network/suphp: Updated for version 0.7.1

11 files changed, 204 insertions, 124 deletions

diff --git a/network/suphp/README b/network/suphp/README
index 669b5b5bda..53352c3857 100644
--- a/network/suphp/README
+++ b/network/suphp/README
@@ -1,22 +1,4 @@
 suPHP is a tool for executing PHP scripts with the permissions of their
 owners. It consists of an Apache module (mod_suphp) and a setuid root
 binary (suphp) that is called by the Apache module to change the uid of
-the process executing the PHP interpreter.
-
-This version was compiled to look for its config-file in /etc/httpd
-rather then just /etc as 'httpd' looks there aswell.
-
-Some of the 'standard' /etc/httpd/httpd.conf directives include:
-
-  LoadModule suphp_module  /usr/lib/httpd/modules/mod_suphp.so
-  suPHP_Engine on
-  AddHandler x-httpd-php .php
-  suPHP_AddHandler x-httpd-php  
-  suPHP_UserGroup someuser users
-
-To use different php versions 'per vhost' see:
-http://www.howtoforge.com/apache2_suphp_php4_php5
-
-mod_php can be reduced (greatly) by rebuilding PHP for FastCGI and 
-using mod_fcgid; however, that requires additional configuration.
-See http://fastcgi.coremail.cn/configuration.htm for details.
+the process executing the PHP interpreter. See also README.SLACKWARE
diff --git a/network/suphp/README.SLACKWARE b/network/suphp/README.SLACKWARE
new file mode 100644
index 0000000000..b3aaa7451b
--- /dev/null
+++ b/network/suphp/README.SLACKWARE
@@ -0,0 +1,42 @@
+suphp README.SLACKWARE 
+
+This version was compiled to look for its config file in /etc/httpd
+rather then just /etc as 'httpd' looks there aswell.
+
+To enable this make sure to disable mod_php first, then (after editing
+as needed for your site) add to /etc/httpd/httpd.conf:
+ 
+  Include /etc/httpd/mod_suphp.conf
+
+Unlike suEXEC, suPHP tries to fix variables like $_SERVER['SCRIPT_NAME']
+
+Apache php_* directives in .htaccess files will only work if you install
+the 'htscanner' PHP extension (available from SBo also).  However, not
+every setting will work that way; using a php.ini per vhost is another
+option available, configurable in /etc/http/mod_suphp.conf
+
+Upon each connection getpwnam() and similar user-db functions are run,
+which may hinder performance on systems with many accounts (or that use
+some kind of external db system) in which case running 'nscd' may help:
+http://groups.google.nl/group/alt.os.linux.slackware/msg/7032b8ec0e2b11b3
+
+To use different php versions 'per vhost' see:
+http://www.howtoforge.com/apache2_suphp_php4_php5
+
+==
+
+Note on capabilities: FCAPS=true
+
+Which, if set, will install the wrapper non-setuid. For this to work
+however filesystem support must be available (ext3 has this support).
+Your backup tool might ignore, or not know about, extended attribs...
+
+Besides the 'apache' user must be able to write to its logfile, e.g.
+drwxrwxr-x 2 root apache 4096 2009-04-05 00:29 /var/log/httpd
+-rw-rw-r-- 1 root apache 2212 2009-04-05 13:45 /var/log/httpd/suphp_log
+Which might have some consequence in logrotate configuration too.
+
+In case Apache is chrooted (for instance with mod_chroot available from
+SBo as well), breaking out should be much harder if installed this way, as
+ptrace, chroot, etc will be unavailable to get via suphp within the jail.
+
diff --git a/network/suphp/config/mod_suphp.conf b/network/suphp/config/mod_suphp.conf
new file mode 100644
index 0000000000..60d6d157f2
--- /dev/null
+++ b/network/suphp/config/mod_suphp.conf
@@ -0,0 +1,41 @@
