From: Peter Risdon
Date: Tue, 27 Apr 2004 10:43:11 +0100
To: Mikkel Christensen
Cc: freebsd-questions@freebsd.org
Subject: Re: Suexec with Apache 1.3.29

Mikkel Christensen wrote:

>On Tuesday 27 April 2004 08:55, Peter Risdon wrote:
>
>>Mikkel Christensen wrote:
>>
>>>On Monday 26 April 2004 21:49, Marty Landman wrote:
>>>
>>>>At 05:26 PM 4/26/2004, Mikkel Christensen wrote:
>>>>Sounds like suexec didn't get compiled into Apache, at least the one you're
>>>>running.
>>>>
>>>But in that case apache would complain that the User and Group keyword didn't exist. Just like it does with a non suexec installation.
>>>A webserver without suexec refuses to start if it encounters User or Group in the configuration.
>>>
>>One thing occurs to me - you are obviously using php. php scripts under
>>apache do not by default run as cgi under mod_php and so even with
>>suexec compiled successfully into your apache, these will still run as
>>the default apache user.
>>
>>To alter this behaviour, you need to compile php to provide the cgi
>>version of the interpreter.
>>
>>I posted a mail here a couple of months ago discussing this, because
>>there is then a problem if users, especially on a multi-homed system,
>>are using the non-cgi version of php. It is possible to have both, and
>>also the command line interpreter, but only with a little bit of
>>fiddling about.
>>
>>http://lists.freebsd.org/pipermail/freebsd-questions/2004-February/037878.html
>>
>
>Thanks for your input.
>I'm not interested in running php as CGI at the moment though.
>The principle of asking all users to add the #!/usr/local/bin/php is something I predict would give great problems in a production environment.
>

Absolutely. That's why I needed a way to have both cgi and mod_php. And it works fine with both. My thought was that running php scripts as cgi allows restrictive permissions to be set on those scripts that protect the owner of those scripts. So if users do not wish to take advantage of this, it's up to them and they can still use mod_php in the normal way.

>Apparently this patch makes php run under suexec though it doesn't run as a usual cli cgi-script: http://www.localhost.nl/patches/
>

I felt unsure of using this patch in a production environment. With something this central to hosting, I need a better idea of installed base and security ramifications than I was able to find for this patch.

>This I might look into later.
>For now if I can just get suexec to work it will be the foundation for any later configuration.
>

It did sound as though it might be working already, if I remember your earlier posts correctly. As discussed above, your php scripts will not run suexec even if suexec is working properly. No entries will appear in /var/log/httpd-suexec.log when you run one of the php scripts because it isn't running suexec. That's not a fault, it's how it is meant to work.

Have you tried a perl cgi script just to test the principle?

I might have missed this in an earlier post, but when apache starts do you get lines in your /var/log/httpd-error.log like this:

[notice] suEXEC mechanism enabled (wrapper: /usr/local/sbin/suexec)

If so, it's working.

PWR.
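
The two checks suggested in the message above, written out as a small shell script. This is an added example, not code from the thread: the function names `suexec_wrapper` and `whoami_cgi` are hypothetical, and the script assumes it is installed as an ordinary CGI script in a virtual host that sets User and Group.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are
# hypothetical; the log path is passed in by the caller.

# Print the wrapper path from the most recent "suEXEC mechanism enabled"
# notice in an Apache error log.
# Returns 1 if the log holds no such notice, 2 if the log is unreadable.
suexec_wrapper() {
    log=$1
    [ -r "$log" ] || return 2
    line=$(grep 'suEXEC mechanism enabled' "$log" | tail -n 1)
    [ -n "$line" ] || return 1
    # Notice format: [notice] suEXEC mechanism enabled (wrapper: /path/to/suexec)
    printf '%s\n' "$line" | sed -n 's/.*(wrapper: \([^)]*\)).*/\1/p'
}

# CGI response that reports the identity the script really runs under.
# With suEXEC in effect this shows the virtual host's User and Group;
# without it, the default Apache user appears instead.
whoami_cgi() {
    printf 'Content-Type: text/plain\n\n'
    id
}

# When started by the web server as a CGI script (the CGI environment sets
# GATEWAY_INTERFACE), answer the request. Otherwise the file only defines
# the functions, so it can be sourced to check a log by hand.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    whoami_cgi
fi
```

A request served by mod_php never reaches this path, so a matching test for PHP scripts will keep showing the default Apache user, as the message explains.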