aboutsummaryrefslogtreecommitdiff
path: root/network/suphp
diff options
context:
space:
mode:
Diffstat (limited to 'network/suphp')
-rw-r--r--network/suphp/README20
-rw-r--r--network/suphp/README.SLACKWARE42
-rw-r--r--network/suphp/config/mod_suphp.conf41
-rw-r--r--network/suphp/config/suphp.conf56
-rw-r--r--network/suphp/doinst.sh1
-rw-r--r--network/suphp/patches/suphp-0.7.1-nosuid.diff18
-rw-r--r--network/suphp/slack-desc6
-rw-r--r--network/suphp/suphp-0.6.3-vhosts.patch29
-rw-r--r--network/suphp/suphp.SlackBuild63
-rw-r--r--network/suphp/suphp.conf46
-rw-r--r--network/suphp/suphp.info6
11 files changed, 204 insertions, 124 deletions
diff --git a/network/suphp/README b/network/suphp/README
index 669b5b5bda88f..53352c385749d 100644
--- a/network/suphp/README
+++ b/network/suphp/README
@@ -1,22 +1,4 @@
suPHP is a tool for executing PHP scripts with the permissions of their
owners. It consists of an Apache module (mod_suphp) and a setuid root
binary (suphp) that is called by the Apache module to change the uid of
-the process executing the PHP interpreter.
-
-This version was compiled to look for its config-file in /etc/httpd
-rather then just /etc as 'httpd' looks there aswell.
-
-Some of the 'standard' /etc/httpd/httpd.conf directives include:
-
- LoadModule suphp_module /usr/lib/httpd/modules/mod_suphp.so
- suPHP_Engine on
- AddHandler x-httpd-php .php
- suPHP_AddHandler x-httpd-php
- suPHP_UserGroup someuser users
-
-To use different php versions 'per vhost' see:
-http://www.howtoforge.com/apache2_suphp_php4_php5
-
-mod_php can be reduced (greatly) by rebuilding PHP for FastCGI and
-using mod_fcgid; however, that requires additional configuration.
-See http://fastcgi.coremail.cn/configuration.htm for details.
+the process executing the PHP interpreter. See also README.SLACKWARE
diff --git a/network/suphp/README.SLACKWARE b/network/suphp/README.SLACKWARE
new file mode 100644
index 0000000000000..b3aaa7451bc1f
--- /dev/null
+++ b/network/suphp/README.SLACKWARE
@@ -0,0 +1,42 @@
+suphp README.SLACKWARE
+
+This version was compiled to look for its config file in /etc/httpd
+rather then just /etc as 'httpd' looks there aswell.
+
+To enable this make sure to disable mod_php first, then (after editing
+as needed for your site) add to /etc/httpd/httpd.conf:
+
+ Include /etc/httpd/mod_suphp.conf
+
+Unlike suEXEC, suPHP tries to fix variables like $_SERVER['SCRIPT_NAME']
+
+Apache php_* directives in .htaccess files will only work if you install
+the 'htscanner' PHP extension (available from SBo also). However, not
+every setting will work that way; using a php.ini per vhost is another
+option available, configurable in /etc/http/mod_suphp.conf
+
+Upon each connection getpwnam() and similar user-db functions are run,
+which may hinder performance on systems with many accounts (or that use
+some kind of external db system) in which case running 'nscd' may help:
+http://groups.google.nl/group/alt.os.linux.slackware/msg/7032b8ec0e2b11b3
+
+To use different php versions 'per vhost' see:
+http://www.howtoforge.com/apache2_suphp_php4_php5
+
+==
+
+Note on capabilities: FCAPS=true
+
+Which, if set, will install the wrapper non-setuid. For this to work
+however filesystem support must be available (ext3 has this support).
+Your backup tool might ignore, or not know about, extended attribs...
+
+Besides the 'apache' user must be able to write to its logfile, e.g.