+# ===========================
+# == suPHP Apache module   ==
+# ===========================
+
+# Invite this baby in.
+LoadModule suphp_module /usr/lib/httpd/modules/mod_suphp.so
+
+# Tell her what maybe on the menu here.
+AddHandler x-httpd-php .php .php3 .php4 .php5
+
+# This option tells mod_suphp if a PHP-script requested on this server (or
+# VirtualHost) should be run with the PHP-interpreter or returned to the
+# browser "as it is".
+suPHP_Engine on
+
+# This option tells mod_suphp which path to pass on to the PHP-interpreter
+# (by setting the PHPRC environment variable).
+# Do *NOT* refer to a file but to the directory the file resists in.
+# If you don't use this option, PHP will use its compiled in default path.
+#suPHP_ConfigPath (expects a path name)
+
+# Specify the user- and groupname to run PHP-scripts with. This setting
+# can only be used within a <Directory> or <Location> context.
+suPHP_UserGroup nfsnobody users
+
+# Tells mod_suphp to handle requests with the type <mime-type>.
+# Please note this only works, if an action for the handler is specified
+# in the suPHP configuration file. Settings on per-directory level supersede
+# settings made on per-server level.
+suPHP_AddHandler x-httpd-php
+
+# Tells mod_suphp NOT to handle requests with the type <mime-type>. This will
+# override the suPHP_AddHandler setting made on a higher configuration level.
+#suPHP_RemoveHandler <mime-type>
+
+# Sets the path to the PHP binary that is used to render files with the
+# "x-httpd-php" or "application/x-httpd-php" type. This setting does
+# *NOT* affect the PHP binary used for serving script requests, which is
+# still configured in suphp.conf.
+#suPHP_PHPPath (expects a path name)
+
diff --git a/network/suphp/config/suphp.conf b/network/suphp/config/suphp.conf
new file mode 100644
index 0000000000..b973e9f97e
--- /dev/null
+++ b/network/suphp/config/suphp.conf
@@ -0,0 +1,56 @@
+[global]
+; Path to logfile
+; This is set to where Apache logs reside aswell
+logfile=/var/log/httpd/suphp_log
+
+; Loglevel
+loglevel=info
+
+; User Apache is running as
+webserver_user=apache
+
+; Path all scripts have to be in
+; This should reflect the vhosts DocumentRoot
+docroot=/var/www:${HOME}/public_html
+
+; Path to chroot() to before executing script
+;chroot=/mychroot
+
+; Security options
+; Note: RedHat-like systems expect 'group_writeable' privs
+allow_file_group_writeable=false
+allow_file_others_writeable=false
+allow_directory_group_writeable=false
+allow_directory_others_writeable=false
+
+; Check wheter script is within DOCUMENT_ROOT
+check_vhost_docroot=true
+
+; Send minor error messages to browser
+errors_to_browser=true
+
+; PATH environment variable
+env_path=/bin:/usr/bin
+
+; Umask to set, specify in octal notation
+; Provided all users are in the 'users' group 072,
+; makes sure they cannot mess about eachothers files.
+; Note: homedirs can have <username>:apache 0710 perms!
+umask=0072
+
+; Minimum UID
+; The default Slackware NIS config uses this UID boundry
+min_uid=500
+
+; Minimum GID
+; The 'users' group
+min_gid=100
+
+[handlers]
+; Handler for php-scripts
+x-httpd-php="php:/usr/bin/php-cgi"
+
+; Handler for CGI-scripts
+; Similar in functionality to suEXEC
+x-suphp-cgi="execute:!self"
+
diff --git a/network/suphp/doinst.sh b/network/suphp/doinst.sh
index e796ae0a4e..58cc2362b2 100644
--- a/network/suphp/doinst.sh
+++ b/network/suphp/doinst.sh
@@ -11,5 +11,6 @@ config() {
   # Otherwise, we leave the .new copy for the admin to consider...
 }
 
