Any PHP suexec?

Any PHP suexec?

Post by Mr. Chow Wing Si » Sat, 18 Aug 2001 23:53:05



Hi,

I would like to know if there's any PHP suexec to let user's page
running as his/her UID?  Thanks.

--
Johnson Chow

 
 
 

Any PHP suexec?

Post by Nikola Milutinovi » Sat, 18 Aug 2001 14:49:02




Quote:> Hi,

> I would like to know if there's any PHP suexec to let user's page
> running as his/her UID?  Thanks.

SuEXEC can work only on CGI programs (why do we call these things CGI
scripts? They are any kind of executable...). So, the only solution is to
run PHP as CGI module, rather than Apache mod_php.

Would it be possible, in some distant future, to tell Apache to run under
the user-owner of the virtual host? That would be most logical for me. That
would require main Apache process to be root, which does open some space for
buffer overflows. OTOH, Apache would be root for the minimal time, just
enough to determine which VirtualHost it should be and switch to it. I
realize this "minimal" time might be long from Apache's point of view.

Nix.

 
 
 

Any PHP suexec?

Post by Joshua Sliv » Sat, 18 Aug 2001 23:15:26



> Would it be possible, in some distant future, to tell Apache to run under
> the user-owner of the virtual host? That would be most logical for me. That
> would require main Apache process to be root, which does open some space for
> buffer overflows. OTOH, Apache would be root for the minimal time, just
> enough to determine which VirtualHost it should be and switch to it. I
> realize this "minimal" time might be long from Apache's point of view.

That's not the real problem.  The problem is that once Apache switches
from root to the other userid, it must give up all ability to switch
back to root.  Therefore, the process would only be able to serve
that one request before dying. This would vastly slow down the
server, since creating new processes is very expensive.

On the other hand, Apache 2.0 has an experimental "MPM" called
"perchild" which will keep a pool of processes running under
different userids, and will pass requests to the appropriate
process.

--
Joshua Slive

http://slive.ca/

 
 
 

Any PHP suexec?

Post by Nikola Milutinovi » Tue, 21 Aug 2001 14:53:50




> > Would it be possible, in some distant future, to tell Apache to run
under
> > the user-owner of the virtual host? That would be most logical for me.
That

> That's not the real problem.  The problem is that once Apache switches
> from root to the other userid, it must give up all ability to switch
> back to root.  Therefore, the process would only be able to serve
> that one request before dying. This would vastly slow down the
> server, since creating new processes is very expensive.

Yes, you're right.

Quote:> On the other hand, Apache 2.0 has an experimental "MPM" called
> "perchild" which will keep a pool of processes running under
> different userids, and will pass requests to the appropriate
> process.

So, will Apache 2.0 work the way I described? Can you setup something like:

NameVirtualHost 192.168.61.16:80
<VirtualHost 192.168.61.16>
    ServerName      Mercury.ev.co.yu
    DocumentRoot    /usr/users/mercury/public_html

    ErrorLog        /usr/users/mercury/logs/error.log
    CustomLog       /usr/users/mercury/logs/access.log common
    User mercury
    Group httpd

    <IfModule mod_alias.c>
        ScriptAlias /cgi-bin/ "/usr/users/mercury/cgi-bin/"
    </IfModule>
</VirtualHost>

And then all requests for http://Mercury.ev.co.yu/... would be directed to
the process with UID=mercury? And that process would be bound to serve
*that* particular virtual server?

Nix.

 
 
 

Any PHP suexec?

Post by Joshua Sli » Tue, 21 Aug 2001 23:10:55



> And then all requests for http://Mercury.ev.co.yu/... would be directed to
> the process with UID=mercury? And that process would be bound to serve
> *that* particular virtual server?

Yes, that is essentially it.  I don't know if it is working at the
moment, but that is certainly the eventual plan.

Joshua.

 
 
 

1. Apache/PHP/suexec-Question

I have a running Apache server with PHP compiled as module. Suexec
works, as I can see from my log file.
Now the problem: My PHP-script needs to create subdirs under
/usr/local/httpd/htdocs, so I tried suexec. The script is in
document_root, owner is a normal user, group and world can read and
execute, but not write. But the script does not work (mkdir - permission
denied). The user himself can create the subdirs, so I guess the script
is not run by the suexec-wrapper.

Any help greatly appreciated.

2. difference in [ and [[ in ksh

3. suEXEC and PHP

4. something like loadkeys for X

5. Apache, suexec and php

6. questions for CSPLIT?

7. Apache + SUEXEC + PHP = Question

8. subnetting on sunOS 4.1.1

9. Suexec and php

10. RewriteRule for suexec and php

11. suEXEC, PHP, virtual hosts, security, permissions

12. Apache w/ PHP and SSL: w/ PHP OK - w/out PHP NOK

13. suEXEC / non suEXEC performance