From: Josh <bsd@kajs.co.nz>
To: Paulo Fragoso, freebsd-isp@freebsd.org
Subject: Re: PHP suexec (binfmt)
Date: Thu, 28 Jun 2007 10:49:39 +1200
Message-ID: <4682E983.4050507@kajs.co.nz>
In-Reply-To: <4682D528.7060107@nlink.com.br>
References: <4682D528.7060107@nlink.com.br>
List-Id: Internet Services Providers <freebsd-isp.freebsd.org>

I wrote a mini howto thing on this a while ago.

Install apache 2.0, with suexec enabled. Put these lines into /etc/make.conf:

    # port knob that builds the suexec helper at all
    WITH_SUEXEC=yes
    # the lowest UID of your vhost users. Normally 1000.
    SUEXEC_UIDMIN=500
    # the lowest GID of your vhost users. Normally 1000.
    SUEXEC_GIDMIN=500
    # where the vhost directories are.
    SUEXEC_DOCROOT="/home/sites"

Note the UIDMIN and GIDMIN. These can probably be omitted. I only put them in there because I transferred some users from a linux system, on which the UIDs and GIDs start at 500.

Now install apache:

    cd /usr/ports/www/apache20
    make install

Now install php5. In freebsd:

    cd /usr/ports/lang/php5
    make config

In the config set these options:

    CLI      - for php on the command line.
    CGI      - for cgi use of php
    SUHOSIN  - security enhancements for php
    MAILHEAD - a gizmo.
    REDIRECT
    DISCARD
    FASTCGI  - needed to use the fastcgi or fcgid modules
    PATHINFO

Then run:

    make install

Now install mod_fcgid (accept the default options):

    cd /usr/ports/www/mod_fcgid
    make install

Now, in httpd.conf, make sure you have some lines like this in the module section:

    LoadModule suexec_module libexec/apache2/mod_suexec.so
    LoadModule fcgid_module libexec/apache2/mod_fcgid.so

And then somewhere else in the httpd.conf, put this:

    AddHandler php-script .php
    Action php-script /cgi-bin/php

    # scope the handler to the wrapper the Action directive points at
    <Location /cgi-bin/php>
        # this is to handle php-cgi with mod_fcgid
        SetHandler fcgid-script
        # this is to handle php-cgi with mod_fastcgi
        #SetHandler fastcgi-script
    </Location>

Ok, now, in each <VirtualHost> entry that you want to run php, you need to put this:

    # the user and group suexec switches to for this vhost
    SuexecUserGroup vhostuser vhostgroup
    ScriptAlias /cgi-bin/ /path/to/vhost/users/home/dir/cgi-bin/

And in that user's cgi-bin, you put this into a file called php:

    #!/bin/sh
    # can use this to set a custom php.ini
    #PHPRC="/usr/local/etc/php/client"
    export PHPRC
    # number of php-cgi children mod_fcgid may keep alive for this vhost
    PHP_FCGI_CHILDREN=4
    export PHP_FCGI_CHILDREN
    exec /usr/local/bin/php-cgi

And make the script executable, and owned by the virtual host's user and group. You should use chflags to make it so that users can't mince around with anything in the cgi-dir, or alternatively modify suexec.c to take out the check of the uid/gid of the cgi-bin dir and then you can make it owned by root:wheel.

And, in theory, that should be it. Start up apache and it should work.

After that you should consider making a php.ini for each and every vhost, in which you set open_basedir and other gizmos to tighten things up.

This is only a quick 5 minute writeup, so it is more than likely I have missed something.

Paulo Fragoso wrote:
> Hi,
>
> Are there any solution like linux binfmt
> (http://pookey.co.uk/wiki/php/security) for FreeBSD?
>
> We are migrating a multi-home PHP server running mod_php to new server
> without mod_php. We won't like to change all .php files to put
> #!/usr/local/bin/php
>
> Paulo Fragoso.
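The howto above ends with "make the script executable, and owned by the virtual host's user and group", and suexec refuses a wrapper that does not meet its ownership and permission rules with only a terse line in suexec.log. The following is an added example, not code from Josh's post or from Apache: a small Python pre-flight audit that re-implements the documented suexec checks (target UID/GID not below UIDMIN/GIDMIN, wrapper and its directory owned by the same user and group, neither writable by group or others, no setuid/setgid bit, directory under SUEXEC_DOCROOT) so a misconfigured vhost cgi-bin is caught before Apache is restarted. The UIDMIN/GIDMIN defaults are the 500 from the post's make.conf; the demo directory layout and the `make_stat` helper are constructed for offline use and are not part of any real tool.

```python
"""Pre-flight audit of a vhost's cgi-bin wrapper against suexec's rules.

Added example: re-implements, in Python, the ownership, permission and
UID/GID checks that Apache's suexec helper performs before it will run
a target. Not code from the mailing-list post or from Apache.
"""
import os
import stat
import tempfile

SUEXEC_UIDMIN = 500   # from the post's make.conf; site-specific
SUEXEC_GIDMIN = 500


def under_docroot(cgidir, docroot):
    """True if cgidir is docroot itself or a path beneath it (string check)."""
    cgidir = os.path.normpath(cgidir)
    docroot = os.path.normpath(docroot)
    return cgidir == docroot or cgidir.startswith(docroot + os.sep)


def check_stats(file_st, dir_st, uidmin=SUEXEC_UIDMIN, gidmin=SUEXEC_GIDMIN):
    """Apply suexec's ownership/permission rules to two stat results.

    Returns a list of problems; an empty list means suexec would accept
    the target as far as these checks go.
    """
    problems = []
    if not stat.S_ISREG(file_st.st_mode):
        problems.append("wrapper is not a regular file")
    if not stat.S_ISDIR(dir_st.st_mode):
        problems.append("cgi-bin is not a directory")
    # Target UID/GID must not be below the configured minimums; this is
    # what keeps root and system accounts from becoming suexec targets.
    if file_st.st_uid < uidmin:
        problems.append(f"wrapper uid {file_st.st_uid} is below SUEXEC_UIDMIN={uidmin}")
    if file_st.st_gid < gidmin:
        problems.append(f"wrapper gid {file_st.st_gid} is below SUEXEC_GIDMIN={gidmin}")
    # Directory and target must be owned by the same user and group.
    if (dir_st.st_uid, dir_st.st_gid) != (file_st.st_uid, file_st.st_gid):
        problems.append("cgi-bin owner differs from wrapper owner")
    # Neither may be writable by group or others.
    if dir_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("cgi-bin is group- or world-writable")
    if file_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("wrapper is group- or world-writable")
    # Setuid/setgid targets are refused outright.
    if file_st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("wrapper is setuid or setgid")
    if not file_st.st_mode & stat.S_IXUSR:
        problems.append("wrapper is not executable by its owner")
    return problems


def audit_wrapper(wrapper, docroot, uidmin=SUEXEC_UIDMIN, gidmin=SUEXEC_GIDMIN):
    """Stat a real wrapper and its directory and run every check."""
    wrapper = os.path.realpath(wrapper)
    cgidir = os.path.dirname(wrapper)
    problems = []
    if not under_docroot(cgidir, os.path.realpath(docroot)):
        problems.append("cgi-bin is outside SUEXEC_DOCROOT")
    try:
        file_st, dir_st = os.stat(wrapper), os.stat(cgidir)
    except OSError as exc:
        return problems + [f"cannot stat: {exc}"]
    return problems + check_stats(file_st, dir_st, uidmin, gidmin)


def make_stat(mode, uid, gid, is_dir=False):
    """Build a constructed os.stat_result so check_stats can be tried offline."""
    ftype = stat.S_IFDIR if is_dir else stat.S_IFREG
    return os.stat_result((ftype | mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


if __name__ == "__main__":
    # Constructed demo: lay out <docroot>/example/cgi-bin/php in a temp dir
    # and report what suexec would object to under the current account.
    with tempfile.TemporaryDirectory() as docroot:
        cgidir = os.path.join(docroot, "example", "cgi-bin")
        os.makedirs(cgidir, mode=0o755)
        wrapper = os.path.join(cgidir, "php")
        with open(wrapper, "w") as fh:
            fh.write("#!/bin/sh\nexec /usr/local/bin/php-cgi\n")
        os.chmod(wrapper, 0o755)
        for line in audit_wrapper(wrapper, docroot) or ["ok"]:
            print(line)
```

Run it as the vhost user against the real wrapper path and SUEXEC_DOCROOT to see, before the first request, which rule a group-writable cgi-bin or a wrapper left owned by root would trip. The directory-ownership rule is the one the post suggests patching out of suexec.c; keeping it and using chflags on the cgi-bin instead leaves that defence in place.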