+config etc/httpd/mod_suphp.conf.new
 config etc/httpd/suphp.conf.new
 
diff --git a/network/suphp/patches/suphp-0.7.1-nosuid.diff b/network/suphp/patches/suphp-0.7.1-nosuid.diff
new file mode 100644
index 0000000000..7a9b35de4e
--- /dev/null
+++ b/network/suphp/patches/suphp-0.7.1-nosuid.diff
@@ -0,0 +1,18 @@
+diff -ur suphp-0.7.1.orig/src/Application.cpp suphp-0.7.1/src/Application.cpp
+--- suphp-0.7.1.orig/src/Application.cpp	2009-03-14 18:55:25.000000000 +0100
++++ suphp-0.7.1/src/Application.cpp	2009-04-05 13:03:10.000000000 +0200
+@@ -174,12 +174,13 @@
+         throw SecurityException("Calling user is not webserver user!",
+                                 __FILE__, __LINE__);
+     }
+-
++#if 0
+     if (!api.getEffectiveProcessUser().isSuperUser()) {
+         throw SecurityException(
+             "Do not have root privileges. Executable not set-uid root?",
+             __FILE__, __LINE__);
+     }
++#endif
+ }
+ 
+ 
diff --git a/network/suphp/slack-desc b/network/suphp/slack-desc
index fa46fd1fd6..cefe0b4882 100644
--- a/network/suphp/slack-desc
+++ b/network/suphp/slack-desc
@@ -5,15 +5,15 @@
 # make exactly 11 lines for the formatting to be correct.  It's also
 # customary to leave one space after the ':'.
 
-     |-----handy-ruler------------------------------------------------------|
+     |-----handy-ruler-------------------------------------------------------|
 suphp: suPHP (an Apache module)
 suphp:
 suphp: mod_suphp is a module for executing PHP scripts with the permission
 suphp: of their owners rather then the user the webserver runs as. 
 suphp: It is similar to suEXEC for CGI/SSI but supports a configuration file.
-suphp: 
+suphp:
 suphp: It uses a setuid root wrapper binary (/usr/sbin/suphp) to change
 suphp: the uid of the process executing the PHP interpreter.
-suphp: 
+suphp:
 suphp: suPHP is maintained by Sebastian Marsching
 suphp:
diff --git a/network/suphp/suphp-0.6.3-vhosts.patch b/network/suphp/suphp-0.6.3-vhosts.patch
deleted file mode 100644
index ea6e13c996..0000000000
--- a/network/suphp/suphp-0.6.3-vhosts.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff -ur src.std/apache/mod_suphp.c src/apache/mod_suphp.c
---- src.std/apache/mod_suphp.c	2006-09-23 19:04:36.000000000 +0200
-+++ src/apache/mod_suphp.c	2007-02-15 17:29:37.000000000 +0100
-@@ -249,9 +249,9 @@
-     {"suPHP_UserGroup", suphp_handle_cmd_user_group, NULL, 
-      RSRC_CONF|ACCESS_CONF, TAKE2, "User and group scripts shall be run as"},
- #endif 
--    {"suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, ACCESS_CONF,
-+    {"suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, RSRC_CONF|ACCESS_CONF,
-      ITERATE, "Tells mod_suphp to handle these MIME-types"},
--    {"suphp_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, ACCESS_CONF,
-+    {"suphp_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, RSRC_CONF|ACCESS_CONF,
-      ITERATE, "Tells mod_suphp not to handle these MIME-types"},
-     {NULL}
- };
-diff -ur src.std/apache2/mod_suphp.c src/apache2/mod_suphp.c
---- src.std/apache2/mod_suphp.c	2006-11-06 01:57:12.000000000 +0100
-+++ src/apache2/mod_suphp.c	2007-02-15 17:30:35.000000000 +0100
-@@ -321,8 +321,8 @@
-     AP_INIT_TAKE2("suPHP_UserGroup", suphp_handle_cmd_user_group, NULL, RSRC_CONF | ACCESS_CONF,
-                   "User and group scripts shall be run as"),
- #endif
--    AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"),
--    AP_INIT_ITERATE("suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, ACCESS_CONF, "Tells mod_suphp not to handle these MIME-types"),
-+    AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"),
-+    AP_INIT_ITERATE("suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp not to handle these MIME-types"),
-     {NULL}
- };
- 
diff --git a/network/suphp/suphp.SlackBuild b/network/suphp/suphp.SlackBuild
index 42515eb197..e3e9eff0cc 100644
--- a/network/suphp/suphp.SlackBuild
+++ b/network/suphp/suphp.SlackBuild
@@ -2,10 +2,14 @@
 
