PHP suexec (binfmt)
Josh
bsd at kajs.co.nz
Thu Jun 28 05:52:02 UTC 2007
I wrote a mini howto thing on this a while ago
install apache 2.0, with suexec enabled.
Put these lines into /etc/make.conf:
SUEXEC_UIDMIN=500 - the lowest UID of your vhost
users. Normally 1000.
SUEXEC_GIDMIN=500 - the lowest GID of your vhost
users. Normally 1000.
SUEXEC_DOCROOT="/home/sites" - where the vhost directorys are.
Note the UIDMIN and GIDMIN. These can probably be omitted. I only put
them in there because I transferred some users from a linux system, on
which the UID's and GID's start at 500.
Now install apache:
cd /usr/ports/www/apache20
make install
echo "Hello"
In freebsd;
cd /usr/ports/lang/php5
make config
In the config set these options:
CLI - for php on command line.
CGI - For cgi use of php
SUHOSIN - Security enhancments for php
MAILHEAD - A gizmo.
REDIRECT
DISCARD
FASTCGI - Needed to use fastcgi or fcgid modules
PATHINO
Then run:
make install
Now install mod_fcgid:
cd /usr/ports/www/mod_fcgid
make install
( accept default options )
Now, in httpd.conf, make sure you have some lines like this in the
module section:
LoadModule suexec_module libexec/apache2/mod_suexec.so
LoadModule fcgid_module libexec/apache2/mod_fcgid.so
And then somewhere else in the httpd.conf, put this:
AddHandler php-script .php
Action php-script /cgi-bin/php
<Location /cgi-bin/>
# this is to handle php-cgi with mod_fcgid
SetHandler fcgid-script
# this is to handle php-cgi with mod_fastcgi
#SetHandler fastcgi-script
</Location>
Ok, now, in each <VirtualHost> entry that you want to run php, you need
to put this:
ScriptAlias /cgi-bin/ /path/to/vhost/users/home/dir/cgi-bin/
And in that users cgi-bin, you put this into a file called php:
#!/bin/sh
#PHPRC="/usr/local/etc/php/client" # can use this to set custom
php.ini
export PHPRC
PHP_FCGI_CHILDREN=4
export PHP_FCGI_CHILDREN
exec /usr/local/bin/php-cgi
And make the script executable, and owned by the virtual hosts user and
group.
You should use chflags to make it so that users cant mince around with
anything in the cgi-dir, or alternatively modify suexec.c to take the
check of the uid/gid of the cgi-bin dir and then you can make it owned
by root:wheel.
And, in theory, that should be it.
Start up apache and it should work.
After that you should consider making a php.ini for each and every
vhost, in which you set open_basedir and other gizmos to tighten things up.
This is only a quick 5 minute writeup, so it is more than likely I have
missed something.
Paulo Fragoso wrote:
> Hi,
>
> Are there any solution like linux binfmt
> (http://pookey.co.uk/wiki/php/security) for FreeBSD?
>
> We are migrating a multi-home PHP server running mod_php to new server
> without mod_php. We won't like to change all .php files to put
> #!/usr/local/bin/php
>
> Paulo Fragoso.
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
More information about the freebsd-isp
mailing list