network/suphp: Updated for version 0.7.1
This commit is contained in:
parent
633d26a36c
commit
f8d56146fd
11 changed files with 204 additions and 124 deletions
|
@ -1,22 +1,4 @@
|
|||
suPHP is a tool for executing PHP scripts with the permissions of their
|
||||
owners. It consists of an Apache module (mod_suphp) and a setuid root
|
||||
binary (suphp) that is called by the Apache module to change the uid of
|
||||
the process executing the PHP interpreter.
|
||||
|
||||
This version was compiled to look for its config-file in /etc/httpd
|
||||
rather then just /etc as 'httpd' looks there aswell.
|
||||
|
||||
Some of the 'standard' /etc/httpd/httpd.conf directives include:
|
||||
|
||||
LoadModule suphp_module /usr/lib/httpd/modules/mod_suphp.so
|
||||
suPHP_Engine on
|
||||
AddHandler x-httpd-php .php
|
||||
suPHP_AddHandler x-httpd-php
|
||||
suPHP_UserGroup someuser users
|
||||
|
||||
To use different php versions 'per vhost' see:
|
||||
http://www.howtoforge.com/apache2_suphp_php4_php5
|
||||
|
||||
mod_php can be reduced (greatly) by rebuilding PHP for FastCGI and
|
||||
using mod_fcgid; however, that requires additional configuration.
|
||||
See http://fastcgi.coremail.cn/configuration.htm for details.
|
||||
the process executing the PHP interpreter. See also README.SLACKWARE
|
||||
|
|
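--- a/network/suphp/README.SLACKWARE
+++ b/network/suphp/README.SLACKWARE
@@ -0,0 +1,42 @@
+suphp README.SLACKWARE
+
+This version was compiled to look for its config file in /etc/httpd
+rather then just /etc as 'httpd' looks there aswell.
+
+To enable this make sure to disable mod_php first, then (after editing
+as needed for your site) add to /etc/httpd/httpd.conf:
+
+Include /etc/httpd/mod_suphp.conf
+
+Unlike suEXEC, suPHP tries to fix variables like $_SERVER['SCRIPT_NAME']
+
+Apache php_* directives in .htaccess files will only work if you install
+the 'htscanner' PHP extension (available from SBo also). However, not
+every setting will work that way; using a php.ini per vhost is another
+option available, configurable in /etc/http/mod_suphp.conf
+
+Upon each connection getpwnam() and similar user-db functions are run,
+which may hinder performance on systems with many accounts (or that use
+some kind of external db system) in which case running 'nscd' may help:
+http://groups.google.nl/group/alt.os.linux.slackware/msg/7032b8ec0e2b11b3
+
+To use different php versions 'per vhost' see:
+http://www.howtoforge.com/apache2_suphp_php4_php5
+
+==
+
+Note on capabilities: FCAPS=true
+
+Which, if set, will install the wrapper non-setuid. For this to work
+however filesystem support must be available (ext3 has this support).
+Your backup tool might ignore, or not know about, extended attribs...
+
+Besides the 'apache' user must be able to write to its logfile, e.g.
+drwxrwxr-x 2 root apache 4096 2009-04-05 00:29 /var/log/httpd
+-rw-rw-r-- 1 root apache 2212 2009-04-05 13:45 /var/log/httpd/suphp_log
+Which might have some consequence in logrotate configuration too.
+
+In case Apache is chrooted (for instance with mod_chroot available from
+SBo as well), breaking out should be much harder if installed this way, as
+ptrace, chroot, etc will be unavailable to get via suphp within the jail.
+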
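--- a/network/suphp/config/mod_suphp.conf
+++ b/network/suphp/config/mod_suphp.conf
@@ -0,0 +1,41 @@
+# ===========================
+# == suPHP Apache module ==
+# ===========================
+
+# Invite this baby in.
+LoadModule suphp_module /usr/lib/httpd/modules/mod_suphp.so
+
+# Tell her what maybe on the menu here.
+AddHandler x-httpd-php .php .php3 .php4 .php5
+
+# This option tells mod_suphp if a PHP-script requested on this server (or
+# VirtualHost) should be run with the PHP-interpreter or returned to the
+# browser "as it is".
+suPHP_Engine on
+
+# This option tells mod_suphp which path to pass on to the PHP-interpreter
+# (by setting the PHPRC environment variable).
+# Do *NOT* refer to a file but to the directory the file resists in.
+# If you don't use this option, PHP will use its compiled in default path.
+#suPHP_ConfigPath (expects a path name)
+
+# Specify the user- and groupname to run PHP-scripts with. This setting
+# can only be used within a <Directory> or <Location> context.
+suPHP_UserGroup nfsnobody users
+
+# Tells mod_suphp to handle requests with the type <mime-type>.
+# Please note this only works, if an action for the handler is specified
+# in the suPHP configuration file. Settings on per-directory level supersede
+# settings made on per-server level.
+suPHP_AddHandler x-httpd-php
+
+# Tells mod_suphp NOT to handle requests with the type <mime-type>. This will
+# override the suPHP_AddHandler setting made on a higher configuration level.
+#suPHP_RemoveHandler <mime-type>
+
+# Sets the path to the PHP binary that is used to render files with the
+# "x-httpd-php" or "application/x-httpd-php" type. This setting does
+# *NOT* affect the PHP binary used for serving script requests, which is
+# still configured in suphp.conf.
+#suPHP_PHPPath (expects a path name)
+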
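Review bot: The comment above `suPHP_UserGroup nfsnobody users` states the directive "can only be used within a <Directory> or <Location> context", yet the directive is placed at server level directly beneath it; the directive table in the vhosts patch this commit removes registers suPHP_UserGroup with RSRC_CONF|ACCESS_CONF, so server scope is accepted and the comment is the part that is wrong. A server-level value is also the fallback for every vhost that does not override it, meaning such vhosts run their scripts as nfsnobody:users rather than as the file owner, which the shipped file should say, e.g. `# Specify the user- and groupname to run PHP-scripts with. A server-level setting is the default for every vhost; override it per <VirtualHost>, <Directory> or <Location>.` Separately, README.SLACKWARE in this commit points readers at `/etc/http/mod_suphp.conf`, while the SlackBuild installs this file under /etc/httpd.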
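--- a/network/suphp/config/suphp.conf
+++ b/network/suphp/config/suphp.conf
@@ -0,0 +1,56 @@
+[global]
+; Path to logfile
+; This is set to where Apache logs reside aswell
+logfile=/var/log/httpd/suphp_log
+
+; Loglevel
+loglevel=info
+
+; User Apache is running as
+webserver_user=apache
+
+; Path all scripts have to be in
+; This should reflect the vhosts DocumentRoot
+docroot=/var/www:${HOME}/public_html
+
+; Path to chroot() to before executing script
+;chroot=/mychroot
+
+; Security options
+; Note: RedHat-like systems expect 'group_writeable' privs
+allow_file_group_writeable=false
+allow_file_others_writeable=false
+allow_directory_group_writeable=false
+allow_directory_others_writeable=false
+
+; Check wheter script is within DOCUMENT_ROOT
+check_vhost_docroot=true
+
+; Send minor error messages to browser
+errors_to_browser=true
+
+; PATH environment variable
+env_path=/bin:/usr/bin
+
+; Umask to set, specify in octal notation
+; Provided all users are in the 'users' group 072,
+; makes sure they cannot mess about eachothers files.
+; Note: homedirs can have <username>:apache 0710 perms!
+umask=0072
+
+; Minimum UID
+; The default Slackware NIS config uses this UID boundry
+min_uid=500
+
+; Minimum GID
+; The 'users' group
+min_gid=100
+
+[handlers]
+; Handler for php-scripts
+x-httpd-php="php:/usr/bin/php-cgi"
+
+; Handler for CGI-scripts
+; Similar in functionality to suEXEC
+x-suphp-cgi="execute:!self"
+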
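Review bot: `errors_to_browser=true` ships a default that, per its own comment, sends suPHP's error messages to the requesting browser, which sits oddly next to the SlackBuild's stated intent of defaulting to secure settings and the otherwise tightened `allow_*_writeable=false` block above it; for a packaged default I would set `errors_to_browser=false` and document it as `; Set to true only while debugging; the reason is always written to logfile anyway` (the last clause is my understanding of suPHP's behaviour and should be confirmed against the upstream docs). The commented `;chroot=/mychroot` option deserves a caveat too: under the FCAPS install this commit adds, the wrapper holds only cap_setuid and cap_setgid (see the setcap line in the SlackBuild) and README.SLACKWARE itself says chroot is unavailable in that mode, so a line such as `; Note: not usable with an FCAPS (non-setuid) install, which lacks CAP_SYS_CHROOT` would prevent a confusing failure. The handler values are now double-quoted where the previous file was not; if that matches the upstream 0.7.1 sample it is fine, but it should be deliberate since the parser may keep or strip the quotes.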
|
@ -11,5 +11,6 @@ config() {
|
|||
# Otherwise, we leave the .new copy for the admin to consider...
|
||||
}
|
||||
|
||||
config etc/httpd/mod_suphp.conf.new
|
||||
config etc/httpd/suphp.conf.new
|
||||
|
||||
|
|
18
network/suphp/patches/suphp-0.7.1-nosuid.diff
Normal file
18
network/suphp/patches/suphp-0.7.1-nosuid.diff
Normal file
|
@ -0,0 +1,18 @@
|
|||
diff -ur suphp-0.7.1.orig/src/Application.cpp suphp-0.7.1/src/Application.cpp
|
||||
--- suphp-0.7.1.orig/src/Application.cpp 2009-03-14 18:55:25.000000000 +0100
|
||||
+++ suphp-0.7.1/src/Application.cpp 2009-04-05 13:03:10.000000000 +0200
|
||||
@@ -174,12 +174,13 @@
|
||||
throw SecurityException("Calling user is not webserver user!",
|
||||
__FILE__, __LINE__);
|
||||
}
|
||||
-
|
||||
+#if 0
|
||||
if (!api.getEffectiveProcessUser().isSuperUser()) {
|
||||
throw SecurityException(
|
||||
"Do not have root privileges. Executable not set-uid root?",
|
||||
__FILE__, __LINE__);
|
||||
}
|
||||
+#endif
|
||||
}
|
||||
|
||||
|
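Review bot: The `#if 0 … #endif` wrapped around the "Do not have root privileges" check compiles out the only place the wrapper verifies it holds the privilege it needs, and puts nothing in its place for the capability build: a wrapper installed mode 0750 whose file capabilities were lost (README.SLACKWARE itself warns that backup tools may drop extended attributes) passes this point and only fails later, wherever the uid change is attempted, which is outside this hunk. Prefer replacing the `#if 0` with a check that the effective user is superuser or that the process holds the setuid/setgid capabilities, or at minimum a comment inside the block such as `// nosuid build: privilege comes from file capabilities, not setuid-root; see README.SLACKWARE` so the disabled security check is not mistaken for leftover debugging. The patch is only applied when FCAPS is enabled in the SlackBuild, but that rationale is not recorded anywhere in the patch file itself.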
|
@ -5,15 +5,15 @@
|
|||
# make exactly 11 lines for the formatting to be correct. It's also
|
||||
# customary to leave one space after the ':'.
|
||||
|
||||
|-----handy-ruler------------------------------------------------------|
|
||||
|-----handy-ruler-------------------------------------------------------|
|
||||
suphp: suPHP (an Apache module)
|
||||
suphp:
|
||||
suphp: mod_suphp is a module for executing PHP scripts with the permission
|
||||
suphp: of their owners rather then the user the webserver runs as.
|
||||
suphp: It is similar to suEXEC for CGI/SSI but supports a configuration file.
|
||||
suphp:
|
||||
suphp:
|
||||
suphp: It uses a setuid root wrapper binary (/usr/sbin/suphp) to change
|
||||
suphp: the uid of the process executing the PHP interpreter.
|
||||
suphp:
|
||||
suphp:
|
||||
suphp: suPHP is maintained by Sebastian Marsching
|
||||
suphp:
|
||||
|
|
|
@ -1,29 +0,0 @@
|
|||
diff -ur src.std/apache/mod_suphp.c src/apache/mod_suphp.c
|
||||
--- src.std/apache/mod_suphp.c 2006-09-23 19:04:36.000000000 +0200
|
||||
+++ src/apache/mod_suphp.c 2007-02-15 17:29:37.000000000 +0100
|
||||
@@ -249,9 +249,9 @@
|
||||
{"suPHP_UserGroup", suphp_handle_cmd_user_group, NULL,
|
||||
RSRC_CONF|ACCESS_CONF, TAKE2, "User and group scripts shall be run as"},
|
||||
#endif
|
||||
- {"suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, ACCESS_CONF,
|
||||
+ {"suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, RSRC_CONF|ACCESS_CONF,
|
||||
ITERATE, "Tells mod_suphp to handle these MIME-types"},
|
||||
- {"suphp_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, ACCESS_CONF,
|
||||
+ {"suphp_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, RSRC_CONF|ACCESS_CONF,
|
||||
ITERATE, "Tells mod_suphp not to handle these MIME-types"},
|
||||
{NULL}
|
||||
};
|
||||
diff -ur src.std/apache2/mod_suphp.c src/apache2/mod_suphp.c
|
||||
--- src.std/apache2/mod_suphp.c 2006-11-06 01:57:12.000000000 +0100
|
||||
+++ src/apache2/mod_suphp.c 2007-02-15 17:30:35.000000000 +0100
|
||||
@@ -321,8 +321,8 @@
|
||||
AP_INIT_TAKE2("suPHP_UserGroup", suphp_handle_cmd_user_group, NULL, RSRC_CONF | ACCESS_CONF,
|
||||
"User and group scripts shall be run as"),
|
||||
#endif
|
||||
- AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"),
|
||||
- AP_INIT_ITERATE("suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, ACCESS_CONF, "Tells mod_suphp not to handle these MIME-types"),
|
||||
+ AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"),
|
||||
+ AP_INIT_ITERATE("suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp not to handle these MIME-types"),
|
||||
{NULL}
|
||||
};
|
||||
|
|
@ -2,10 +2,14 @@
|
|||
|
||||
# Slackware build script for suPHP
|
||||
|
||||
# Written by Menno E. Duursma <druiloor@zonnet.nl>
|
||||
# Written by Menno Duursma <druiloor@zonnet.nl>
|
||||
|
||||
# This program is free software. It comes without any warranty.
|
||||
# Granted WTFPLv2, as published by Sam Hocevar dec'04.
|
||||
# For details see http://sam.zoy.org/wtfpl/COPYING
|
||||
|
||||
PRGNAM=suphp
|
||||
VERSION=0.6.3
|
||||
VERSION=${VERSION:-0.7.1}
|
||||
ARCH=${ARCH:-i486}
|
||||
BUILD=${BUILD:-1}
|
||||
TAG=${TAG:-_SBo}
|
||||
|
@ -13,7 +17,10 @@ TAG=${TAG:-_SBo}
|
|||
CWD=$(pwd)
|
||||
TMP=${TMP:-/tmp/SBo}
|
||||
PKG=$TMP/package-$PRGNAM
|
||||
OUTPUT=${OUTPUT:-/tmp} # Drop the package in /tmp
|
||||
OUTPUT=${OUTPUT:-/tmp}
|
||||
|
||||
# On capability enabled filesystems this may be enabled
|
||||
FCAPS=${FCAPS:-false}
|
||||
|
||||
# The stock Apache on Slackware runs httpd under system
|
||||
# user/group account 'apache'. If you happen to use some
|
||||
|
@ -40,11 +47,13 @@ cd $PRGNAM-$VERSION
|
|||
chown -R root:root .
|
||||
chmod -R u+w,go+r-w,a-s .
|
||||
|
||||
# Apply a patch to have it globally honor the suPHP_Engine directive
|
||||
patch -p0 --verbose < $CWD/suphp-$VERSION-vhosts.patch
|
||||
# FCAPS: remove ruid-root check from source
|
||||
if [ "$FCAPS" != "false" ]; then
|
||||
patch --verbose -p1 < $CWD/patches/suphp-0.7.1-nosuid.diff
|
||||
fi
|
||||
|
||||
# Default to secure settings, as any of the configuration options
|
||||
# can be overwritten in the config-file /etc/httpd/suphp.conf anyway
|
||||
# can be overwritten in the config file /etc/httpd/suphp.conf anyway
|
||||
CFLAGS="$SLKCFLAGS" \
|
||||
CXXFLAGS="$SLKCFLAGS" \
|
||||
./configure \
|
||||
|
@ -55,25 +64,28 @@ CXXFLAGS="$SLKCFLAGS" \
|
|||
--with-apache-user=$HTTPD_USER \
|
||||
--with-logfile=/var/log/httpd/suphp_log \
|
||||
--enable-static=no \
|
||||
--build=$ARCH-slackware-linux \
|
||||
--host=$ARCH-slackware-linux
|
||||
--build=$ARCH-slackware-linux
|
||||
|
||||
make
|
||||
make install DESTDIR=$PKG
|
||||
|
||||
( cd $PKG
|
||||
find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
|
||||
find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
|
||||
)
|
||||
# Following only strips the wrapper
|
||||
make install-strip DESTDIR=$PKG
|
||||
|
||||
# Strip the DSO as well
|
||||
find $PKG -type f | xargs file | grep "shared object" | grep ELF \
|
||||
| cut -f 1 -d : | xargs strip -v --strip-unneeded 2> /dev/null
|
||||
|
||||
mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
|
||||
cp -a AUTHORS COPYING ChangeLog doc/* $PKG/usr/doc/$PRGNAM-$VERSION
|
||||
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
|
||||
cat $CWD/README > $PKG/usr/doc/$PRGNAM-$VERSION/README.SBo
|
||||
cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE
|
||||
|
||||
mkdir -p $PKG/etc/httpd
|
||||
cat $CWD/config/mod_suphp.conf > $PKG/etc/httpd/mod_suphp.conf.new
|
||||
|
||||
# Make sure the user Apache runs as in correctly reflected
|
||||
sed s/'webserver_user=apache'/"webserver_user=$HTTPD_USER"/g \
|
||||
$CWD/suphp.conf >> $PKG/etc/httpd/suphp.conf.new
|
||||
$CWD/config/suphp.conf > $PKG/etc/httpd/suphp.conf.new
|
||||
|
||||
mkdir -p $PKG/install
|
||||
cat $CWD/slack-desc > $PKG/install/slack-desc
|
||||
|
@ -81,15 +93,18 @@ cat $CWD/doinst.sh > $PKG/install/doinst.sh
|
|||
|
||||
# Make sure the access permissions on target host are such that
|
||||
# only the group Apache runs as has access to it
|
||||
echo "chgrp $HTTPD_GROUP usr/sbin/suphp" >> $PKG/install/doinst.sh
|
||||
echo "chmod 4750 usr/sbin/suphp" >> $PKG/install/doinst.sh
|
||||
chown root:$HTTPD_GROUP $PKG/usr/sbin/suphp
|
||||
|
||||
# Install setuid unless caller requested otherwise
|
||||
if [ "$FCAPS" != "false" ]; then
|
||||
chmod 0750 $PKG/usr/sbin/suphp
|
||||
# Note: on a chrooted Apache: this should fence the jail
|
||||
echo 'setcap "cap_setgid=ep cap_setuid=ep" usr/sbin/suphp' \
|
||||
>> $PKG/install/doinst.sh
|
||||
else
|
||||
# Install setuid-root
|
||||
chmod 4750 $PKG/usr/sbin/suphp
|
||||
fi
|
||||
|
||||
cd $PKG
|
||||
/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.tgz
|
||||
|
||||
# Clean up the extra stuff
|
||||
if [ "$1" = "--cleanup" ]; then
|
||||
rm -rf $TMP/$PRGNAM-$VERSION
|
||||
rm -rf $PKG
|
||||
fi
|
||||
|
||||
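Review bot: The FCAPS branch appends `setcap "cap_setgid=ep cap_setuid=ep" usr/sbin/suphp` to doinst.sh without checking its result, so on a target lacking setcap or extended-attribute support the wrapper ends up mode 0750 with no privilege at all and the install reports nothing; the generated line should at least fail loudly, e.g. `setcap "cap_setgid=ep cap_setuid=ep" usr/sbin/suphp || echo "suphp: setcap failed, wrapper has no privileges" >&2`. The gate `[ "$FCAPS" != "false" ]`, used here and around the patch call in the earlier hunk, treats any value other than the literal string false as enabled, so `FCAPS=no` selects the non-setuid build; `[ "$FCAPS" = "true" ]` matches what README.SLACKWARE documents. The patch path `patches/suphp-0.7.1-nosuid.diff` also hard-codes the version while the rest of the script uses `$VERSION`, so an overridden VERSION would silently apply a patch written for a different release.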
|
|
|
@ -1,46 +0,0 @@
|
|||
[global]
|
||||
;Path to logfile
|
||||
logfile=/var/log/httpd/suphp_log
|
||||
|
||||
;Loglevel
|
||||
loglevel=info
|
||||
|
||||
;User Apache is running as
|
||||
webserver_user=apache
|
||||
|
||||
;Path all scripts have to be in
|
||||
docroot=/var/www
|
||||
|
||||
;Path to chroot() to before executing script
|
||||
;chroot=/mychroot
|
||||
|
||||
; Security options
|
||||
allow_file_group_writeable=true
|
||||
allow_file_others_writeable=false
|
||||
allow_directory_group_writeable=true
|
||||
allow_directory_others_writeable=false
|
||||
|
||||
;Check wheter script is within DOCUMENT_ROOT
|
||||
check_vhost_docroot=true
|
||||
|
||||
;Send minor error messages to browser
|
||||
errors_to_browser=true
|
||||
|
||||
;PATH environment variable
|
||||
env_path=/bin:/usr/bin:/usr/local/bin
|
||||
|
||||
;Umask to set, specify in octal notation
|
||||
umask=0077
|
||||
|
||||
; Minimum UID
|
||||
min_uid=500
|
||||
|
||||
; Minimum GID
|
||||
min_gid=100
|
||||
|
||||
[handlers]
|
||||
;Handler for php-scripts
|
||||
x-httpd-php=php:/usr/bin/php-cgi
|
||||
|
||||
;Handler for CGI-scripts
|
||||
x-suphp-cgi=execute:!self
|
|
@ -1,8 +1,8 @@
|
|||
PRGNAM="suphp"
|
||||
VERSION="0.6.3"
|
||||
VERSION="0.7.1"
|
||||
HOMEPAGE="http://www.suphp.org/"
|
||||
DOWNLOAD="http://www.suphp.org/download/suphp-0.6.3.tar.gz"
|
||||
MD5SUM="756e8893857fefed087a89959a87645a"
|
||||
DOWNLOAD="http://www.suphp.org/download/suphp-0.7.1.tar.gz"
|
||||
MD5SUM="c172dd4f15a75f4dcb08ea97d4202bb8"
|
||||
MAINTAINER="Menno Duursma"
|
||||
EMAIL="druiloor@zonnet.nl"
|
||||
APPROVED="rworkman"
|
||||
|
|