 # Slackware build script for suPHP
 
-# Written by Menno E. Duursma <druiloor@zonnet.nl>
+# Written by Menno Duursma <druiloor@zonnet.nl>
+
+# This program is free software. It comes without any warranty.
+# Granted WTFPLv2, as published by Sam Hocevar dec'04.
+# For details see http://sam.zoy.org/wtfpl/COPYING
 
 PRGNAM=suphp
-VERSION=0.6.3
+VERSION=${VERSION:-0.7.1}
 ARCH=${ARCH:-i486}
 BUILD=${BUILD:-1}
 TAG=${TAG:-_SBo}
@@ -13,7 +17,10 @@ TAG=${TAG:-_SBo}
 CWD=$(pwd)
 TMP=${TMP:-/tmp/SBo}
 PKG=$TMP/package-$PRGNAM
-OUTPUT=${OUTPUT:-/tmp}	# Drop the package in /tmp
+OUTPUT=${OUTPUT:-/tmp}
+
+# On capability enabled filesystems this may be enabled
+FCAPS=${FCAPS:-false}
 
 # The stock Apache on Slackware runs httpd under system
 # user/group account 'apache'. If you happen to use some
@@ -40,11 +47,13 @@ cd $PRGNAM-$VERSION
 chown -R root:root .
 chmod -R u+w,go+r-w,a-s .
 
-# Apply a patch to have it globally honor the suPHP_Engine directive
-patch -p0 --verbose < $CWD/suphp-$VERSION-vhosts.patch
+# FCAPS: remove ruid-root check from source
+if [ "$FCAPS" != "false" ]; then
+  patch --verbose -p1 < $CWD/patches/suphp-0.7.1-nosuid.diff
+fi
 
 # Default to secure settings, as any of the configuration options 
-# can be overwritten in the config-file /etc/httpd/suphp.conf anyway
+# can be overwritten in the config file /etc/httpd/suphp.conf anyway
 CFLAGS="$SLKCFLAGS" \
 CXXFLAGS="$SLKCFLAGS" \
 ./configure \
@@ -55,25 +64,28 @@ CXXFLAGS="$SLKCFLAGS" \
   --with-apache-user=$HTTPD_USER \
   --with-logfile=/var/log/httpd/suphp_log \
   --enable-static=no \
-  --build=$ARCH-slackware-linux \
-  --host=$ARCH-slackware-linux
+  --build=$ARCH-slackware-linux
 
 make
-make install DESTDIR=$PKG
 
-( cd $PKG
-  find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
-  find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
-)
+# Following only strips the wrapper
+make install-strip DESTDIR=$PKG
+
+# Strip the DSO as well
+find $PKG -type f  | xargs file | grep "shared object" | grep ELF \
+  | cut -f 1 -d : | xargs strip -v --strip-unneeded 2> /dev/null
 
 mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
 cp -a AUTHORS COPYING ChangeLog doc/* $PKG/usr/doc/$PRGNAM-$VERSION
 cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
-cat $CWD/README > $PKG/usr/doc/$PRGNAM-$VERSION/README.SBo
+cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE
 