+drwxrwxr-x 2 root apache 4096 2009-04-05 00:29 /var/log/httpd
+-rw-rw-r-- 1 root apache 2212 2009-04-05 13:45 /var/log/httpd/suphp_log
+Which might have some consequence in logrotate configuration too.
+
+In case Apache is chrooted (for instance with mod_chroot available from
+SBo as well), breaking out should be much harder if installed this way, as
+ptrace, chroot, etc will be unavailable to get via suphp within the jail.
+
diff --git a/network/suphp/config/mod_suphp.conf b/network/suphp/config/mod_suphp.conf
new file mode 100644
index 0000000000000..60d6d157f283f
--- /dev/null
+++ b/network/suphp/config/mod_suphp.conf
@@ -0,0 +1,41 @@
+# ===========================
+# == suPHP Apache module ==
+# ===========================
+
+# Invite this baby in.
+LoadModule suphp_module /usr/lib/httpd/modules/mod_suphp.so
+
+# Tell her what maybe on the menu here.
+AddHandler x-httpd-php .php .php3 .php4 .php5
+
+# This option tells mod_suphp if a PHP-script requested on this server (or
+# VirtualHost) should be run with the PHP-interpreter or returned to the
+# browser "as it is".
+suPHP_Engine on
+
+# This option tells mod_suphp which path to pass on to the PHP-interpreter
+# (by setting the PHPRC environment variable).
+# Do *NOT* refer to a file but to the directory the file resists in.
+# If you don't use this option, PHP will use its compiled in default path.
+#suPHP_ConfigPath (expects a path name)
+
+# Specify the user- and groupname to run PHP-scripts with. This setting
+# can only be used within a <Directory> or <Location> context.
+suPHP_UserGroup nfsnobody users
+
+# Tells mod_suphp to handle requests with the type <mime-type>.
+# Please note this only works, if an action for the handler is specified
+# in the suPHP configuration file. Settings on per-directory level supersede
+# settings made on per-server level.
+suPHP_AddHandler x-httpd-php
+
+# Tells mod_suphp NOT to handle requests with the type <mime-type>. This will
+# override the suPHP_AddHandler setting made on a higher configuration level.
+#suPHP_RemoveHandler <mime-type>
+
+# Sets the path to the PHP binary that is used to render files with the
+# "x-httpd-php" or "application/x-httpd-php" type. This setting does
+# *NOT* affect the PHP binary used for serving script requests, which is
+# still configured in suphp.conf.
+#suPHP_PHPPath (expects a path name)
+
diff --git a/network/suphp/config/suphp.conf b/network/suphp/config/suphp.conf
new file mode 100644
index 0000000000000..b973e9f97ed97
--- /dev/null
+++ b/network/suphp/config/suphp.conf
@@ -0,0 +1,56 @@
+[global]
+; Path to logfile
+; This is set to where Apache logs reside aswell
+logfile=/var/log/httpd/suphp_log
+
+; Loglevel
+loglevel=info
+
+; User Apache is running as
+webserver_user=apache
+
+; Path all scripts have to be in
+; This should reflect the vhosts DocumentRoot
+docroot=/var/www:${HOME}/public_html
+
+; Path to chroot() to before executing script
+;chroot=/mychroot
+
+; Security options
+; Note: RedHat-like systems expect 'group_writeable' privs
+allow_file_group_writeable=false
+allow_file_others_writeable=false
+allow_directory_group_writeable=false
+allow_directory_others_writeable=false
+
+; Check wheter script is within DOCUMENT_ROOT
+check_vhost_docroot=true
+
+; Send minor error messages to browser
+errors_to_browser=true
+
+; PATH environment variable
+env_path=/bin:/usr/bin
+
+; Umask to set, specify in octal notation
+; Provided all users are in the 'users' group 072,
+; makes sure they cannot mess about eachothers files.
+; Note: homedirs can have <username>:apache 0710 perms!
