From 950dbcc826ae0cf24cca4dff16f23614b790b90b Mon Sep 17 00:00:00 2001
From: Menno Duursma
Date: Tue, 11 May 2010 15:01:36 +0200
Subject: network/suphp: Initial import

---
 network/suphp/README | 29 ++++++++++
 network/suphp/doinst.sh | 16 ++++++
 network/suphp/slack-desc | 11 ++++
 network/suphp/suphp-0.6.2-vhosts.patch | 29 ++++++++++
 network/suphp/suphp.SlackBuild | 96 ++++++++++++++++++++++++++++++++++
 network/suphp/suphp.conf | 46 ++++++++++++++++
 network/suphp/suphp.info | 7 +++
 7 files changed, 234 insertions(+)
 create mode 100644 network/suphp/README
 create mode 100644 network/suphp/doinst.sh
 create mode 100644 network/suphp/slack-desc
 create mode 100644 network/suphp/suphp-0.6.2-vhosts.patch
 create mode 100644 network/suphp/suphp.SlackBuild
 create mode 100644 network/suphp/suphp.conf
 create mode 100644 network/suphp/suphp.info

diff --git a/network/suphp/README b/network/suphp/README
new file mode 100644
index 0000000000..14cce5e792
--- /dev/null
+++ b/network/suphp/README
@@ -0,0 +1,29 @@
+suPHP is a tool for executing PHP scripts with the permissions of their
+owner. It consists of an Apache module (mod_suphp) and a setuid root
+binary (suphp) that is called by the Apache module to change the uid of
+the process executing the PHP interpreter.
+
+This version was compiled to look for its config-file in /etc/apache
+rather then just /etc as 'httpd' looks there aswell.
+
+Some of the 'standard' /etc/apache/httpd.conf directives include:
+
+ LoadModule suphp_module /usr/libexec/apache/mod_suphp.so
+ suPHP_Engine on
+ AddHandler x-httpd-php .php
+ suPHP_AddHandler x-httpd-php
+ suPHP_UserGroup someuser users
+
+To use different php versions 'per vhost' see:
+http://www.howtoforge.com/apache2_suphp_php4_php5
+
+suPHP needs a CGI build of the .php interpreter, usually named 'php-cgi'
+implying having to (re)compile PHP with in place of '--with-apxs'
+
+ '--enable-force-cgi-redirect'
+
+Note that it being somewhat slower then mod_php can be redused
+(grately) by building for the FastCGI too and using mod_fcgid
+however that would need additional configuration, see:
+http://fastcgi.coremail.cn/configuration.htm
+
diff --git a/network/suphp/doinst.sh b/network/suphp/doinst.sh
new file mode 100644
index 0000000000..3f513b956f
--- /dev/null
+++ b/network/suphp/doinst.sh
@@ -0,0 +1,16 @@
+config() {
+ NEW="$1"
+ OLD="`dirname $NEW`/`basename $NEW .new`"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then
+ # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+# Add a sample config-file, if only for documentation
+config etc/apache/suphp.conf.new
+
diff --git a/network/suphp/slack-desc b/network/suphp/slack-desc
new file mode 100644
index 0000000000..e3a705a61d
--- /dev/null
+++ b/network/suphp/slack-desc
@@ -0,0 +1,11 @@
+suphp: suPHP
+suphp:
+suphp: mod_suphp is a module for executing PHP scripts with the permission
+suphp: of their owers rather then the user the webserver runs as. Similar
+suphp: to suEXEC for CGI/SSI, but supporting a configuration file.
+suphp:
+suphp: It uses a setuid root wrapper binary (/usr/sbin/suphp) to change
+suphp: the uid of the process executing the PHP interpreter.
+suphp:
+suphp: suPHP is maintained by: Sebastian Marsching
+suphp:
diff --git a/network/suphp/suphp-0.6.2-vhosts.patch b/network/suphp/suphp-0.6.2-vhosts.patch
new file mode 100644
index 0000000000..ea6e13c996
--- /dev/null
+++ b/network/suphp/suphp-0.6.2-vhosts.patch
@@ -0,0 +1,29 @@
+diff -ur src.std/apache/mod_suphp.c src/apache/mod_suphp.c
+--- src.std/apache/mod_suphp.c 2006-09-23 19:04:36.000000000 +0200
++++ src/apache/mod_suphp.c 2007-02-15 17:29:37.000000000 +0100
+@@ -249,9 +249,9 @@
+ {"suPHP_UserGroup", suphp_handle_cmd_user_group, NULL,
+ RSRC_CONF|ACCESS_CONF, TAKE2, "User and group scripts shall be run as"},
+ #endif
+- {"suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, ACCESS_CONF,
++ {"suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, RSRC_CONF|ACCESS_CONF,
+ ITERATE, "Tells mod_suphp to handle these MIME-types"},
+- {"suphp_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, ACCESS_CONF,
++ {"suphp_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, RSRC_CONF|ACCESS_CONF,
+ ITERATE, "Tells mod_suphp not to handle these MIME-types"},
+ {NULL}
+ };
+diff -ur src.std/apache2/mod_suphp.c src/apache2/mod_suphp.c
+--- src.std/apache2/mod_suphp.c 2006-11-06 01:57:12.000000000 +0100
++++ src/apache2/mod_suphp.c 2007-02-15 17:30:35.000000000 +0100
+@@ -321,8 +321,8 @@
+ AP_INIT_TAKE2("suPHP_UserGroup", suphp_handle_cmd_user_group, NULL, RSRC_CONF | ACCESS_CONF,
+ "User and group scripts shall be run as"),
+ #endif
+- AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"),
+- AP_INIT_ITERATE("suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, ACCESS_CONF, "Tells mod_suphp not to handle these MIME-types"),
++ AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"),
++ AP_INIT_ITERATE("suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp not to handle these MIME-types"),
+ {NULL}
+ };
+ 
diff --git a/network/suphp/suphp.SlackBuild b/network/suphp/suphp.SlackBuild
new file mode 100644
index 0000000000..e2072d42b2
--- /dev/null
+++ b/network/suphp/suphp.SlackBuild
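Review bot: The patch file has no header line saying what it changes or why, and the only description of it elsewhere in this commit (the SlackBuild comment "globally honor the suPHP_Engine directive") does not match its content: both hunks widen the permitted context of `suPHP_AddHandler` and `suphp_RemoveHandler`/`suPHP_RemoveHandler` from `ACCESS_CONF` to `RSRC_CONF|ACCESS_CONF`, i.e. they may now also appear in the main server config and in `<VirtualHost>` blocks rather than only inside directory containers. Since `patch` ignores text before the first file header, add a description above the first `diff -ur`, e.g. `Allow suPHP_AddHandler/suPHP_RemoveHandler in server and <VirtualHost> context (RSRC_CONF) as well as directory context, so PHP handlers can be chosen per vhost; against suphp 0.6.2.` The two `AP_INIT_ITERATE` lines for apache2 are the same change as the apache-1 table above them, so one header covers both.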
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+# Slackware build script for suPHP
+
+# Written by Menno E. Duursma
+
+# Exit on most errors
+set -e
+
+PRGNAM=suphp
+VERSION=0.6.2
+ARCH=${ARCH:-i486}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+CWD=`pwd`
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp} # Drop the package in /tmp
+
+# The stock Apache on Slackware runs httpd onder system
+# user/group account 'nobody'. If you happen to use some
+# other account (which should improve security) change below
+# and make sure /etc/apache/suphp.conf matches
+HTTPD_USER=nobody
+HTTPD_GROUP=nobody
+
+if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+elif [ "$ARCH" = "i686" ]; then
+ SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+fi
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar -xzvf $CWD/$PRGNAM-$VERSION.tar.gz
+cd $PRGNAM-$VERSION
+chown -R root:root .
+chmod -R u+w,go+r-w,a-s .
+
+# Apply patch to have it globally honor the suPHP_Engine directive
+cat $CWD/suphp-0.6.2-vhosts.patch | patch -p0 --verbose
+
+# Default to secure settings, as any of the configuretion options
+# can be overwritten in the config-file /etc/apache/suphp.conf anyways
+CFLAGS="$SLKCFLAGS" \
+CXXFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --with-apr=/usr/bin/apr-1-config \
+ --with-apxs=/usr/sbin/apxs \
+ --sysconfdir=/etc/apache \
+ --with-apache-user=$HTTPD_USER \
+ --with-logfile=/var/log/apache/suphp_log
+
+# Compile the application and install it into the $PKG directory
+make
+make install-strip DESTDIR=$PKG
+
+# The above misses Apache module
+( cd $PKG
+ strip --strip-unneeded usr/libexec/apache/mod_suphp.so
+)
+
+# Copy program documentation into the package
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a AUTHORS COPYING ChangeLog doc/* $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+
+# Add a sample configuration file
+mkdir -p $PKG/etc/apache
+cat $CWD/suphp.conf \
+ | tr 'webserver_user=nobody' "webserver_user=$HTTPD_USER" \
+ >> $PKG/etc/apache/suphp.conf.new
+
+# Copy the slack-desc (and a custom doinst.sh if necessary) into ./install
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+# Make sure the access permissions on target host are such that
+# only the group Apache runs as has access to it
+echo "chgrp $HTTPD_GROUP usr/sbin/suphp" >> $PKG/install/doinst.sh
+echo "chmod 4750 usr/sbin/suphp" >> $PKG/install/doinst.sh
+
+# Make the package; be sure to leave it in $OUTPUT
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.tgz
+
+# Clean up the extra stuff
+if [ "$1" = "--cleanup" ]; then
+ rm -rf $TMP/$PRGNAM-$VERSION
+ rm -rf $PKG
+fi
+
diff --git a/network/suphp/suphp.conf b/network/suphp/suphp.conf
new file mode 100644
index 0000000000..39bc18936b
--- /dev/null
+++ b/network/suphp/suphp.conf
@@ -0,0 +1,46 @@
+[global]
+;Path to logfile
+logfile=/var/log/apache/suphp_log
+
+;Loglevel
+loglevel=info
+
+;User Apache is running as
+webserver_user=nobody
+
+;Path all scripts have to be in
+docroot=/var/www
+
+;Path to chroot() to before executing script
+;chroot=/mychroot
+
+; Security options
+allow_file_group_writeable=true
+allow_file_others_writeable=false
+allow_directory_group_writeable=true
+allow_directory_others_writeable=false
+
+;Check wheter script is within DOCUMENT_ROOT
+check_vhost_docroot=true
+
+;Send minor error messages to browser
+errors_to_browser=true
+
+;PATH environment variable
+env_path=/bin:/usr/bin:/usr/local/bin
+
+;Umask to set, specify in octal notation
+umask=0077
+
+; Minimum UID
+min_uid=500
+
+; Minimum GID
+min_gid=100
+
+[handlers]
+;Handler for php-scripts
+x-httpd-php=php:/usr/bin/php-cgi
+
+;Handler for CGI-scripts
+x-suphp-cgi=execute:!self
diff --git a/network/suphp/suphp.info b/network/suphp/suphp.info
new file mode 100644
index 0000000000..4de41dcdb8
--- /dev/null
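Review bot: The `tr 'webserver_user=nobody' "webserver_user=$HTTPD_USER"` pipeline at the top of this hunk is not a string substitution: `tr` maps each character of the first set to the character at the same position in the second, so as soon as HTTPD_USER is anything other than `nobody` (the case the comment near the top of the script invites) characters such as `n`, `d` and `y` are rewritten throughout the whole file and the installed suphp.conf.new — the security policy for a setuid root helper — is silently corrupted, while with the default `nobody` the two sets are identical and the bug never shows. Replace the two lines with a real substitution and a plain write, since $PKG was recreated a few lines earlier: `sed "s/^webserver_user=nobody$/webserver_user=$HTTPD_USER/" $CWD/suphp.conf > $PKG/etc/apache/suphp.conf.new`. The comment above the `patch -p0` call earlier in this hunk (`# Apply patch to have it globally honor the suPHP_Engine directive`) also appears to describe something other than what suphp-0.6.2-vhosts.patch in this commit changes (the allowed context of suPHP_AddHandler/RemoveHandler), so it should be reworded to match. This hunk begins on the previous line.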
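Review bot: `errors_to_browser=true` under the `;Send minor error messages to browser` comment returns suPHP's diagnostic text (paths, ownership and permission findings) to the HTTP client; for a shipped default it should be `false`, with the comment pointing at the `logfile` set at the top of the section as the place to read them, e.g. `;Send minor error messages to browser (keep false on production hosts; see logfile)`. In the `; Security options` group, `allow_file_group_writeable=true` and `allow_directory_group_writeable=true` mean any member of a script owner's group can modify code that then executes with the owner's uid, so the comment should state that trade-off rather than just the heading, e.g. `; group-writeable scripts run as their owner: set to false unless every group member is trusted`. A comment on `webserver_user=nobody` noting that the SlackBuild rewrites exactly this line at package time would also help, since any edit to its spelling breaks that substitution.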
+++ b/network/suphp/suphp.info
@@ -0,0 +1,7 @@
+PRGNAM="suphp"
+HOMEPAGE="http://www.suphp.org/"
+DOWNLOAD="http://www.suphp.org/download/suphp-0.6.2.tar.gz"
+MD5SUM="06ca9e592a5c6dd3dcb9360c958369c1"
+MAINTAINER="Menno Duursma"
+EMAIL="druiloor@zonnet.nl"
+APPROVED="BP{k}"
\ No newline at end of file
-- 
cgit v1.2.3