 mkdir -p $PKG/etc/httpd
+cat $CWD/config/mod_suphp.conf > $PKG/etc/httpd/mod_suphp.conf.new
+
+# Make sure the user Apache runs as in correctly reflected
 sed s/'webserver_user=apache'/"webserver_user=$HTTPD_USER"/g \
-  $CWD/suphp.conf >> $PKG/etc/httpd/suphp.conf.new
+  $CWD/config/suphp.conf > $PKG/etc/httpd/suphp.conf.new
 
 mkdir -p $PKG/install
 cat $CWD/slack-desc > $PKG/install/slack-desc
@@ -81,15 +93,18 @@ cat $CWD/doinst.sh > $PKG/install/doinst.sh
 
 # Make sure the access permissions on target host are such that
 # only the group Apache runs as has access to it
-echo "chgrp $HTTPD_GROUP usr/sbin/suphp" >> $PKG/install/doinst.sh
-echo "chmod 4750 usr/sbin/suphp" >> $PKG/install/doinst.sh
+chown root:$HTTPD_GROUP $PKG/usr/sbin/suphp
+
+# Install setuid unless caller requested otherwise
+if [ "$FCAPS" != "false" ]; then
+  chmod 0750 $PKG/usr/sbin/suphp
+  # Note: on a chrooted Apache: this should fence the jail
+  echo 'setcap "cap_setgid=ep cap_setuid=ep" usr/sbin/suphp' \
+    >> $PKG/install/doinst.sh
+else
+  # Install setuid-root
+  chmod 4750 $PKG/usr/sbin/suphp
+fi
 
 cd $PKG
 /sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.tgz
-
-# Clean up the extra stuff
-if [ "$1" = "--cleanup" ]; then
-  rm -rf $TMP/$PRGNAM-$VERSION
-  rm -rf $PKG
-fi
-
diff --git a/network/suphp/suphp.conf b/network/suphp/suphp.conf
deleted file mode 100644
index 9bd6bcbafe..0000000000
--- a/network/suphp/suphp.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-[global]
-;Path to logfile
-logfile=/var/log/httpd/suphp_log
-
-;Loglevel
-loglevel=info
-
-;User Apache is running as
-webserver_user=apache
-
-;Path all scripts have to be in
-docroot=/var/www
-
-;Path to chroot() to before executing script
-;chroot=/mychroot
-
-; Security options
-allow_file_group_writeable=true
-allow_file_others_writeable=false
-allow_directory_group_writeable=true
-allow_directory_others_writeable=false
-
-;Check wheter script is within DOCUMENT_ROOT
-check_vhost_docroot=true
-
-;Send minor error messages to browser
-errors_to_browser=true
-
-;PATH environment variable
-env_path=/bin:/usr/bin:/usr/local/bin
-
-;Umask to set, specify in octal notation
-umask=0077
-
-; Minimum UID
-min_uid=500
-
-; Minimum GID
-min_gid=100
-
-[handlers]
-;Handler for php-scripts
-x-httpd-php=php:/usr/bin/php-cgi
-
-;Handler for CGI-scripts
-x-suphp-cgi=execute:!self
diff --git a/network/suphp/suphp.info b/network/suphp/suphp.info
index d34d8d10d0..f5ff3e4d3f 100644
--- a/network/suphp/suphp.info
+++ b/network/suphp/suphp.info
@@ -1,8 +1,8 @@
 PRGNAM="suphp"
-VERSION="0.6.3"
+VERSION="0.7.1"
 HOMEPAGE="http://www.suphp.org/"
-DOWNLOAD="http://www.suphp.org/download/suphp-0.6.3.tar.gz"
-MD5SUM="756e8893857fefed087a89959a87645a"
+DOWNLOAD="http://www.suphp.org/download/suphp-0.7.1.tar.gz"
+MD5SUM="c172dd4f15a75f4dcb08ea97d4202bb8"
 MAINTAINER="Menno Duursma"
 EMAIL="druiloor@zonnet.nl"
 APPROVED="rworkman"