Re: PHP suexec (binfmt)
- From: Josh <bsd@xxxxxxxxxx>
- Date: Thu, 28 Jun 2007 10:49:39 +1200
I wrote a mini howto thing on this a while ago
install apache 2.0, with suexec enabled.
Put these lines into /etc/make.conf:
SUEXEC_UIDMIN=500 - the lowest UID of your vhost users. Normally 1000.
SUEXEC_GIDMIN=500 - the lowest GID of your vhost users. Normally 1000.
SUEXEC_DOCROOT="/home/sites" - where the vhost directorys are.
Note the UIDMIN and GIDMIN. These can probably be omitted. I only put them in there because I transferred some users from a linux system, on which the UID's and GID's start at 500.
Now install apache:
cd /usr/ports/www/apache20
make install
echo "Hello"
In freebsd;
cd /usr/ports/lang/php5
make config
In the config set these options:
CLI - for php on command line.
CGI - For cgi use of php
SUHOSIN - Security enhancments for php
MAILHEAD - A gizmo.
REDIRECT
DISCARD FASTCGI - Needed to use fastcgi or fcgid modules
PATHINO Then run:
make install
Now install mod_fcgid:
cd /usr/ports/www/mod_fcgid
make install
( accept default options )
Now, in httpd.conf, make sure you have some lines like this in the module section:
LoadModule suexec_module libexec/apache2/mod_suexec.so
LoadModule fcgid_module libexec/apache2/mod_fcgid.so
And then somewhere else in the httpd.conf, put this:
AddHandler php-script .php
Action php-script /cgi-bin/php
<Location /cgi-bin/>
# this is to handle php-cgi with mod_fcgid
SetHandler fcgid-script
# this is to handle php-cgi with mod_fastcgi
#SetHandler fastcgi-script
</Location>
Ok, now, in each <VirtualHost> entry that you want to run php, you need to put this:
ScriptAlias /cgi-bin/ /path/to/vhost/users/home/dir/cgi-bin/
And in that users cgi-bin, you put this into a file called php:
#!/bin/sh
#PHPRC="/usr/local/etc/php/client" # can use this to set custom php.ini
export PHPRC
PHP_FCGI_CHILDREN=4
export PHP_FCGI_CHILDREN
exec /usr/local/bin/php-cgi
And make the script executable, and owned by the virtual hosts user and group.
You should use chflags to make it so that users cant mince around with anything in the cgi-dir, or alternatively modify suexec.c to take the check of the uid/gid of the cgi-bin dir and then you can make it owned by root:wheel.
And, in theory, that should be it.
Start up apache and it should work.
After that you should consider making a php.ini for each and every vhost, in which you set open_basedir and other gizmos to tighten things up.
This is only a quick 5 minute writeup, so it is more than likely I have missed something.
Paulo Fragoso wrote:
Hi,
Are there any solution like linux binfmt (http://pookey.co.uk/wiki/php/security) for FreeBSD?
We are migrating a multi-home PHP server running mod_php to new server without mod_php. We won't like to change all .php files to put #!/usr/local/bin/php
Paulo Fragoso.
_______________________________________________
freebsd-isp@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@xxxxxxxxxxx"
_______________________________________________
freebsd-isp@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@xxxxxxxxxxx"
- References:
- PHP suexec (binfmt)
- From: Paulo Fragoso
- PHP suexec (binfmt)
- Prev by Date: PHP suexec (binfmt)
- Next by Date: problem found in sent message "Mail Delivery System (pila@pclab.pl)"
- Previous by thread: PHP suexec (binfmt)
- Next by thread: problem found in sent message "Mail Delivery System (pila@pclab.pl)"
- Index(es):
Relevant Pages
|
|
