PHP suexec (binfmt)

Josh bsd at kajs.co.nz
Thu Jun 28 05:52:02 UTC 2007


I wrote a mini howto thing on this a while ago



Install Apache 2.0 with suexec enabled.

Put these lines into /etc/make.conf:
    SUEXEC_UIDMIN=500               - the lowest UID of your vhost users. Normally 1000.
    SUEXEC_GIDMIN=500               - the lowest GID of your vhost users. Normally 1000.
    SUEXEC_DOCROOT="/home/sites"    - where the vhost directories are.

Note the UIDMIN and GIDMIN. These can probably be omitted. I only put 
them in there because I transferred some users from a Linux system, on 
which the UIDs and GIDs start at 500.

Now install apache:
    cd /usr/ports/www/apache20
    make install


In FreeBSD:
    cd /usr/ports/lang/php5
    make config

In the config set these options:
    CLI            - for PHP on the command line.
    CGI            - for CGI use of PHP; this builds /usr/local/bin/php-cgi, which the wrapper below execs.
    SUHOSIN        - security enhancements for PHP.
    MAILHEAD       - the mail header patch: adds an X-PHP-Script header to mail sent via mail(), so spam can be traced to the script and vhost that sent it.
    REDIRECT       - force-cgi-redirect: php-cgi refuses to run unless it was reached through an Apache redirect (the Action line below), so it can't be called directly with an arbitrary script path.
    DISCARD        - discard-path support.
    FASTCGI        - needed to use the fastcgi or fcgid modules.
    PATHINFO       - path-info-check support.
   
Then run:
    make install

Now install mod_fcgid:
    cd /usr/ports/www/mod_fcgid
    make install
    ( accept default options )


Now, in httpd.conf, make sure you have some lines like this in the 
module section:

    LoadModule suexec_module    libexec/apache2/mod_suexec.so
    LoadModule fcgid_module     libexec/apache2/mod_fcgid.so


And then somewhere else in the httpd.conf, put this:

AddHandler php-script .php
Action php-script /cgi-bin/php

<Location /cgi-bin/>

    # this is to handle php-cgi with mod_fcgid
    SetHandler  fcgid-script

    # this is to handle php-cgi with mod_fastcgi
    #SetHandler  fastcgi-script

</Location>


Ok, now, in each <VirtualHost> entry that you want to run php, you need 
a SuexecUserGroup directive naming that vhost's user and group (that is 
what makes mod_suexec, and mod_fcgid through it, run the vhost's CGI as 
that user instead of as the Apache user; without it nothing is suexec'd), 
and this:
    ScriptAlias /cgi-bin/ /path/to/vhost/users/home/dir/cgi-bin/

The cgi-bin path has to be under SUEXEC_DOCROOT (/home/sites above), or 
suexec will refuse to run anything in it.


And in that user's cgi-bin, put this into a file called php:

    #!/bin/sh
    # Uncomment PHPRC to give this vhost its own php.ini; it names the
    # directory that holds php.ini, not the file itself.
    #PHPRC="/usr/local/etc/php/client"
    #export PHPRC
    PHP_FCGI_CHILDREN=4
    export PHP_FCGI_CHILDREN
    exec /usr/local/bin/php-cgi

Make the script executable (mode 0755; if it or its directory is group- 
or world-writable, suexec refuses to run it) and owned by the virtual 
host's user and group.

You should use chflags (the schg immutable flag) so that users can't 
mince around with anything in the cgi-bin dir, or alternatively modify 
suexec.c to take out the uid/gid check on the cgi-bin dir, after which 
you can make it owned by root:wheel. Bear in mind that check is there so 
suexec only runs programs from a directory the target user owns, and a 
patched suexec is a local change you have to carry across port upgrades.

And, in theory, that should be it.

Start up apache and it should work.

After that you should consider making a php.ini for each and every 
vhost, in which you set open_basedir and other gizmos to tighten things up.

This is only a quick 5 minute writeup, so it is more than likely I have 
missed something.
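The whole procedure above, as one runnable script. This is an added example, not code from the original post: it emits the per-vhost httpd.conf stanza (including the SuexecUserGroup directive the post's vhost needs), writes the post's php wrapper with the permissions suexec expects, and pre-checks the conditions suexec enforces, since a suexec refusal shows up in Apache's error_log only as "Premature end of script headers" and the real reason is in suexec_log. The paths /home/sites and /usr/local/bin/php-cgi follow the post; the vhost name example.com, the function names, and the added PHP_FCGI_MAX_REQUESTS line are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds one vhost's
# cgi-bin with the php wrapper, prints the matching <VirtualHost> stanza,
# and pre-checks the conditions suexec enforces before Apache tries.
# /home/sites and /usr/local/bin/php-cgi follow the post; example.com and
# the function names are made up for this example.

# vhost_stanza NAME USER GROUP DOCROOT
# SuexecUserGroup is what switches mod_suexec (and mod_fcgid through it)
# to USER:GROUP for this vhost; DOCROOT must be the SUEXEC_DOCROOT value.
vhost_stanza() {
    name=$1; user=$2; group=$3; docroot=$4
    cat <<EOF
<VirtualHost *:80>
    ServerName $name
    DocumentRoot $docroot/$name/htdocs
    SuexecUserGroup $user $group
    ScriptAlias /cgi-bin/ $docroot/$name/cgi-bin/
    AddHandler php-script .php
    Action php-script /cgi-bin/php
    <Location /cgi-bin/>
        SetHandler fcgid-script
    </Location>
</VirtualHost>
EOF
}

# make_php_wrapper DIR USER GROUP
# Writes the post's wrapper to DIR/php with the permissions suexec wants.
# chown needs root, so it is only attempted when running as root.
make_php_wrapper() {
    dir=$1; user=$2; group=$3
    mkdir -p "$dir" || return 1
    cat > "$dir/php" <<'EOF'
#!/bin/sh
# PHPRC names the directory holding this vhost's php.ini (open_basedir etc.)
#PHPRC="/home/sites/example.com/etc"; export PHPRC
PHP_FCGI_CHILDREN=4; export PHP_FCGI_CHILDREN
# Added to the post's script: recycle php-cgi after N requests (leak guard)
PHP_FCGI_MAX_REQUESTS=500; export PHP_FCGI_MAX_REQUESTS
exec /usr/local/bin/php-cgi
EOF
    chmod 0755 "$dir" "$dir/php" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user:$group" "$dir" "$dir/php" || return 1
    fi
    return 0
}

# suexec_precheck USER GROUP DOCROOT UIDMIN GIDMIN TARGET
# The checks suexec.c makes before exec'ing TARGET: uid/gid not below the
# configured minimums, TARGET under DOCROOT (a string prefix here; suexec
# compares after chdir+getcwd, so symlinks are resolved there), TARGET and
# its directory owned by USER:GROUP, neither group/world writable, no
# setuid/setgid bit, and TARGET a regular executable file.
# Returns 0 when all pass, 1 with the first failing check on stdout.
suexec_precheck() {
    user=$1; group=$2; docroot=$3; uidmin=$4; gidmin=$5; target=$6
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user"; return 1; }
    case $group in
        *[!0-9]*) gid=$(awk -F: -v g="$group" '$1 == g { print $3 }' /etc/group) ;;
        *) gid=$group ;;
    esac
    [ -n "$gid" ] || { echo "no such group: $group"; return 1; }
    [ "$uid" -ge "$uidmin" ] || { echo "uid $uid below SUEXEC_UIDMIN=$uidmin"; return 1; }
    [ "$gid" -ge "$gidmin" ] || { echo "gid $gid below SUEXEC_GIDMIN=$gidmin"; return 1; }
    case $target in
        "$docroot"/*) ;;
        *) echo "$target is outside SUEXEC_DOCROOT=$docroot"; return 1 ;;
    esac
    [ -f "$target" ] && [ -x "$target" ] ||
        { echo "$target is not a regular executable file"; return 1; }
    for f in "$(dirname "$target")" "$target"; do
        ok=$(find "$f" -prune -user "$user" -group "$group" \
                 ! -perm -g+w ! -perm -o+w ! -perm -u+s ! -perm -g+s -print)
        [ -n "$ok" ] ||
            { echo "$f: must be owned by $user:$group, not group/world writable, no setuid/setgid"; return 1; }
    done
    return 0
}
```

Source the file and call the functions, e.g. `vhost_stanza example.com www1 www1 /home/sites >> /usr/local/etc/apache2/httpd.conf` followed by `make_php_wrapper /home/sites/example.com/cgi-bin www1 www1` as root, then `suexec_precheck www1 www1 /home/sites 1000 1000 /home/sites/example.com/cgi-bin/php` before starting Apache. One caveat on the wrapper: mod_fcgid manages its own pool of php-cgi processes, so it is usually better to leave PHP_FCGI_CHILDREN unset (or 0) under fcgid; the value 4 is kept only to match the post.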


Paulo Fragoso wrote:
> Hi,
>
> Are there any solution like linux binfmt 
> (http://pookey.co.uk/wiki/php/security) for FreeBSD?
>
> We are migrating a multi-homed PHP server running mod_php to a new server 
> without mod_php. We don't want to change all .php files to put 
> #!/usr/local/bin/php
>
> Paulo Fragoso.
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"


