From f8d56146fdf8f4ea9e0b4eb34db68eb2dfc1a375 Mon Sep 17 00:00:00 2001
From: Menno Duursma
Date: Wed, 12 May 2010 17:44:15 +0200
Subject: [PATCH] network/suphp: Updated for version 0.7.1
---
 network/suphp/README | 20 +-----
 network/suphp/README.SLACKWARE | 42 +++++++++++++
 network/suphp/config/mod_suphp.conf | 41 ++++++++++++
 network/suphp/config/suphp.conf | 56 +++++++++++++++++
 network/suphp/doinst.sh | 1 +
 network/suphp/patches/suphp-0.7.1-nosuid.diff | 18 ++++++
 network/suphp/slack-desc | 6 +-
 network/suphp/suphp-0.6.3-vhosts.patch | 29 ---------
 network/suphp/suphp.SlackBuild | 63 ++++++++++++-------
 network/suphp/suphp.conf | 46 --------------
 network/suphp/suphp.info | 6 +-
 11 files changed, 204 insertions(+), 124 deletions(-)
 create mode 100644 network/suphp/README.SLACKWARE
 create mode 100644 network/suphp/config/mod_suphp.conf
 create mode 100644 network/suphp/config/suphp.conf
 create mode 100644 network/suphp/patches/suphp-0.7.1-nosuid.diff
 delete mode 100644 network/suphp/suphp-0.6.3-vhosts.patch
 delete mode 100644 network/suphp/suphp.conf
diff --git a/network/suphp/README b/network/suphp/README
index 669b5b5bda..53352c3857 100644
--- a/network/suphp/README
+++ b/network/suphp/README
@@ -1,22 +1,4 @@
 suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of
-the process executing the PHP interpreter.
-
-This version was compiled to look for its config-file in /etc/httpd
-rather then just /etc as 'httpd' looks there aswell.
-
-Some of the 'standard' /etc/httpd/httpd.conf directives include:
-
- LoadModule suphp_module /usr/lib/httpd/modules/mod_suphp.so
- suPHP_Engine on
- AddHandler x-httpd-php .php
- suPHP_AddHandler x-httpd-php
- suPHP_UserGroup someuser users
-
-To use different php versions 'per vhost' see:
-http://www.howtoforge.com/apache2_suphp_php4_php5
-
-mod_php can be reduced (greatly) by rebuilding PHP for FastCGI and
-using mod_fcgid; however, that requires additional configuration.
-See http://fastcgi.coremail.cn/configuration.htm for details.
+the process executing the PHP interpreter. See also README.SLACKWARE
diff --git a/network/suphp/README.SLACKWARE b/network/suphp/README.SLACKWARE
new file mode 100644
index 0000000000..b3aaa7451b
--- /dev/null
+++ b/network/suphp/README.SLACKWARE
@@ -0,0 +1,42 @@
+suphp README.SLACKWARE
+
+This version was compiled to look for its config file in /etc/httpd
+rather then just /etc as 'httpd' looks there aswell.
+
+To enable this make sure to disable mod_php first, then (after editing
+as needed for your site) add to /etc/httpd/httpd.conf:
+
+ Include /etc/httpd/mod_suphp.conf
+
+Unlike suEXEC, suPHP tries to fix variables like $_SERVER['SCRIPT_NAME']
+
+Apache php_* directives in .htaccess files will only work if you install
+the 'htscanner' PHP extension (available from SBo also). However, not
+every setting will work that way; using a php.ini per vhost is another
+option available, configurable in /etc/http/mod_suphp.conf
+
+Upon each connection getpwnam() and similar user-db functions are run,
+which may hinder performance on systems with many accounts (or that use
+some kind of external db system) in which case running 'nscd' may help:
+http://groups.google.nl/group/alt.os.linux.slackware/msg/7032b8ec0e2b11b3
+
+To use different php versions 'per vhost' see:
+http://www.howtoforge.com/apache2_suphp_php4_php5
+
+==
+
+Note on capabilities: FCAPS=true
+
+Which, if set, will install the wrapper non-setuid. For this to work
+however filesystem support must be available (ext3 has this support).
+Your backup tool might ignore, or not know about, extended attribs...
+
+Besides the 'apache' user must be able to write to its logfile, e.g.
+drwxrwxr-x 2 root apache 4096 2009-04-05 00:29 /var/log/httpd
+-rw-rw-r-- 1 root apache 2212 2009-04-05 13:45 /var/log/httpd/suphp_log
+Which might have some consequence in logrotate configuration too.
+
+In case Apache is chrooted (for instance with mod_chroot available from
+SBo as well), breaking out should be much harder if installed this way, as
+ptrace, chroot, etc will be unavailable to get via suphp within the jail.
+
diff --git a/network/suphp/config/mod_suphp.conf b/network/suphp/config/mod_suphp.conf
new file mode 100644
index 0000000000..60d6d157f2
--- /dev/null
+++ b/network/suphp/config/mod_suphp.conf
@@ -0,0 +1,41 @@
+# ===========================
+# == suPHP Apache module ==
+# ===========================
+
+# Invite this baby in.
+LoadModule suphp_module /usr/lib/httpd/modules/mod_suphp.so
+
+# Tell her what maybe on the menu here.
+AddHandler x-httpd-php .php .php3 .php4 .php5
+
+# This option tells mod_suphp if a PHP-script requested on this server (or
+# VirtualHost) should be run with the PHP-interpreter or returned to the
+# browser "as it is".
+suPHP_Engine on
+
+# This option tells mod_suphp which path to pass on to the PHP-interpreter
+# (by setting the PHPRC environment variable).
+# Do *NOT* refer to a file but to the directory the file resists in.
+# If you don't use this option, PHP will use its compiled in default path.
+#suPHP_ConfigPath (expects a path name)
+
+# Specify the user- and groupname to run PHP-scripts with. This setting
+# can only be used within a or context.
+suPHP_UserGroup nfsnobody users
+
+# Tells mod_suphp to handle requests with the type .
+# Please note this only works, if an action for the handler is specified
+# in the suPHP configuration file. Settings on per-directory level supersede
+# settings made on per-server level.
+suPHP_AddHandler x-httpd-php
+
+# Tells mod_suphp NOT to handle requests with the type . This will
+# override the suPHP_AddHandler setting made on a higher configuration level.
+#suPHP_RemoveHandler
+
+# Sets the path to the PHP binary that is used to render files with the
+# "x-httpd-php" or "application/x-httpd-php" type. This setting does
+# *NOT* affect the PHP binary used for serving script requests, which is
+# still configured in suphp.conf.
+#suPHP_PHPPath (expects a path name)
+
diff --git a/network/suphp/config/suphp.conf b/network/suphp/config/suphp.conf
new file mode 100644
index 0000000000..b973e9f97e
--- /dev/null
+++ b/network/suphp/config/suphp.conf
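Review bot: `AddHandler x-httpd-php .php .php3 .php4 .php5` hands any file carrying one of those extensions anywhere in its name to the PHP handler, so an uploaded `avatar.php.jpg` is executed as the script owner instead of being served as an image, which on a shared host is the usual way user uploads turn into code execution under the uploading account. Use `<FilesMatch "\.php[345]?$">` with `SetHandler x-httpd-php` inside it so only the final extension counts. `suPHP_UserGroup nfsnobody users` at server scope deserves a second look too: the directive appears to be compiled conditionally (the removed vhosts patch shows an `#endif` right after it) and the comment above it, whose element names were lost in extraction, says it is only usable inside a container, so as shipped it presumably either makes httpd refuse the directive or runs every vhost as one shared account until overridden. Shipping it commented out like the other optional directives, with a note that `nfsnobody` is not a stock Slackware account, would be the safer default.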
@@ -0,0 +1,56 @@
+[global]
+; Path to logfile
+; This is set to where Apache logs reside aswell
+logfile=/var/log/httpd/suphp_log
+
+; Loglevel
+loglevel=info
+
+; User Apache is running as
+webserver_user=apache
+
+; Path all scripts have to be in
+; This should reflect the vhosts DocumentRoot
+docroot=/var/www:${HOME}/public_html
+
+; Path to chroot() to before executing script
+;chroot=/mychroot
+
+; Security options
+; Note: RedHat-like systems expect 'group_writeable' privs
+allow_file_group_writeable=false
+allow_file_others_writeable=false
+allow_directory_group_writeable=false
+allow_directory_others_writeable=false
+
+; Check wheter script is within DOCUMENT_ROOT
+check_vhost_docroot=true
+
+; Send minor error messages to browser
+errors_to_browser=true
+
+; PATH environment variable
+env_path=/bin:/usr/bin
+
+; Umask to set, specify in octal notation
+; Provided all users are in the 'users' group 072,
+; makes sure they cannot mess about eachothers files.
+; Note: homedirs can have :apache 0710 perms!
+umask=0072
+
+; Minimum UID
+; The default Slackware NIS config uses this UID boundry
+min_uid=500
+
+; Minimum GID
+; The 'users' group
+min_gid=100
+
+[handlers]
+; Handler for php-scripts
+x-httpd-php="php:/usr/bin/php-cgi"
+
+; Handler for CGI-scripts
+; Similar in functionality to suEXEC
+x-suphp-cgi="execute:!self"
+
diff --git a/network/suphp/doinst.sh b/network/suphp/doinst.sh
index e796ae0a4e..58cc2362b2 100644
--- a/network/suphp/doinst.sh
+++ b/network/suphp/doinst.sh
@@ -11,5 +11,6 @@ config() {
 # Otherwise, we leave the .new copy for the admin to consider...
 }
+config etc/httpd/mod_suphp.conf.new
 config etc/httpd/suphp.conf.new
diff --git a/network/suphp/patches/suphp-0.7.1-nosuid.diff b/network/suphp/patches/suphp-0.7.1-nosuid.diff
new file mode 100644
index 0000000000..7a9b35de4e
--- /dev/null
+++ b/network/suphp/patches/suphp-0.7.1-nosuid.diff
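Review bot: `errors_to_browser=true` reports the reason suPHP refused a script (for instance which of the ownership, writability, `min_uid` or `docroot` checks configured in this file failed) to the requesting client, which discloses ownership and layout details of the host to anyone who can fetch a URL; for a file that otherwise ships with the strict `allow_*_writeable=false` settings, `errors_to_browser=false` is the better default, and `loglevel=info` already records the detail in `/var/log/httpd/suphp_log`. The comment above `min_uid=500` only explains where the number comes from; adding `; Scripts owned by uids below this (root, system accounts) are refused - lower with care` would stop an admin from dropping it to accommodate a vhost owned by a system account. If `x-suphp-cgi` is meant to stay dormant, its comment should say so, since the handler is live in this file and becomes reachable as soon as a `suPHP_AddHandler x-suphp-cgi` appears anywhere in the Apache configuration.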
@@ -0,0 +1,18 @@
+diff -ur suphp-0.7.1.orig/src/Application.cpp suphp-0.7.1/src/Application.cpp
+--- suphp-0.7.1.orig/src/Application.cpp 2009-03-14 18:55:25.000000000 +0100
++++ suphp-0.7.1/src/Application.cpp 2009-04-05 13:03:10.000000000 +0200
+@@ -174,12 +174,13 @@
+ throw SecurityException("Calling user is not webserver user!",
+ __FILE__, __LINE__);
+ }
+-
++#if 0
+ if (!api.getEffectiveProcessUser().isSuperUser()) {
+ throw SecurityException(
+ "Do not have root privileges. Executable not set-uid root?",
+ __FILE__, __LINE__);
+ }
++#endif
+ }
+
+
diff --git a/network/suphp/slack-desc b/network/suphp/slack-desc
index fa46fd1fd6..cefe0b4882 100644
--- a/network/suphp/slack-desc
+++ b/network/suphp/slack-desc
@@ -5,15 +5,15 @@
 # make exactly 11 lines for the formatting to be correct. It's also
 # customary to leave one space after the ':'.
- |-----handy-ruler------------------------------------------------------|
+ |-----handy-ruler-------------------------------------------------------|
 suphp: suPHP (an Apache module)
 suphp:
 suphp: mod_suphp is a module for executing PHP scripts with the permission
 suphp: of their owners rather then the user the webserver runs as.
 suphp: It is similar to suEXEC for CGI/SSI but supports a configuration file.
-suphp:
+suphp:
 suphp: It uses a setuid root wrapper binary (/usr/sbin/suphp) to change
 suphp: the uid of the process executing the PHP interpreter.
-suphp:
+suphp:
 suphp: suPHP is maintained by Sebastian Marsching
 suphp:
diff --git a/network/suphp/suphp-0.6.3-vhosts.patch b/network/suphp/suphp-0.6.3-vhosts.patch
deleted file mode 100644
index ea6e13c996..0000000000
--- a/network/suphp/suphp-0.6.3-vhosts.patch
+++ /dev/null
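Review bot: Disabling the superuser check with `#if 0` leaves no trace of why it is gone and no replacement check, so a wrapper installed without its file capabilities (setcap missing, xattrs unsupported, package copied to another host) passes this stage and only fails later, with a less specific error, when the uid switch is attempted. Guard it with a compile-time symbol instead, `#ifndef SUPHP_NO_SUID_CHECK` ... `#endif`, and have the SlackBuild pass `-DSUPHP_NO_SUID_CHECK` only for the FCAPS build so a normal build keeps the upstream check unchanged. Better still, in the capability build replace the body with a test that the effective capability set actually holds CAP_SETUID and CAP_SETGID (libcap's `cap_get_flag()`, at the cost of a build dependency) so the error message stays truthful. The preceding check that the caller is the webserver user is untouched, which is the one that matters most. The function this hunk patches begins before the hunk; its closing brace is the last context line.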
@@ -1,29 +0,0 @@
-diff -ur src.std/apache/mod_suphp.c src/apache/mod_suphp.c
---- src.std/apache/mod_suphp.c 2006-09-23 19:04:36.000000000 +0200
-+++ src/apache/mod_suphp.c 2007-02-15 17:29:37.000000000 +0100
-@@ -249,9 +249,9 @@
- {"suPHP_UserGroup", suphp_handle_cmd_user_group, NULL,
- RSRC_CONF|ACCESS_CONF, TAKE2, "User and group scripts shall be run as"},
- #endif
-- {"suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, ACCESS_CONF,
-+ {"suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, RSRC_CONF|ACCESS_CONF,
- ITERATE, "Tells mod_suphp to handle these MIME-types"},
-- {"suphp_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, ACCESS_CONF,
-+ {"suphp_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, RSRC_CONF|ACCESS_CONF,
- ITERATE, "Tells mod_suphp not to handle these MIME-types"},
- {NULL}
- };
-diff -ur src.std/apache2/mod_suphp.c src/apache2/mod_suphp.c
---- src.std/apache2/mod_suphp.c 2006-11-06 01:57:12.000000000 +0100
-+++ src/apache2/mod_suphp.c 2007-02-15 17:30:35.000000000 +0100
-@@ -321,8 +321,8 @@
- AP_INIT_TAKE2("suPHP_UserGroup", suphp_handle_cmd_user_group, NULL, RSRC_CONF | ACCESS_CONF,
- "User and group scripts shall be run as"),
- #endif
-- AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"),
-- AP_INIT_ITERATE("suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, ACCESS_CONF, "Tells mod_suphp not to handle these MIME-types"),
-+ AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"),
-+ AP_INIT_ITERATE("suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp not to handle these MIME-types"),
- {NULL}
- };
-
diff --git a/network/suphp/suphp.SlackBuild b/network/suphp/suphp.SlackBuild
index 42515eb197..e3e9eff0cc 100644
--- a/network/suphp/suphp.SlackBuild
+++ b/network/suphp/suphp.SlackBuild
@@ -2,10 +2,14 @@
 # Slackware build script for suPHP
-# Written by Menno E. Duursma
+# Written by Menno Duursma
+
+# This program is free software. It comes without any warranty.
+# Granted WTFPLv2, as published by Sam Hocevar dec'04.
+# For details see http://sam.zoy.org/wtfpl/COPYING
 PRGNAM=suphp
-VERSION=0.6.3
+VERSION=${VERSION:-0.7.1}
 ARCH=${ARCH:-i486}
 BUILD=${BUILD:-1}
 TAG=${TAG:-_SBo}
@@ -13,7 +17,10 @@ TAG=${TAG:-_SBo}
 CWD=$(pwd)
 TMP=${TMP:-/tmp/SBo}
 PKG=$TMP/package-$PRGNAM
-OUTPUT=${OUTPUT:-/tmp} # Drop the package in /tmp
+OUTPUT=${OUTPUT:-/tmp}
+
+# On capability enabled filesystems this may be enabled
+FCAPS=${FCAPS:-false}
 # The stock Apache on Slackware runs httpd under system
 # user/group account 'apache'. If you happen to use some
@@ -40,11 +47,13 @@ cd $PRGNAM-$VERSION
 chown -R root:root .
 chmod -R u+w,go+r-w,a-s .
-# Apply a patch to have it globally honor the suPHP_Engine directive
-patch -p0 --verbose < $CWD/suphp-$VERSION-vhosts.patch
+# FCAPS: remove ruid-root check from source
+if [ "$FCAPS" != "false" ]; then
+ patch --verbose -p1 < $CWD/patches/suphp-0.7.1-nosuid.diff
+fi
 # Default to secure settings, as any of the configuration options
-# can be overwritten in the config-file /etc/httpd/suphp.conf anyway
+# can be overwritten in the config file /etc/httpd/suphp.conf anyway
 CFLAGS="$SLKCFLAGS" \
 CXXFLAGS="$SLKCFLAGS" \
 ./configure \
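Review bot: `if [ "$FCAPS" != "false" ]` treats every value other than the literal string `false` as a request for the capability build, so `FCAPS=no`, `FCAPS=0` or a typo all produce a wrapper with the root check patched out and no setuid bit; test for the affirmative that README.SLACKWARE documents instead: `if [ "$FCAPS" = "true" ]; then`, and use the same form where the test is repeated at the install step later in this file. The comment `# FCAPS: remove ruid-root check from source` is also slightly off, since the check the patch disables is on the effective uid (`getEffectiveProcessUser`); `# FCAPS: drop the euid-is-root check; the wrapper gets CAP_SETUID/CAP_SETGID instead` describes it accurately. The hard-coded `suphp-0.7.1-nosuid.diff` silently applies a 0.7.1 patch to whatever `VERSION` was overridden to; naming it `$PRGNAM-$VERSION-nosuid.diff` makes a version without a matching patch fail loudly.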
@@ -55,25 +64,28 @@ CXXFLAGS="$SLKCFLAGS" \
 --with-apache-user=$HTTPD_USER \
 --with-logfile=/var/log/httpd/suphp_log \
 --enable-static=no \
- --build=$ARCH-slackware-linux \
- --host=$ARCH-slackware-linux
+ --build=$ARCH-slackware-linux
 make
-make install DESTDIR=$PKG
-( cd $PKG
- find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
- find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
-)
+# Following only strips the wrapper
+make install-strip DESTDIR=$PKG
+
+# Strip the DSO as well
+find $PKG -type f | xargs file | grep "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip -v --strip-unneeded 2> /dev/null
 mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
 cp -a AUTHORS COPYING ChangeLog doc/* $PKG/usr/doc/$PRGNAM-$VERSION
 cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
-cat $CWD/README > $PKG/usr/doc/$PRGNAM-$VERSION/README.SBo
+cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE
 mkdir -p $PKG/etc/httpd
+cat $CWD/config/mod_suphp.conf > $PKG/etc/httpd/mod_suphp.conf.new
+
+# Make sure the user Apache runs as in correctly reflected
 sed s/'webserver_user=apache'/"webserver_user=$HTTPD_USER"/g \
- $CWD/suphp.conf >> $PKG/etc/httpd/suphp.conf.new
+ $CWD/config/suphp.conf > $PKG/etc/httpd/suphp.conf.new
 mkdir -p $PKG/install
 cat $CWD/slack-desc > $PKG/install/slack-desc
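Review bot: The `sed s/'webserver_user=apache'/"webserver_user=$HTTPD_USER"/g` line is the only place the build-time `HTTPD_USER` reaches the shipped config, and it is fragile in two ways: the pattern is unanchored, and `$HTTPD_USER` is interpolated into the sed script unescaped, so a value containing `/` or `&` silently mangles the line and the wrapper then rejects every request with "Calling user is not webserver user!". Anchor it, `sed "s/^webserver_user=.*/webserver_user=$HTTPD_USER/"`, and follow it with `grep -q "^webserver_user=$HTTPD_USER\$" $PKG/etc/httpd/suphp.conf.new || exit 1` so a mismatch fails the build instead of shipping. The configure invocation this hunk edits starts before the hunk, so whether a `--with-setid-mode` is passed (which decides whether the `suPHP_UserGroup` line in the shipped mod_suphp.conf is even accepted) is not visible here; the comment `# Default to secure settings` above it would be a good place to name the mode chosen.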
@@ -81,15 +93,18 @@ cat $CWD/doinst.sh > $PKG/install/doinst.sh
 # Make sure the access permissions on target host are such that
 # only the group Apache runs as has access to it
-echo "chgrp $HTTPD_GROUP usr/sbin/suphp" >> $PKG/install/doinst.sh
-echo "chmod 4750 usr/sbin/suphp" >> $PKG/install/doinst.sh
+chown root:$HTTPD_GROUP $PKG/usr/sbin/suphp
+
+# Install setuid unless caller requested otherwise
+if [ "$FCAPS" != "false" ]; then
+ chmod 0750 $PKG/usr/sbin/suphp
+ # Note: on a chrooted Apache: this should fence the jail
+ echo 'setcap "cap_setgid=ep cap_setuid=ep" usr/sbin/suphp' \
+ >> $PKG/install/doinst.sh
+else
+ # Install setuid-root
+ chmod 4750 $PKG/usr/sbin/suphp
+fi
 cd $PKG
 /sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.tgz
-
-# Clean up the extra stuff
-if [ "$1" = "--cleanup" ]; then
- rm -rf $TMP/$PRGNAM-$VERSION
- rm -rf $PKG
-fi
-
diff --git a/network/suphp/suphp.conf b/network/suphp/suphp.conf
deleted file mode 100644
index 9bd6bcbafe..0000000000
--- a/network/suphp/suphp.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-[global]
-;Path to logfile
-logfile=/var/log/httpd/suphp_log
-
-;Loglevel
-loglevel=info
-
-;User Apache is running as
-webserver_user=apache
-
-;Path all scripts have to be in
-docroot=/var/www
-
-;Path to chroot() to before executing script
-;chroot=/mychroot
-
-; Security options
-allow_file_group_writeable=true
-allow_file_others_writeable=false
-allow_directory_group_writeable=true
-allow_directory_others_writeable=false
-
-;Check wheter script is within DOCUMENT_ROOT
-check_vhost_docroot=true
-
-;Send minor error messages to browser
-errors_to_browser=true
-
-;PATH environment variable
-env_path=/bin:/usr/bin:/usr/local/bin
-
-;Umask to set, specify in octal notation
-umask=0077
-
-; Minimum UID
-min_uid=500
-
-; Minimum GID
-min_gid=100
-
-[handlers]
-;Handler for php-scripts
-x-httpd-php=php:/usr/bin/php-cgi
-
-;Handler for CGI-scripts
-x-suphp-cgi=execute:!self
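Review bot: `chown root:$HTTPD_GROUP $PKG/usr/sbin/suphp` moves the group assignment of a setuid-root binary from install time to build time, so the build host must have `$HTTPD_GROUP` and, if it does not, `chown` fails on a line nothing checks; whether the target restores the group by name or by the build host's numeric gid depends on how installpkg's tar maps owners, and a numeric mismatch would hand the wrapper to an unrelated group. Keeping the `chgrp` in doinst.sh as before, or at least `chown root:$HTTPD_GROUP $PKG/usr/sbin/suphp || exit 1`, is safer. In the FCAPS branch the `setcap` appended to doinst.sh has no error handling, so a target without `setcap` or without xattr support ends up with a 0750, non-setuid, capability-less wrapper that fails every request with no hint why; `... || echo "WARNING: setcap failed, suphp cannot switch uid"` on that line would at least surface it. A wrapper holding only `cap_setuid,cap_setgid` presumably also cannot honour the `chroot=` option in suphp.conf, since chroot(2) needs CAP_SYS_CHROOT, which is worth stating in the comment beside `# Note: on a chrooted Apache`.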
diff --git a/network/suphp/suphp.info b/network/suphp/suphp.info
index d34d8d10d0..f5ff3e4d3f 100644
--- a/network/suphp/suphp.info
+++ b/network/suphp/suphp.info
@@ -1,8 +1,8 @@
 PRGNAM="suphp"
-VERSION="0.6.3"
+VERSION="0.7.1"
 HOMEPAGE="http://www.suphp.org/"
-DOWNLOAD="http://www.suphp.org/download/suphp-0.6.3.tar.gz"
-MD5SUM="756e8893857fefed087a89959a87645a"
+DOWNLOAD="http://www.suphp.org/download/suphp-0.7.1.tar.gz"
+MD5SUM="c172dd4f15a75f4dcb08ea97d4202bb8"
 MAINTAINER="Menno Duursma"
 EMAIL="druiloor@zonnet.nl"
 APPROVED="rworkman"