+umask=0072
+
+; Minimum UID
+; The default Slackware NIS config uses this UID boundry
+min_uid=500
+
+; Minimum GID
+; The 'users' group
+min_gid=100
+
+[handlers]
+; Handler for php-scripts
+x-httpd-php="php:/usr/bin/php-cgi"
+
+; Handler for CGI-scripts
+; Similar in functionality to suEXEC
+x-suphp-cgi="execute:!self"
+
diff --git a/network/suphp/doinst.sh b/network/suphp/doinst.sh
index e796ae0a4ead8..58cc2362b2d12 100644
--- a/network/suphp/doinst.sh
+++ b/network/suphp/doinst.sh
@@ -11,5 +11,6 @@ config() {
# Otherwise, we leave the .new copy for the admin to consider...
}
+config etc/httpd/mod_suphp.conf.new
config etc/httpd/suphp.conf.new
diff --git a/network/suphp/patches/suphp-0.7.1-nosuid.diff b/network/suphp/patches/suphp-0.7.1-nosuid.diff
new file mode 100644
index 0000000000000..7a9b35de4e57b
--- /dev/null
+++ b/network/suphp/patches/suphp-0.7.1-nosuid.diff
@@ -0,0 +1,18 @@
+diff -ur suphp-0.7.1.orig/src/Application.cpp suphp-0.7.1/src/Application.cpp
+--- suphp-0.7.1.orig/src/Application.cpp 2009-03-14 18:55:25.000000000 +0100
++++ suphp-0.7.1/src/Application.cpp 2009-04-05 13:03:10.000000000 +0200
+@@ -174,12 +174,13 @@
+ throw SecurityException("Calling user is not webserver user!",
+ __FILE__, __LINE__);
+ }
+-
++#if 0
+ if (!api.getEffectiveProcessUser().isSuperUser()) {
+ throw SecurityException(
+ "Do not have root privileges. Executable not set-uid root?",
+ __FILE__, __LINE__);
+ }
++#endif
+ }
+
+
diff --git a/network/suphp/slack-desc b/network/suphp/slack-desc
index fa46fd1fd66c9..cefe0b4882c2b 100644
--- a/network/suphp/slack-desc
+++ b/network/suphp/slack-desc
@@ -5,15 +5,15 @@
# make exactly 11 lines for the formatting to be correct. It's also
# customary to leave one space after the ':'.
- |-----handy-ruler------------------------------------------------------|
+ |-----handy-ruler-------------------------------------------------------|
suphp: suPHP (an Apache module)
suphp:
suphp: mod_suphp is a module for executing PHP scripts with the permission
suphp: of their owners rather then the user the webserver runs as.
suphp: It is similar to suEXEC for CGI/SSI but supports a configuration file.
-suphp:
+suphp:
suphp: It uses a setuid root wrapper binary (/usr/sbin/suphp) to change
suphp: the uid of the process executing the PHP interpreter.
-suphp:
+suphp:
suphp: suPHP is maintained by Sebastian Marsching
suphp:
diff --git a/network/suphp/suphp-0.6.3-vhosts.patch b/network/suphp/suphp-0.6.3-vhosts.patch
deleted file mode 100644
index ea6e13c996c1d..0000000000000
--- a/network/suphp/suphp-0.6.3-vhosts.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff -ur src.std/apache/mod_suphp.c src/apache/mod_suphp.c
---- src.std/apache/mod_suphp.c 2006-09-23 19:04:36.000000000 +0200
-+++ src/apache/mod_suphp.c 2007-02-15 17:29:37.000000000 +0100
-@@ -249,9 +249,9 @@
- {"suPHP_UserGroup", suphp_handle_cmd_user_group, NULL,
- RSRC_CONF|ACCESS_CONF, TAKE2, "User and group scripts shall be run as"},
- #endif
-- {"suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, ACCESS_CONF,
-+ {"suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, RSRC_CONF|ACCESS_CONF,
- ITERATE, "Tells mod_suphp to handle these MIME-types"},
