 2025] [fcgid:warn] [pid 70913:tid 70913] (104)Connection reset by peer: [client xxx.xxx.xxx.xxx:40798] mod_fcgid: error reading data from FastCGI server
[Tue Dec 09 14:36:55.663591 2025] [core:error] [pid 70913:tid 70913] [client xxx.xxx.xxx.xxx:40798] End of script output before headers: index.php

The result is permissions and Internal Server Error

/var/www/php-fcgi-scripts/
total 16
drwxr-xr-x 4 root root 4096 Dec  8 14:51 .
drwxr-xr-x 8 root root 4096 Dec 27  2023 ..
drwxrwxr-x 3 root root 4096 Dec  8 14:51 froxlor.panel
drwxrwxr-x 5 root root 4096 Dec  8 14:51 xxxx

If I apply your patch I get only the error on apache logs

/var/customers/logs/xxx-error.log
[Tue Dec 09 14:36:55.663475 2025] [fcgid:warn] [pid 70913:tid 70913] (104)Connection reset by peer: [client xxx.xxx.xxx.xxx:40798] mod_fcgid: error reading data from FastCGI server
[Tue Dec 09 14:36:55.663591 2025] [core:error] [pid 70913:tid 70913] [client xxx.xxx.xxx.xxx:40798] End of script output before headers: index.php

No errors on /var/log/apache2/suexec.log

And the same permissions

/var/www/php-fcgi-scripts/
total 16
drwxr-xr-x 4 root root 4096 Dec  8 14:51 .
drwxr-xr-x 8 root root 4096 Dec 27  2023 ..
drwxrwxr-x 3 root root 4096 Dec  8 14:51 froxlor.panel
drwxrwxr-x 5 root root 4096 Dec  8 14:51 xxxx

So, for the moment the only trick is to use 755 on your patch.

I don't know where else to look

the message said the domain-folder is readable by others, not the customer-folders, so please check one directory deeper within /var/www/php-fcgi-scripts/xxxx/ for example.

Also maybe check if a simple test.php with <?php phpinfo(); ?> can be called directly via browser from the domains documentroot. I've not used fcgid for years, alsmost noone does

  • Author

Launching the cron job without your patch I'm getting the same permission on domain and customer level:

/var/www/php-fcgi-scripts # ls -la
total 16
drwxr-xr-x 4 root root 4096 Dec  9 15:17 .
drwxr-xr-x 8 root root 4096 Dec 27  2023 ..
drwxrwxr-x 3 root root 4096 Dec  9 15:17 froxlor.panel
/var/www/php-fcgi-scripts/froxlor.panel # ls -la
total 12
drwxrwxr-x 3 root         root         4096 Dec  9 15:17 .
drwxr-xr-x 4 root         root         4096 Dec  9 15:17 ..
drwxrwxr-x 2 froxlorlocal froxlorlocal 4096 Dec  9 15:17 xxxxxx.xxx

The inside xxxxx.xxx the domain I get different permissions:

/var/www/php-fcgi-scripts/froxlor.panel/xxxxxx.xxx # ls -la
total 16
drwxrwxr-x 2 froxlorlocal froxlorlocal 4096 Dec  9 15:17 .
drwxrwxr-x 3 root         root         4096 Dec  9 15:17 ..
-rwxr-x--- 1 froxlorlocal froxlorlocal  507 Dec  9 15:17 php-fcgi-starter
-rw-r--r-- 1 root         root         2068 Dec  9 15:17 php.ini

I created the test.php inside /var/www/html/ and Internal Server Error there too when running the cron job without your patch

...and with the patch? maybe better join discord so we can talk and check a bit faster....

  • Author

I there is no solution, I'll try to look into the php-fpm.. just nervous about a migration that's all.

It's really strange since the fcgi package apparently has not changed on Trixie, and I have another server running Bookworm and Froxlor 2.3.0, after launching the cron job I get the same permissions and no Internal Server Error and no errors on suexec, it all works fine.

/var/www/php-fcgi-scripts # ls -la
total 20
drwxr-xr-x  5 root root 4096 Dec  9 15:26 .
drwxr-xr-x 10 root root 4096 Oct 30 15:38 ..
drwxr-xr-x 22 root root 4096 Dec  9 15:26 development
drwxr-xr-x  3 root root 4096 Dec  9 15:26 froxlor.panel

I'll join discord, let me try with your patch and get back to you.

Thanks.

sounds like you should check what is different between server a (error) and server b (no error) - there was little to no changes in fcgid for years...dont really know where this would come from now

  • Author
7 minutes ago, d00p said:

...and with the patch? maybe better join discord so we can talk and check a bit faster....

with you patch and test.php with <?php phpinfo(); ?> same result, Internal Server Error

  • Author
1 minute ago, d00p said:

sounds like you should check what is different between server a (error) and server b (no error) - there was little to no changes in fcgid for years...dont really know where this would come from now

Yes I'll try to look into this.. just a bit lost where to look.

Or we'll just switch over to the way more modern php-fpm, takes 5 minutes, no issues

Create an account or sign in to comment
Go to topic listing

Account

Navigation

Search

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.