suPHP - secure/reliable?

Sam Nilsson lists at servingpeace.com
Thu Nov 3 18:53:18 GMT 2005


jonas wrote:
> I'd be really interested to hear some few details about installation through 
> the ports. From what I saw in the FastCGI documentation you need to do some 
> strange configuration changes to your httpd.conf, so that .php files are 
> properly passed to the FastCGI handler and that they'll be executed under the 
> correct user. Could you share a quick overview what you did to get this up 
> and running, apart from making install?
> 
> Thanks!

Sure. Here is the basic method that I used to build apache2 with suexec, 
fastcgi, and php5. These instructions come from my notes, so there are 
probably some mistakes and typos. Setting this stuff up is a process:

-- Install Ports:

Edit /usr/local/etc/pkgtools.conf. Add the following to the MAKE_ARGS 
section:

'www/apache2*' => 'WITH_SUEXEC=yes SUEXEC_DOCROOT=/usr/local/www SUEXEC_USERDIR=public_html',
'www/mod_fastcgi*' => 'WITH_APACHE2=yes',
'www/php5-cgi*' => 'WITH_FASTCGI=yes',

$ portupgrade -pNi www/apache2
$ portupgrade -pNi www/mod_fastcgi
$ portupgrade -pNi www/php5-cgi

-- Setup Apache:

Add the following to the /usr/local/etc/apache2/httpd.conf - global section

FastCgiIpcDir /usr/local/fastcgi-ipc
FastCgiWrapper sbin/suexec

Edit any virtual hosts in httpd.conf following this example:

<VirtualHost *:80>
    ServerName virtual-domain.tld
    DocumentRoot /usr/local/www/virtual/virtual-domain.tld/public_html
    ...

    # Run CGI and FastCGI processes for this host as the customer's account
    SuexecUserGroup username groupname
    # alternatively, by numeric ids:
    # SuexecUserGroup #userid #groupid
    AddHandler php-fastcgi .php
    Alias /cgi-bin/ /usr/local/www/virtual/virtual-domain.tld/cgi-bin/
    <Location /cgi-bin/php>
        SetHandler fastcgi-script
        Options ExecCGI
    </Location>
    # .php requests are handed to this host's own wrapper, cgi-bin/php
    Action php-fastcgi /cgi-bin/php
    AddType application/x-httpd-php .php
</VirtualHost>


-- Other Apache Config Issues:

In order for php to work with this setup, each virtual host must have 
its own cgi-bin directory.

     * The cgi-bin directory must be owned by the customer's uid and gid 
(from /etc/passwd).
     * All cgi scripts must be owned by the customer's uid/gid.
     * The cgi-bin directory must contain the following script which 
must also be owned by the customer's uid/gid.

$ cat /usr/local/www/virtual/virtual-domain.tld/cgi-bin/php
#!/bin/sh
# Per-host FastCGI wrapper. suexec runs it as the SuexecUserGroup account,
# so this file and its directory must be owned by that uid/gid.

PHPRC="/usr/local/etc/php/php.ini" # or any custom php.ini file
export PHPRC
# Optional: number of PHP worker children to fork for this host
#PHP_FCGI_CHILDREN=4
#export PHP_FCGI_CHILDREN
# exec replaces the shell so php inherits the FastCGI socket directly
exec /usr/local/bin/php

----

Now you can run a script like 
/usr/local/www/virtual/virtual-domain.tld/public_html/test.php and it 
will be run using suexec and fastcgi. It doesn't matter who owns the 
test.php script file, just the ownership of /cgi-bin and /cgi-bin/php.

If you want to run normal cgi scripts from public_html, then the script 
and its parent directory must be owned exactly as indicated by the 
SuexecUserGroup directive.

Let me know if you need any clarifications or if you have any more 
questions.

- Sam
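The ownership rules Sam lists for cgi-bin and cgi-bin/php are the ones suexec enforces at run time, and when one of them fails the only symptom in error_log is usually "Premature end of script headers". The script below is an added example, not code from the original post or from the FreeBSD ports: it applies the same rules suexec does (owner and group must match, neither the directory nor the wrapper may be group- or world-writable, the wrapper may not be setuid/setgid or a symlink and must be executable, the uid/gid may not be 0 or below the build minimums, and the directory must sit under the suexec docroot) so a vhost can be audited before it is put into service. It assumes SUEXEC_DOCROOT=/usr/local/www as in the MAKE_ARGS above and the default minimum uid/gid of 1000; both are assumptions and can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check that applies
# suexec's ownership and permission rules to a per-vhost FastCGI wrapper.
# Assumed build settings, overridable from the environment:
: "${SUEXEC_DOCROOT:=/usr/local/www}"
: "${SUEXEC_UIDMIN:=1000}"
: "${SUEXEC_GIDMIN:=1000}"

# check_node PATH WANT_UID WANT_GID KIND   (KIND is "directory" or "wrapper")
# Owner and mode come from "ls -ldn", which prints numeric ids on both GNU
# and BSD ls; stat(1) flags differ between the two.
check_node() {
    node=$1 want_uid=$2 want_gid=$3 kind=$4
    set -- $(ls -ldn "$node")
    perm=$1 uid=$3 gid=$4
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "refused: $kind $node is owned by $uid:$gid, wanted $want_uid:$want_gid"
        return 1
    fi
    # suexec rejects group-writable as well as world-writable paths
    case $(printf '%s\n' "$perm" | cut -c6,9) in
        *w*) echo "refused: $kind $node is group- or world-writable"; return 1 ;;
    esac
    if [ "$kind" = wrapper ]; then
        # setuid/setgid show as s or S in the user/group exec columns
        case $(printf '%s\n' "$perm" | cut -c4,7) in
            *[sS]*) echo "refused: wrapper $node is setuid or setgid"; return 1 ;;
        esac
        case $(printf '%s\n' "$perm" | cut -c4) in
            x) ;;
            *) echo "refused: wrapper $node is not executable by its owner"; return 1 ;;
        esac
    fi
    return 0
}

# suexec_precheck DIR CMD UID GID
# Returns 0 if suexec would run DIR/CMD as numeric UID:GID; otherwise prints
# the first rule that fails and returns 1.
suexec_precheck() {
    dir=$1 cmd=$2 want_uid=$3 want_gid=$4
    if [ "$want_uid" -eq 0 ] || [ "$want_gid" -eq 0 ]; then
        echo "refused: suexec never runs as uid or gid 0"; return 1
    fi
    if [ "$want_uid" -lt "$SUEXEC_UIDMIN" ] || [ "$want_gid" -lt "$SUEXEC_GIDMIN" ]; then
        echo "refused: $want_uid:$want_gid is below SUEXEC_UIDMIN/SUEXEC_GIDMIN"; return 1
    fi
    case $dir in
        "$SUEXEC_DOCROOT"|"$SUEXEC_DOCROOT"/*) ;;
        *) echo "refused: $dir is outside SUEXEC_DOCROOT=$SUEXEC_DOCROOT"; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "refused: $dir is not a directory"; return 1; }
    if [ -L "$dir/$cmd" ] || [ ! -f "$dir/$cmd" ]; then
        echo "refused: $dir/$cmd is missing, a symlink, or not a regular file"; return 1
    fi
    check_node "$dir" "$want_uid" "$want_gid" directory || return 1
    check_node "$dir/$cmd" "$want_uid" "$want_gid" wrapper || return 1
    echo "ok: $dir/$cmd would run as $want_uid:$want_gid"
}

# Usage: sh suexec_precheck.sh /usr/local/www/virtual/virtual-domain.tld/cgi-bin php 1001 1001
if [ $# -eq 4 ]; then
    suexec_precheck "$@"
fi
```

Run it with the wrapper directory, the wrapper name and the numeric uid/gid you put in SuexecUserGroup. Note that, as Sam says, test.php under public_html is not checked at all; only the wrapper and its directory are.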


More information about the freebsd-questions mailing list