Diffstat (limited to 'network/suphp')
-rw-r--r--network/suphp/README29
-rw-r--r--network/suphp/doinst.sh16
-rw-r--r--network/suphp/slack-desc11
-rw-r--r--network/suphp/suphp-0.6.2-vhosts.patch29
-rw-r--r--network/suphp/suphp.SlackBuild96
-rw-r--r--network/suphp/suphp.conf46
-rw-r--r--network/suphp/suphp.info7
7 files changed, 234 insertions, 0 deletions
diff --git a/network/suphp/README b/network/suphp/README
new file mode 100644
index 0000000000..14cce5e792
--- /dev/null
+++ b/network/suphp/README
@@ -0,0 +1,29 @@
+suPHP is a tool for executing PHP scripts with the permissions of their
+owners. It consists of an Apache module (mod_suphp) and a setuid root
+binary (suphp) that is called by the Apache module to change the uid of
+the process executing the PHP interpreter.
+
+This version was compiled to look for its config-file in /etc/apache
+rather then just /etc as 'httpd' looks there aswell.
+
+Some of the 'standard' /etc/apache/httpd.conf directives include:
+
+ LoadModule suphp_module /usr/libexec/apache/mod_suphp.so
+ suPHP_Engine on
+ AddHandler x-httpd-php .php
+ suPHP_AddHandler x-httpd-php
+ suPHP_UserGroup someuser users
+
+To use different php versions 'per vhost' see:
+http://www.howtoforge.com/apache2_suphp_php4_php5
+
+suPHP needs a CGI build of the .php interpreter, usually named 'php-cgi'
+implying having to (re)compile PHP with in place of '--with-apxs'
+
+ '--enable-force-cgi-redirect'
+
+Note that it being somewhat slower then mod_php can be redused
+(grately) by building for the FastCGI too and using mod_fcgid
+however that would need additional configuration, see:
+http://fastcgi.coremail.cn/configuration.htm
+
diff --git a/network/suphp/doinst.sh b/network/suphp/doinst.sh
new file mode 100644
index 0000000000..3f513b956f
--- /dev/null
+++ b/network/suphp/doinst.sh
@@ -0,0 +1,16 @@
+config() {
+ NEW="$1"
+ OLD="`dirname $NEW`/`basename $NEW .new`"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then
+ # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+# Add a sample config-file, if only for documentation
+config etc/apache/suphp.conf.new
+
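Review bot: The doinst.sh that reaches the target host is not this file alone, and nothing here says so. suphp.SlackBuild appends `chgrp $HTTPD_GROUP usr/sbin/suphp` and `chmod 4750 usr/sbin/suphp` to the packaged copy, so the setuid-root bit and group restriction are applied by lines a reader of this file never sees. A comment above the `config` call would help, e.g. `# NOTE: suphp.SlackBuild appends the chgrp/chmod 4750 lines for usr/sbin/suphp at build time`. As a style point, the expansions inside `config()` are unquoted (`[ ! -r $OLD ]`, `mv $NEW $OLD`); this is harmless for the one fixed path passed today, but `mv "$NEW" "$OLD"` is the safer habit in a script that runs as root.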
diff --git a/network/suphp/slack-desc b/network/suphp/slack-desc
new file mode 100644
index 0000000000..e3a705a61d
--- /dev/null
+++ b/network/suphp/slack-desc
@@ -0,0 +1,11 @@
+suphp: suPHP
+suphp:
+suphp: mod_suphp is a module for executing PHP scripts with the permission
+suphp: of their owers rather then the user the webserver runs as. Similar
+suphp: to suEXEC for CGI/SSI, but supporting a configuration file.
+suphp:
+suphp: It uses a setuid root wrapper binary (/usr/sbin/suphp) to change
+suphp: the uid of the process executing the PHP interpreter.
+suphp:
+suphp: suPHP is maintained by: Sebastian Marsching
+suphp:
diff --git a/network/suphp/suphp-0.6.2-vhosts.patch b/network/suphp/suphp-0.6.2-vhosts.patch
new file mode 100644
index 0000000000..ea6e13c996
--- /dev/null
+++ b/network/suphp/suphp-0.6.2-vhosts.patch
@@ -0,0 +1,29 @@
+diff -ur src.std/apache/mod_suphp.c src/apache/mod_suphp.c
+--- src.std/apache/mod_suphp.c 2006-09-23 19:04:36.000000000 +0200
++++ src/apache/mod_suphp.c 2007-02-15 17:29:37.000000000 +0100
+@@ -249,9 +249,9 @@
+ {"suPHP_UserGroup", suphp_handle_cmd_user_group, NULL,
+ RSRC_CONF|ACCESS_CONF, TAKE2, "User and group scripts shall be run as"},
+ #endif
+- {"suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, ACCESS_CONF,
++ {"suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, RSRC_CONF|ACCESS_CONF,
+ ITERATE, "Tells mod_suphp to handle these MIME-types"},
+- {"suphp_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, ACCESS_CONF,
++ {"suphp_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, RSRC_CONF|ACCESS_CONF,
+ ITERATE, "Tells mod_suphp not to handle these MIME-types"},
+ {NULL}
+ };
+diff -ur src.std/apache2/mod_suphp.c src/apache2/mod_suphp.c
+--- src.std/apache2/mod_suphp.c 2006-11-06 01:57:12.000000000 +0100
++++ src/apache2/mod_suphp.c 2007-02-15 17:30:35.000000000 +0100
+@@ -321,8 +321,8 @@
+ AP_INIT_TAKE2("suPHP_UserGroup", suphp_handle_cmd_user_group, NULL, RSRC_CONF | ACCESS_CONF,
+ "User and group scripts shall be run as"),
+ #endif
+- AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"),
+- AP_INIT_ITERATE("suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, ACCESS_CONF, "Tells mod_suphp not to handle these MIME-types"),
++ AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"),
++ AP_INIT_ITERATE("suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp not to handle these MIME-types"),
+ {NULL}
+ };
+
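Review bot: The embedded patch carries no header explaining its purpose, and the only description on the page (the SlackBuild comment "globally honor the suPHP_Engine directive") does not match what it changes. Both hunks add `RSRC_CONF` to `suPHP_AddHandler` and `suPHP_RemoveHandler`; `suPHP_Engine` is not touched. Since this widens where a directive that routes requests to the setuid-root wrapper may be declared, state the intent at the top of the patch file, e.g. `Allow suPHP_AddHandler/suPHP_RemoveHandler in server and vhost context, not only in directory sections`. The SlackBuild comment should be corrected to the same wording.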
diff --git a/network/suphp/suphp.SlackBuild b/network/suphp/suphp.SlackBuild
new file mode 100644
index 0000000000..e2072d42b2
--- /dev/null
+++ b/network/suphp/suphp.SlackBuild
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+# Slackware build script for suPHP
+
+# Written by Menno E. Duursma <druiloor@zonnet.nl>
+
+# Exit on most errors
+set -e
+
+PRGNAM=suphp
+VERSION=0.6.2
+ARCH=${ARCH:-i486}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+CWD=`pwd`
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp} # Drop the package in /tmp
+
+# The stock Apache on Slackware runs httpd onder system
+# user/group account 'nobody'. If you happen to use some
+# other account (which should improve security) change below
+# and make sure /etc/apache/suphp.conf matches
+HTTPD_USER=nobody
+HTTPD_GROUP=nobody
+
+if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+elif [ "$ARCH" = "i686" ]; then
+ SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+fi
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar -xzvf $CWD/$PRGNAM-$VERSION.tar.gz
+cd $PRGNAM-$VERSION
+chown -R root:root .
+chmod -R u+w,go+r-w,a-s .
+
+# Apply patch to have it globally honor the suPHP_Engine directive
+cat $CWD/suphp-0.6.2-vhosts.patch | patch -p0 --verbose
+
+# Default to secure settings, as any of the configuretion options
+# can be overwritten in the config-file /etc/apache/suphp.conf anyways
+CFLAGS="$SLKCFLAGS" \
+CXXFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --with-apr=/usr/bin/apr-1-config \
+ --with-apxs=/usr/sbin/apxs \
+ --sysconfdir=/etc/apache \
+ --with-apache-user=$HTTPD_USER \
+ --with-logfile=/var/log/apache/suphp_log
+
+# Compile the application and install it into the $PKG directory
+make
+make install-strip DESTDIR=$PKG
+
+# The above misses Apache module
+( cd $PKG
+ strip --strip-unneeded usr/libexec/apache/mod_suphp.so
+)
+
+# Copy program documentation into the package
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a AUTHORS COPYING ChangeLog doc/* $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+
+# Add a sample configuration file
+mkdir -p $PKG/etc/apache
+cat $CWD/suphp.conf \
+ | tr 'webserver_user=nobody' "webserver_user=$HTTPD_USER" \
+ >> $PKG/etc/apache/suphp.conf.new
+
+# Copy the slack-desc (and a custom doinst.sh if necessary) into ./install
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+# Make sure the access permissions on target host are such that
+# only the group Apache runs as has access to it
+echo "chgrp $HTTPD_GROUP usr/sbin/suphp" >> $PKG/install/doinst.sh
+echo "chmod 4750 usr/sbin/suphp" >> $PKG/install/doinst.sh
+
+# Make the package; be sure to leave it in $OUTPUT
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.tgz
+
+# Clean up the extra stuff
+if [ "$1" = "--cleanup" ]; then
+ rm -rf $TMP/$PRGNAM-$VERSION
+ rm -rf $PKG
+fi
+
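Review bot: The sample-config step uses `tr 'webserver_user=nobody' "webserver_user=$HTTPD_USER"`, but `tr` maps characters one-for-one and does not replace a string. It is a no-op only while HTTPD_USER stays `nobody`; with any other account, which the comment above HTTPD_USER recommends, it rewrites matching characters throughout suphp.conf. The shipped `webserver_user` would then no longer match the account given to `--with-apache-user`, and other keys and paths in the file would be corrupted. Use `sed "s/^webserver_user=.*/webserver_user=$HTTPD_USER/" "$CWD/suphp.conf" > "$PKG/etc/apache/suphp.conf.new"`; the `>` also avoids the current `>>` append onto a file that should not exist yet.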
diff --git a/network/suphp/suphp.conf b/network/suphp/suphp.conf
new file mode 100644
index 0000000000..39bc18936b
--- /dev/null
+++ b/network/suphp/suphp.conf
@@ -0,0 +1,46 @@
+[global]
+;Path to logfile
+logfile=/var/log/apache/suphp_log
+
+;Loglevel
+loglevel=info
+
+;User Apache is running as
+webserver_user=nobody
+
+;Path all scripts have to be in
+docroot=/var/www
+
+;Path to chroot() to before executing script
+;chroot=/mychroot
+
+; Security options
+allow_file_group_writeable=true
+allow_file_others_writeable=false
+allow_directory_group_writeable=true
+allow_directory_others_writeable=false
+
+;Check wheter script is within DOCUMENT_ROOT
+check_vhost_docroot=true
+
+;Send minor error messages to browser
+errors_to_browser=true
+
+;PATH environment variable
+env_path=/bin:/usr/bin:/usr/local/bin
+
+;Umask to set, specify in octal notation
+umask=0077
+
+; Minimum UID
+min_uid=500
+
+; Minimum GID
+min_gid=100
+
+[handlers]
+;Handler for php-scripts
+x-httpd-php=php:/usr/bin/php-cgi
+
+;Handler for CGI-scripts
+x-suphp-cgi=execute:!self
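Review bot: The sample ships `allow_file_group_writeable=true` and `allow_directory_group_writeable=true`, which conflicts with the SlackBuild's stated aim to "default to secure settings". Because the wrapper runs each script with its owner's uid, any account in a script's group can then change code that executes as that owner. `errors_to_browser=true` also sends error detail to clients. Shipping `allow_file_group_writeable=false`, `allow_directory_group_writeable=false` and `errors_to_browser=false` would be the stricter baseline. A comment such as `; relax only for trusted shared-group setups` would tell admins when to loosen them.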
diff --git a/network/suphp/suphp.info b/network/suphp/suphp.info
new file mode 100644
index 0000000000..4de41dcdb8
--- /dev/null
+++ b/network/suphp/suphp.info
@@ -0,0 +1,7 @@
+PRGNAM="suphp"
+HOMEPAGE="http://www.suphp.org/"
+DOWNLOAD="http://www.suphp.org/download/suphp-0.6.2.tar.gz"
+MD5SUM="06ca9e592a5c6dd3dcb9360c958369c1"
+MAINTAINER="Menno Duursma"
+EMAIL="druiloor@zonnet.nl"
+APPROVED="BP{k}"
\ No newline at end of file