Want a very secure Apache / PHP setup?
SuEXEC runs CGI scripts under the script owner's own account instead of the web server's. So if a security hole in a script is exploited, the attacker normally gets (provided your FreeBSD server's permissions are set correctly) only that user's resources, not those of the web server or of the other users on the box.
The genuine SuEXEC drawback is that you have to prefix each PHP script with an interpreter line, as with any other CGI script (remember #!/usr/bin/perl?). We will slightly edit suexec.c to avoid that.
SuEXEC forces you to chmod your web content correctly and securely: 700 for the scripts, 711 for the directories (755 if you want them listable). If that sounds too paranoid, or you are tired of your users' complaints, you can ask SuEXEC to skip the permission checks (but then what is the point of this method? Consider a chroot instead). If you are a console guru, I have written an autochmod script (at the end of this post) to keep our life paranoid but easier 😉
Okay, let's begin with the usual stuff: PHP, the libraries, MySQL... You should compile them from scratch one day, it is a great experience, but unless you have no other choice (e.g. to test a PHP 6 beta) use the ports (or packages, or rpm, or whatever you like). Oh, and you will find excellent precompiled MySQL binaries built with the Intel compiler, in theory better optimised than a cc or gcc build. Give them a try.
Oh, don't forget --enable-discard-path when configuring PHP! (It lets the php-cgi binary live outside the web tree without letting people bypass .htaccess protections.)
Now, Apache 2. We could prepare a patch for the port/package system, but Apache is quick and easy to compile by hand:
- wget http://apache.multidist.com/httpd/httpd-2.0.59.tar.bz2
- tar xjf httpd-2.0.59.tar.bz2
- cd httpd-2.0.59
- ./configure --help (to see all the options)
SuEXEC wants you to specify at least one --with-suexec-* parameter, as proof that you have read the documentation.
Here I want full mod_rewrite support, so I enable mod_proxy, mod_proxy_http and mod_rewrite. Speling (yes, with only one l) tries to suggest a corrected URL instead of returning a 404.
- ./configure --enable-deflate --enable-mime-magic --enable-proxy --enable-proxy-http --enable-ssl --enable-http --enable-info --enable-suexec --enable-vhost-alias --enable-speling --enable-so --enable-rewrite --with-suexec-docroot=/home/wwwroot --with-suexec-uidmin=1000 --with-suexec-gidmin=1000 --with-suexec-logfile=/var/log/httpd/suexec.log
- make
- make install
To reach our websites, every directory on the path needs to be 711 or 755. I like a /home/wwwroot/mydomain.com/subdomain structure (e.g. /home/wwwroot/dereckson.be/www or /home/wwwroot/espace-win.org/pastebin):
- chmod 711 /home (on a private server where trusted users interact with each other, chmod 755 makes sense)
- mkdir /home/wwwroot
- chmod 711 /home/wwwroot
Try your web server now. This matters: from here on you know that any further problem comes from the SuEXEC configuration or from path permissions (the httpd main or vhost error log and suexec.log are your best friends).
When all is okay, let's hack support/suexec.c (in your httpd source directory):
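Before the first request hits a vhost, it helps to replay suexec's own refusals on a path: outside the docroot, owner/group mismatch, directory or script writable by group or others, setuid/setgid script, and a uid that is root or below uidmin. The script below is an added example, not part of the original post nor of Apache's suexec; the docroot and the example.com path in the usage line are assumptions.

```shell
#!/bin/sh
# suexec_precheck.sh: dry-run the checks suexec applies before it execs a
# script (docroot, uid range, ownership, write bits). Added example, not the
# post's or Apache's code; uses only POSIX sh, find(1) and id(1) so it runs
# on FreeBSD and Linux alike.

# suexec_uid_ok USER UIDMIN: the target uid must exist, must not be root and
# must be >= --with-suexec-uidmin.
suexec_uid_ok() {
    uid=$(id -u "$1" 2>/dev/null) || { echo "no such user: $1"; return 1; }
    if [ "$uid" -eq 0 ] || [ "$uid" -lt "$2" ]; then
        echo "forbidden uid $uid for $1 (uidmin=$2)"; return 1
    fi
    return 0
}

# matches PATH EXPR...: true if find(1) says the path itself matches EXPR
matches() { mp=$1; shift; [ -n "$(find "$mp" -maxdepth 0 "$@")" ]; }

# suexec_path_check DOCROOT USER GROUP /abs/path/to/script
# Prints one line per violation and returns 1 if any was found.
suexec_path_check() {
    docroot=$1 user=$2 group=$3 script=$4 rc=0
    case $script in /*) ;; *) echo "need an absolute path: $script"; return 1 ;; esac
    dir=$(dirname "$script")

    # 1. suexec refuses to run anything outside --with-suexec-docroot
    case "$dir/" in "$docroot"/*) ;; *) echo "not under docroot $docroot: $dir"; rc=1 ;; esac

    # 2. httpd (running as www) must be able to walk down to the script:
    #    every directory on the way needs o+x, i.e. at least 711
    p=$dir
    while [ "$p" != "/" ]; do
        matches "$p" -perm -001 || { echo "not traversable by others (needs 711): $p"; rc=1; }
        p=$(dirname "$p")
    done

    # 3. directory and script: owned by the target user:group and not
    #    writable by group or others, otherwise suexec refuses to run it
    for x in "$dir" "$script"; do
        matches "$x" \( ! -user "$user" -o ! -group "$group" \) && { echo "not owned by $user:$group: $x"; rc=1; }
        matches "$x" \( -perm -020 -o -perm -002 \) && { echo "writable by group or others: $x"; rc=1; }
    done

    # 4. the script must be a regular file and must not be setuid/setgid
    [ -f "$script" ] || { echo "not a regular file: $script"; rc=1; }
    matches "$script" \( -perm -4000 -o -perm -2000 \) && { echo "setuid/setgid script: $script"; rc=1; }
    return $rc
}

# Usage (assumed paths and user):
#   suexec_uid_ok alice 1000 && \
#   suexec_path_check /home/wwwroot alice alice /home/wwwroot/example.com/www/index.php
```

A clean run prints nothing and returns 0; each printed line maps to one entry you would otherwise only discover in suexec.log after a 500 error.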
Find (near the end of the file):
    execv(cmd, &argv[3]);
Replace by:
    {
        /* Dispatch on the extension, matched at the END of the path only:
         * a plain strstr() would also match foo.php.txt or a directory
         * named foo.php/. Test .phps before .php. */
        size_t len = strlen(cmd);
        if (len > 5 && strcmp(cmd + len - 5, ".phps") == 0) {
            /* .phps: php-cgi -s shows the highlighted source */
            execl("/usr/local/bin/php-cgi", "php-cgi", "-s", cmd, NULL);
        } else if (len > 4 && strcmp(cmd + len - 4, ".php") == 0) {
            execl("/usr/local/bin/php-cgi", "php-cgi", cmd, NULL);
        } else {
            execv(cmd, &argv[3]);
        }
    }
suexec.c PHP friendly hack – Dereckson
Now, in httpd.conf, you have to configure .php and .phps as CGI (AddHandler cgi-script, ExecCGI allowed on the directory, and a SuexecUserGroup in each vhost). Mind that a .phps file is served as highlighted source: that is the point of the extension, so never put secrets in one.
[ This is a rough draft, drop a comment if you want more details or the sequel ]
Autochmod (run it from the root of a site, or give the directory as argument):
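As an added example (not from the original post), a vhost fragment for httpd.conf that hands .php and .phps to mod_cgi and therefore to the patched suexec; the server name, the user/group and the paths are assumptions, and the uid/gid must be at or above the uidmin/gidmin compiled into suexec.

```apache
# Added example vhost, not the post's own configuration.
# Assumed: user/group "alice", site under the compiled-in suexec docroot.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /home/wwwroot/example.com/www
    DirectoryIndex index.php

    # Scripts run as this user:group; uid/gid >= 1000 (suexec-uidmin/gidmin)
    # and the files must be owned by it, not group/other writable.
    SuexecUserGroup alice alice

    # .php and .phps are CGI scripts: the patched suexec sees the extension
    # and execs php-cgi itself, so no #! line is needed in the scripts.
    AddHandler cgi-script .php .phps

    <Directory /home/wwwroot/example.com/www>
        Options ExecCGI FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/httpd/example.com-error.log
</VirtualHost>
```

Keep mod_php out of this server (no LoadModule for it), otherwise .php files could end up interpreted in-process as the www user instead of through suexec.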
#!/bin/sh
# -print0 / xargs -0 handle file names containing spaces :)
cd "${1:-.}" || exit 1
# First the directories, 755 (use 711 if other users must not list them)
find . -type d -print0 | xargs -0 chmod 755
# By default every file goes to 644:
find . -type f -print0 | xargs -0 chmod 644
# Second pass: the scripts go to 700, so only their owner (via suexec) can read and run them
# -iname so that .PHP, .CgI ... are handled too
find . -type f \( -iname '*.php' -o -iname '*.php3' -o -iname '*.phps' \
    -o -iname '*.tcl' -o -iname '*.cgi' -o -iname '*.pl' \) -print0 | xargs -0 chmod 700
The version of the SuEXEC patch I had prepared for the Espace Win servers (from memory, the match_ext function has to be lifted from the mencoder or ffmpeg source code):
dereckson.devio.us/patche…