-- {"suphp_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, ACCESS_CONF,
-+ {"suphp_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, RSRC_CONF|ACCESS_CONF,
- ITERATE, "Tells mod_suphp not to handle these MIME-types"},
- {NULL}
- };
-diff -ur src.std/apache2/mod_suphp.c src/apache2/mod_suphp.c
---- src.std/apache2/mod_suphp.c 2006-11-06 01:57:12.000000000 +0100
-+++ src/apache2/mod_suphp.c 2007-02-15 17:30:35.000000000 +0100
-@@ -321,8 +321,8 @@
- AP_INIT_TAKE2("suPHP_UserGroup", suphp_handle_cmd_user_group, NULL, RSRC_CONF | ACCESS_CONF,
- "User and group scripts shall be run as"),
- #endif
-- AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"),
-- AP_INIT_ITERATE("suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, ACCESS_CONF, "Tells mod_suphp not to handle these MIME-types"),
-+ AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"),
-+ AP_INIT_ITERATE("suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp not to handle these MIME-types"),
- {NULL}
- };
-
diff --git a/network/suphp/suphp.SlackBuild b/network/suphp/suphp.SlackBuild
index 42515eb19766b..e3e9eff0cca24 100644
--- a/network/suphp/suphp.SlackBuild
+++ b/network/suphp/suphp.SlackBuild
@@ -2,10 +2,14 @@
# Slackware build script for suPHP
-# Written by Menno E. Duursma <druiloor@zonnet.nl>
+# Written by Menno Duursma <druiloor@zonnet.nl>
+
+# This program is free software. It comes without any warranty.
+# Granted WTFPLv2, as published by Sam Hocevar dec'04.
+# For details see http://sam.zoy.org/wtfpl/COPYING
PRGNAM=suphp
-VERSION=0.6.3
+VERSION=${VERSION:-0.7.1}
ARCH=${ARCH:-i486}
BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
@@ -13,7 +17,10 @@ TAG=${TAG:-_SBo}
CWD=$(pwd)
TMP=${TMP:-/tmp/SBo}
PKG=$TMP/package-$PRGNAM
-OUTPUT=${OUTPUT:-/tmp} # Drop the package in /tmp
+OUTPUT=${OUTPUT:-/tmp}
+
+# On capability enabled filesystems this may be enabled
+FCAPS=${FCAPS:-false}
# The stock Apache on Slackware runs httpd under system
# user/group account 'apache'. If you happen to use some
@@ -40,11 +47,13 @@ cd $PRGNAM-$VERSION
chown -R root:root .
chmod -R u+w,go+r-w,a-s .
-# Apply a patch to have it globally honor the suPHP_Engine directive
-patch -p0 --verbose < $CWD/suphp-$VERSION-vhosts.patch
+# FCAPS: remove ruid-root check from source
+if [ "$FCAPS" != "false" ]; then
+ patch --verbose -p1 < $CWD/patches/suphp-0.7.1-nosuid.diff
+fi
# Default to secure settings, as any of the configuration options
-# can be overwritten in the config-file /etc/httpd/suphp.conf anyway
+# can be overwritten in the config file /etc/httpd/suphp.conf anyway
CFLAGS="$SLKCFLAGS" \
CXXFLAGS="$SLKCFLAGS" \
./configure \
@@ -55,25 +64,28 @@ CXXFLAGS="$SLKCFLAGS" \
--with-apache-user=$HTTPD_USER \
--with-logfile=/var/log/httpd/suphp_log \
--enable-static=no \
- --build=$ARCH-slackware-linux \
- --host=$ARCH-slackware-linux
+ --build=$ARCH-slackware-linux
make
-make install DESTDIR=$PKG
-( cd $PKG
- find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
- find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
-)
+# Following only strips the wrapper
+make install-strip DESTDIR=$PKG
+
+# Strip the DSO as well
+find $PKG -type f | xargs file | grep "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip -v --strip-unneeded 2> /dev/null
mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
cp -a AUTHORS COPYING ChangeLog doc/* $PKG/usr/doc/$PRGNAM-$VERSION
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
-cat $CWD/README > $PKG/usr/doc/$PRGNAM-$VERSION/README.SBo
+cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE
mkdir -p $PKG/etc/httpd
+cat $CWD/config/mod_suphp.conf > $PKG/etc/httpd/mod_suphp.conf.new
+
+# Make sure the user Apache runs as in correctly reflected
sed s/'webserver_user=apache'/"webserver_user=$HTTPD_USER"/g \
- $CWD/suphp.conf >> $PKG/etc/httpd/suphp.conf.new
+ $CWD/config/suphp.conf > $PKG/etc/httpd/suphp.conf.new
mkdir -p $PKG/install
cat $CWD/slack-desc > $PKG/install/slack-desc
@@ -81,15 +93,18 @@ cat $CWD/doinst.sh > $PKG/install/doinst.sh
# Make sure the access permissions on target host are such that
# only the group Apache runs as has access to it
-echo "chgrp $HTTPD_GROUP usr/sbin/suphp" >> $PKG/install/doinst.sh
-echo "chmod 4750 usr/sbin/suphp" >> $PKG/install/doinst.sh
+chown root:$HTTPD_GROUP $PKG/usr/sbin/suphp
+
+# Install setuid unless caller requested otherwise
+if [ "$FCAPS" != "false" ]; then
+ chmod 0750 $PKG/usr/sbin/suphp
+ # Note: on a chrooted Apache: this should fence the jail
+ echo 'setcap "cap_setgid=ep cap_setuid=ep" usr/sbin/suphp' \
+ >> $PKG/install/doinst.sh
+else
+ # Install setuid-root
+ chmod 4750 $PKG/usr/sbin/suphp
+fi
cd $PKG
/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.tgz
-
-# Clean up the extra stuff
-if [ "$1" = "--cleanup" ]; then
- rm -rf $TMP/$PRGNAM-$VERSION
- rm -rf $PKG
-fi
-
diff --git a/network/suphp/suphp.conf b/network/suphp/suphp.conf
deleted file mode 100644
index 9bd6bcbafe08f..0000000000000
--- a/network/suphp/suphp.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-[global]
-;Path to logfile
-logfile=/var/log/httpd/suphp_log
-
-;Loglevel
-loglevel=info
-
-;User Apache is running as
-webserver_user=apache
-
-;Path all scripts have to be in
-docroot=/var/www
-
-;Path to chroot() to before executing script
-;chroot=/mychroot
-
-; Security options
-allow_file_group_writeable=true
-allow_file_others_writeable=false
-allow_directory_group_writeable=true
-allow_directory_others_writeable=false
-
-;Check wheter script is within DOCUMENT_ROOT
-check_vhost_docroot=true
-
-;Send minor error messages to browser
-errors_to_browser=true
-
-;PATH environment variable
-env_path=/bin:/usr/bin:/usr/local/bin
-
-;Umask to set, specify in octal notation
-umask=0077
-
-; Minimum UID
-min_uid=500
-
-; Minimum GID
-min_gid=100
-
-[handlers]
-;Handler for php-scripts
-x-httpd-php=php:/usr/bin/php-cgi
-
-;Handler for CGI-scripts
-x-suphp-cgi=execute:!self
diff --git a/network/suphp/suphp.info b/network/suphp/suphp.info
index d34d8d10d0b34..f5ff3e4d3fd34 100644
--- a/network/suphp/suphp.info
+++ b/network/suphp/suphp.info
@@ -1,8 +1,8 @@
PRGNAM="suphp"
-VERSION="0.6.3"
+VERSION="0.7.1"
HOMEPAGE="http://www.suphp.org/"
-DOWNLOAD="http://www.suphp.org/download/suphp-0.6.3.tar.gz"
-MD5SUM="756e8893857fefed087a89959a87645a"
+DOWNLOAD="http://www.suphp.org/download/suphp-0.7.1.tar.gz"
+MD5SUM="c172dd4f15a75f4dcb08ea97d4202bb8"
MAINTAINER="Menno Duursma"
EMAIL="druiloor@zonnet.nl"
APPROVED="rworkman"